diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index aad198c643..63dce77b81 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -49,22 +49,6 @@
       "build_entry_point": "docs",
       "template_folder": "_themes"
     },
-    {
-      "docset_name": "smb",
-      "build_source_folder": "smb",
-      "build_output_subfolder": "smb",
-      "locale": "en-us",
-      "monikers": [],
-      "moniker_ranges": [],
-      "open_to_public_contributors": false,
-      "type_mapping": {
-        "Conceptual": "Content",
-        "ManagedReference": "Content",
-        "RestApi": "Content"
-      },
-      "build_entry_point": "docs",
-      "template_folder": "_themes"
-    },
     {
       "docset_name": "store-for-business",
       "build_source_folder": "store-for-business",
@@ -219,7 +203,6 @@
   ],
   "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
   "git_repository_branch_open_to_public_contributors": "public",
-  "skip_source_output_uploading": false,
   "need_preview_pull_request": true,
   "resolve_user_profile_using_github": true,
   "dependent_repositories": [
@@ -252,6 +235,7 @@
     }
   },
   "docs_build_engine": {},
+  "skip_source_output_uploading": false,
   "need_generate_pdf_url_template": true,
   "contribution_branch_mappings": {},
   "need_generate_pdf": false,
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index ff9d5d5c7e..47941cff18 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -420,6 +420,11 @@
       "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/threat-protection/windows-defender-application-control/citool-commands.md",
+      "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands",
+      "redirect_document_id": false
+    },
     {
       "source_path": "devices/hololens/hololens-whats-new.md",
       "redirect_url": "/hololens/hololens-release-notes",
@@ -1197,7 +1202,7 @@
     },
     {
       "source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md",
-      "redirect_url": "hhttps://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings",
+      "redirect_url": "/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings",
       "redirect_document_id": false
     },
     {
@@ -6827,7 +6832,7 @@
     },
     {
       "source_path": "windows/manage/waas-wufb-intune.md",
-      "redirect_url": "/windows/deployment/update/waas-wufb-intune.md",
+      "redirect_url": "/windows/deployment/update/waas-wufb-intune",
       "redirect_document_id": false
     },
     {
@@ -7277,7 +7282,7 @@
     },
     {
       "source_path": "windows/manage/application-development-for-windows-as-a-service.md",
-      "redirect_url": "https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service",
+      "redirect_url": "windows/uwp/updates-and-versions/application-development-for-windows-as-a-service",
       "redirect_document_id": false
     },
     {
@@ -7457,7 +7462,7 @@
     },
     {
       "source_path": "windows/plan/chromebook-migration-guide.md",
-      "redirect_url": "edu/windows/chromebook-migration-guide",
+      "redirect_url": "education/windows/chromebook-migration-guide",
       "redirect_document_id": false
     },
     {
@@ -14412,12 +14417,12 @@
     },
     {
       "source_path": "windows/manage/sign-up-windows-store-for-business.md",
-      "redirect_url": "/microsoft-store/index.md",
+      "redirect_url": "/microsoft-store/index",
       "redirect_document_id": false
     },
     {
       "source_path": "store-for-business/sign-up-windows-store-for-business.md",
-      "redirect_url": "/microsoft-store/index.md",
+      "redirect_url": "/microsoft-store/index",
       "redirect_document_id": false
     },
     {
@@ -19442,8 +19447,8 @@
     },
     {
       "source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md",
-      "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware.md",
-      "redirect_document_id": false
+      "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware",
+      "redirect_document_id": false  
     },
     {
       "source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md",
@@ -19924,6 +19929,11 @@
       "source_path": "windows/client-management/mdm/wmi-providers-supported-in-windows.md",
       "redirect_url": "/windows/client-management/wmi-providers-supported-in-windows",
       "redirect_document_id": false
+     },
+     {
+      "source_path": "windows/deployment/do/mcc-enterprise.md",
+      "redirect_url": "/windows/deployment/do/waas-microsoft-connected-cache",
+      "redirect_document_id": false
     },
     {
       "source_path": "windows/client-management/advanced-troubleshooting-802-authentication.md",
@@ -20069,6 +20079,171 @@
       "source_path": "windows/deployment/upgrade/upgrade-error-codes.md",
       "redirect_url": "/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-configuration-manual.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-configuration-manual",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-configuration-mem.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-configuration-intune",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-configuration-script.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-configuration-script",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-enable.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-enable",
+      "redirect_document_id": false
+    },	
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-help.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-help",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-overview.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-overview",
+      "redirect_document_id": false
+    },		
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-prerequisites.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-prerequisites",
+      "redirect_document_id": false
+    },	
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclient.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclient",
+      "redirect_document_id": false
+    },	
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus",
+      "redirect_document_id": false
+    },		
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucdevicealert",
+      "redirect_document_id": false
+    },		
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus",
+      "redirect_document_id": false
+    },		
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucupdatealert",
+      "redirect_document_id": false
+    },	
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-schema.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-schema",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-use.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-use",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-status-admin-center.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-admin-center",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/update/update-compliance-v2-workbook.md",
+      "redirect_url": "/windows/deployment/update/wufb-reports-workbook",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/kiosk-troubleshoot.md",
+      "redirect_url": "/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/configuration/start-layout-troubleshoot.md",
+      "redirect_url": "/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/planning/features-lifecycle.md",
+      "redirect_url": "/windows/whats-new/feature-lifecycle",
+      "redirect_document_id": false
+    }, 
+    {
+      "source_path": "windows/deployment/planning/windows-10-deprecated-features.md",
+      "redirect_url": "/windows/whats-new/deprecated-features",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/planning/windows-10-removed-features.md",
+      "redirect_url": "/windows/whats-new/removed-features",
+      "redirect_document_id": false
+    },
+    {               
+      "source_path": "windows/deployment/usmt/usmt-common-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/usmt/usmt-return-codes.md",
+      "redirect_url": "/troubleshoot/windows-client/deployment/usmt-return-codes",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md",
+      "redirect_url": "/troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues",
+      "redirect_document_id": false
     }
   ]
-}
\ No newline at end of file
+}
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..e138ec5d6a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index c7273e1661..10f60620a8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -16,9 +16,9 @@ ms.date: 07/27/2017
 ---
 
 
-# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
-
-[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
+# Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+
+[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
 
 
 **Applies to:**
diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
index be03e1819a..1617af18d5 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md
@@ -3,7 +3,7 @@ ms.localizationpriority: medium
 title: Change history for Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
 description: This topic lists new and updated topics in the Internet Explorer 11 Deployment Guide documentation for Windows 10.
 ms.mktglfcycl: deploy
-ms.prod: ie11
+ms.prod: windows-client
 ms.sitesec: library
 author: dansimp
 ms.date: 07/27/2017
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 24265e0261..961f15218c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -3,7 +3,7 @@ ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index 2c525dd36c..cffb48a00d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
 title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
 ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer: 
 audience: itpro
 manager: dansimp
 ms.author: dansimp
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index 18ac122bc2..ddaef22325 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -3,7 +3,7 @@ ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: Customize Internet Explorer 11 installation packages
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 10a14a09-673b-4f8b-8d12-64036135e7fd
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index c6d0cce921..513e6e6b22 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -3,7 +3,7 @@ ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: You can pin websites to the Windows 8.1 taskbar for quick access using the Microsoft Deployment Toolkit (MDT) 2013.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 24f4dcac-9032-4fe8-bf6d-2d712d61cb0c
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index 0335e7c1dc..e284e24e3f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Enhanced Protected Mode problems with Internet Explorer
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 15890ad1-733d-4f7e-a318-10399b389f45
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
index ce2f14b162..602eeb31b1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: After you create your Enterprise Mode site list in the Enterprise Mode Site List Manager, you can export the contents to an Enterprise Mode (.EMIE) file.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 9ee7c13d-6fca-4446-bc22-d23a0213a95d
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index 14284fdfe7..b56fd8d946 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about Group Policy, the Group Policy Management Console (GPMC), and Internet Explorer 11
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: ae3d227d-3da7-46b8-8a61-c71bfeae0c63
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 6420ff7796..4e6daed0d1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview of the available Group Policy management tools
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: e33bbfeb-6b80-4e71-8bba-1d0369a87312
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index 9b5677e069..c3f3970e4d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Overview about how Group Policy works with Windows Powershell and Internet Explorer 11
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: e3607cde-a498-4e04-9daa-b331412967fc
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index dfb9b8391c..b795f7aab3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -3,7 +3,7 @@ ms.mktglfcycl: deploy
 description: Use this guide to learn about the several options and processes you'll need to consider while you're planning for, deploying, and customizing Internet Explorer 11 for your employee's devices.
 author: dansimp
 ms.author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3
 title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index 8beef9b99d..b8083e1f8d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to install the Internet Explorer 11 update using System Center 2012 R2 Configuration Manager
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 9ede9722-29b3-4cb7-956d-ffa91e7bedbd
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
index 3e6ffbfad8..09442d827c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-problems-with-ie11.md
@@ -3,7 +3,7 @@ ms.localizationpriority: medium
 ms.mktglfcycl: deploy
 description: How to fix potential installation problems with Internet Explorer 11
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 3ae77745-86ac-40a9-a37d-eebbf37661a3
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
index faa927931e..a002fae480 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-the-compatibility-view-button.md
@@ -3,7 +3,7 @@ ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: Internet Explorer 11 uses the latest standards mode, which simplifies web page compatibility for users by removing the **Compatibility View** button and reducing the number of compatibility options in the F12 developer tools for developers.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 501c96c9-9f03-4913-9f4b-f67bd9edbb61
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index e6c30a056e..c0fb369154 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 description: New group policy settings for Internet Explorer 11
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 669cc1a6-e2cb-403f-aa31-c1de52a615d1
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
index f701d8ff8d..41a67c1f65 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md
@@ -3,7 +3,7 @@ ms.localizationpriority: medium
 ms.mktglfcycl: support
 description: Possible solutions to the problems you might encounter after installing IE11, such as crashing or seeming slow, getting into an unusable state, or problems with adaptive streaming and DRM playback.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: c4b75ad3-9c4a-4dd2-9fed-69f776f542e6
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
index f30c495bb3..4a0eace5e7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Instructions about how to remove sites from a local compatibility view list.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: f6ecaa75-ebcb-4f8d-8721-4cd6e73c0ac9
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
index bc7c2ddc2a..4b385be382 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to use Site List Manager to review neutral sites for IE mode
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: f4dbed4c-08ff-40b1-ab3f-60d3b6e8ec9b
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
index 4d5e66ec80..52343886ce 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
 ms.date: 07/27/2017
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 9424e5e32f..6ea7312b42 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 description: Use the Group Policy setting, Set a default associations configuration file, to set the default browser for your company devices running Windows 10.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: f486c9db-0dc9-4cd6-8a0b-8cb872b1d361
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
index 7e4561fa2a..fdb532ae11 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: How to turn Enterprise Mode off temporarily while testing websites and how to turn it off completely if you no longer want to to use it.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: 5027c163-71e0-49b8-9dc0-f0a7310c7ae3
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index ace67f0ddc..98739a8df1 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -4,7 +4,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: appcompat
 description: High-level info about some of the new and updated features for Internet Explorer 11.
 author: dansimp
-ms.prod: ie11
+ms.prod: windows-client
 ms.assetid: f53c6f04-7c60-40e7-9fc5-312220f08156
 ms.reviewer: 
 audience: itpro
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
index bb2983bca4..1a51b8977a 100644
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -1,17 +1,14 @@
 ---
-author: dansimp
-ms.author: dansimp
-ms.date:  
-ms.reviewer:
-audience: itpro
-manager: dansimp
+author: aczechowski
+ms.author: aaroncz
+ms.date: 10/27/2022
+ms.reviewer: cathask
+manager: aaroncz
 ms.prod: ie11
 ms.topic: include
 ---
 
-> [!IMPORTANT]
-> The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10.  
+> [!WARNING]
+> The retired, out-of-support Internet Explorer 11 (IE11) desktop application will be permanently disabled on certain versions of Windows 10 as part of the February 2023 Windows security update ("B") release scheduled for February 14, 2023.  We highly recommend setting up IE mode in Microsoft Edge and disabling IE11 prior to this date to ensure your organization doesn't experience business disruption.
 >
-> You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). 
-> 
-> The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). 
+> For more information, see [aka.ms/iemodefaq](https://aka.ms/iemodefaq).
diff --git a/education/docfx.json b/education/docfx.json
index df077d1783..70b106e401 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -62,14 +62,6 @@
         "garycentric"
       ]
     },
-    "fileMetadata": {
-      "ms.localizationpriority": {
-        "windows/tutorial-school-deployment/**/**.md": "medium"
-      },
-      "ms.topic": {
-        "windows/tutorial-school-deployment/**/**.md": "tutorial"
-      }
-    },
     "externalReference": [],
     "template": "op.html",
     "dest": "education",
diff --git a/education/index.yml b/education/index.yml
index 1a3a69e704..ef45124188 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -2,19 +2,13 @@
 
 title: Microsoft 365 Education Documentation
 summary: Microsoft 365 Education empowers educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education.
-# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-apps | power-automate | power-bi | power-platform | power-virtual-agents | sql | sql-server | vs | visual-studio | windows | xamarin
 brand: m365
 
 metadata:
   title: Microsoft 365 Education Documentation
   description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
-  ms.service: help
   ms.topic: hub-page
-  ms.collection: education
-  author: paolomatarazzo
-  ms.author: paoloma
   ms.date: 08/10/2022
-  manager: aaroncz
 
 productDirectory:
   title: For IT admins
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index b44ad43f62..0901d32b40 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -4,7 +4,10 @@ description: Learn about Autopilot Reset and how to enable and use it.
 ms.date: 08/10/2022
 ms.topic: how-to
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # Reset devices with Autopilot Reset 
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index d6aa215ab3..1826ecd768 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -8,8 +8,7 @@ ms.author: scbree
 ms.reviewer: paoloma
 manager: jeffbu
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Upgrade Windows Home to Windows Education on student-owned devices
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index 0fb9122497..f377a4582c 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -4,7 +4,10 @@ description: Learn how IT Pros can opt into changing to Windows 10 Pro Education
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # Change to Windows 10 Pro Education from Windows 10 Pro
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 0c08e17617..05c7db8963 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -4,7 +4,7 @@ description: Learn how to migrate a Google Chromebook-based learning environment
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Chromebook migration guide
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 6ef47f7153..587d279c84 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -4,7 +4,7 @@ description: Learn how to configure the OS diagnostic data, consumer experiences
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Windows 10 configuration recommendations for education customers
 
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 6d13cc8c9d..4935d37ed7 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -4,7 +4,7 @@ description: Learn how to deploy Windows 10 in a school district. Integrate the
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Deploy Windows 10 in a school district
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index cb598bc6fd..1655458c44 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -4,7 +4,7 @@ description: Learn how to integrate your school environment with Microsoft Offic
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Deploy Windows 10 in a school
diff --git a/education/windows/deploy-windows-10-overview.md b/education/windows/deploy-windows-10-overview.md
index 8b772d160c..96d9d002e0 100644
--- a/education/windows/deploy-windows-10-overview.md
+++ b/education/windows/deploy-windows-10-overview.md
@@ -4,7 +4,7 @@ description: Learn how to use Windows 10 in schools.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Windows 10 for Education
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 983f31ed85..17302ec0a3 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -4,7 +4,7 @@ description: Provides guidance on ways to customize the OS privacy settings, and
 ms.topic: guide
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Deployment recommendations for school IT administrators
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index cde45e1466..dc25c4e817 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -4,7 +4,10 @@ description: Learn about the Stickers feature and how to configure it via Intune
 ms.date: 09/15/2022
 ms.topic: how-to
 appliesto:
-- ✅ <b>Windows 11 SE, version 22H2</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # Configure Stickers for Windows 11 SE
@@ -29,13 +32,14 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
+[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
 
 | Setting |
 |--------|
 | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 
-Assign the policy to a security group that contains as members the devices or users that you want to configure.
+[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md
index a3d8944c42..5b6c073fcd 100644
--- a/education/windows/edu-take-a-test-kiosk-mode.md
+++ b/education/windows/edu-take-a-test-kiosk-mode.md
@@ -4,9 +4,7 @@ description: Learn how to configure Windows to execute the Take a Test app in ki
 ms.date: 09/30/2022
 ms.topic: how-to
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Configure Take a Test in kiosk mode
@@ -57,7 +55,7 @@ To configure devices using Intune for Education, follow these steps:
 
 ### Configure Take a Test with a custom policy
 
-To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
+[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
 
 | Setting |
 |--------|
@@ -71,7 +69,8 @@ To configure devices using Microsoft Intune, create a [custom policy][MEM-1] wit
 
 :::image type="content" source="./images/takeatest/intune-take-a-test-custom-profile.png" alt-text="Intune portal - creation of a custom policy to configure Take a Test." lightbox="./images/takeatest/intune-take-a-test-custom-profile.png" border="true":::
 
-Assign the policy to a security group that contains as members the devices or users that you want to configure.
+[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
@@ -218,8 +217,6 @@ The following animation shows the process of signing in to the test-taking accou
 
 :::image type="content" source="./images/takeatest/sign-in-sign-out.gif" alt-text="Signing in and signing out with a test account" border="true":::
 
------------
-
 [MEM-1]: /mem/intune/configuration/custom-settings-windows-10
 [MEM-2]: /mem/intune/configuration/settings-catalog
 
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index a477121ca5..f76298ef68 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@@ -4,8 +4,7 @@ description: Learn about education themes for Windows 11 and how to configure th
 ms.date: 09/15/2022
 ms.topic: how-to
 appliesto:
-- ✅ <b>Windows 11, version 22H2</b>
-- ✅ <b>Windows 11 SE, version 22H2</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
 ---
 
 # Configure education themes for Windows 11
@@ -23,13 +22,14 @@ Education themes aren't enabled by default. Follow the instructions below to con
 
 #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
 
-To configure devices using Microsoft Intune, create a [custom policy][MEM-1] with the following settings:
+[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
 
 | Setting |
 |--------|
 | <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
 
-Assign the policy to a security group that contains as members the devices or users that you want to configure.
+[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
 
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
 
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index cf50d7cf3e..1a86e4e1c4 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -4,9 +4,7 @@ description: Learn how IT admins and teachers can use Microsoft Store for Educat
 ms.topic: article
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Working with Microsoft Store for Education
diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md
index 39f39952b6..6fa45fd3e7 100644
--- a/education/windows/enable-s-mode-on-surface-go-devices.md
+++ b/education/windows/enable-s-mode-on-surface-go-devices.md
@@ -4,7 +4,7 @@ description: Learn how to enable S mode on Surface Go devices.
 ms.date: 08/10/2022
 ms.topic: how-to
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Surface Go for Education - Enabling S mode
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 0f769a31e1..7a3ef3172c 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -2,17 +2,9 @@
 title: Configure federated sign-in for Windows devices
 description: Description of federated sign-in feature for Windows 11 SE and how to configure it via Intune
 ms.date: 09/15/2022
-ms.prod: windows
-ms.technology: windows
 ms.topic: how-to
-ms.localizationpriority: medium
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer:
-manager: aaroncz
-ms.collection: education
 appliesto:
-- ✅ <b>Windows 11 SE, version 22H2</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ---
 
 <!-- MAXADO-6286399 -->
@@ -57,7 +49,7 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile]
 
 To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune.
 
-To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
+[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
 
 | Setting |
 |--------|
@@ -68,7 +60,8 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile]
 
 :::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true":::
 
-Assign the policy to a security group that contains as members the devices that require federated sign-in.
+[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
+[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
 
 <!--
 #### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
@@ -114,8 +107,6 @@ Federated sign-in doesn't work on devices that have the following settings enabl
 - The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen
 - Select the *Other User* button, and the standard username/password credentials are available to log into the device
 
------------
-
 [AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
 [AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
 [AZ-3]: /azure/active-directory/hybrid/how-to-connect-sync-whatis
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index b0c3dd7f9c..903d8182e3 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -4,9 +4,10 @@ description: Learn how to get and distribute Minecraft Education Edition.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # Get Minecraft: Education Edition
diff --git a/education/windows/includes/intune-custom-settings-1.md b/education/windows/includes/intune-custom-settings-1.md
new file mode 100644
index 0000000000..fa7811c9eb
--- /dev/null
+++ b/education/windows/includes/intune-custom-settings-1.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+To configure devices with Microsoft Intune, use a custom policy:
+
+  > [!TIP]
+  > If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to <a href="https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_DeviceSettings/CreatePolicyFullScreenBlade/policyId/00000000-0000-0000-0000-000000000000/policyType/Windows10Custom/policyJourneyState~/0" target="_blank"><b>create a custom policy</b></a> (opens in a new tab).
+
+1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+2. Select **Devices > Configuration profiles > Create profile**
+3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom**
+4. Select **Create**
+5. Specify a **Name** and, optionally, a **Description > Next**
+6. Add the following settings:
\ No newline at end of file
diff --git a/education/windows/includes/intune-custom-settings-2.md b/education/windows/includes/intune-custom-settings-2.md
new file mode 100644
index 0000000000..d623773324
--- /dev/null
+++ b/education/windows/includes/intune-custom-settings-2.md
@@ -0,0 +1,11 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+7. Select **Next**
+8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
+9. Under **Applicability Rules**, select **Next**
+10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/education/windows/includes/intune-custom-settings-alternative.md b/education/windows/includes/intune-custom-settings-alternative.md
new file mode 100644
index 0000000000..955dc080cc
--- /dev/null
+++ b/education/windows/includes/intune-custom-settings-alternative.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+Alternatively, <a href="https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_DeviceSettings/CreatePolicyFullScreenBlade/policyId/00000000-0000-0000-0000-000000000000/policyType/Windows10Custom/policyJourneyState~/0" target="_blank"><b>create a custom policy</b></a> with the following settings:
\ No newline at end of file
diff --git a/education/windows/includes/intune-custom-settings-info.md b/education/windows/includes/intune-custom-settings-info.md
new file mode 100644
index 0000000000..a7376ee4ff
--- /dev/null
+++ b/education/windows/includes/intune-custom-settings-info.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/education/windows/includes/intune-settings-catalog-1.md b/education/windows/includes/intune-settings-catalog-1.md
new file mode 100644
index 0000000000..6031492031
--- /dev/null
+++ b/education/windows/includes/intune-settings-catalog-1.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+To configure devices with Microsoft Intune, use the settings catalog:
+
+  > [!TIP]
+  > If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to <a href="https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_Workflows/SettingsCatalogWizardBlade/mode/create/platform/Windows%2010%20and%20later/policyType/SettingsCatalogWindows10" target="_blank"><b>create a Settings catalog policy</b></a> (opens in a new tab).
+
+1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+2. Select **Devices > Configuration profiles > Create profile**
+3. Select **Platform > Windows 10 and later** and **Profile type > Settings catalog**
+4. Select **Create**
+5. Specify a **Name** and, optionally, a **Description** > **Next**
+6. In the settings picker, add the following settings:
\ No newline at end of file
diff --git a/education/windows/includes/intune-settings-catalog-2.md b/education/windows/includes/intune-settings-catalog-2.md
new file mode 100644
index 0000000000..41d840b9c8
--- /dev/null
+++ b/education/windows/includes/intune-settings-catalog-2.md
@@ -0,0 +1,11 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+7. Select **Next**
+8. Optionally, add *scope tags* > **Next**
+9. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
+10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/education/windows/includes/intune-settings-catalog-info.md b/education/windows/includes/intune-settings-catalog-info.md
new file mode 100644
index 0000000000..c2f3b6495b
--- /dev/null
+++ b/education/windows/includes/intune-settings-catalog-info.md
@@ -0,0 +1,8 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/08/2022
+ms.topic: include
+---
+
+For more information about how to create policies with the Intune settings catalog, see [Use the settings catalog to configure settings](/mem/intune/configuration/settings-catalog).
\ No newline at end of file
diff --git a/education/windows/index.yml b/education/windows/index.yml
index fa426ef022..a84e4b3961 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -7,8 +7,11 @@ metadata:
   title: Windows for Education documentation
   description: Learn about how to plan, deploy and manage Windows devices in an education environment with Microsoft Intune
   ms.topic: landing-page
-  ms.prod: windows
-  ms.collection: education
+  ms.prod: windows-client
+  ms.technology: itpro-edu
+  ms.collection:
+  - education
+  - highpri
   author: paolomatarazzo
   ms.author: paoloma
   ms.date: 08/10/2022
diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md
index 612de4cf4c..fafc2716c8 100644
--- a/education/windows/s-mode-switch-to-edu.md
+++ b/education/windows/s-mode-switch-to-edu.md
@@ -4,7 +4,7 @@ description: Learn how to switch out of Windows 10 Pro in S mode to Windows 10 P
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index c9621f70a2..fca31b0f6b 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -4,7 +4,10 @@ description: Learn how IT admins can get and distribute Minecraft in their schoo
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # For IT administrators - get Minecraft: Education Edition
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 6eba776f7d..8ba0185e3d 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -4,7 +4,7 @@ description: Learn how Azure AD Join is configured in the Set up School PCs app.
 ms.topic: article
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---  
 
 # Azure AD Join for school PCs  
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md
index ffee7c5880..58b9ae8063 100644
--- a/education/windows/set-up-school-pcs-provisioning-package.md
+++ b/education/windows/set-up-school-pcs-provisioning-package.md
@@ -4,7 +4,7 @@ description: List of the provisioning package settings that are configured in th
 ms.date: 08/10/2022
 ms.topic: reference
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---  
 
 # What's in my provisioning package?
diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md
index 9f2ecc9d8e..28907160cb 100644
--- a/education/windows/set-up-school-pcs-technical.md
+++ b/education/windows/set-up-school-pcs-technical.md
@@ -4,7 +4,7 @@ description: Describes the purpose of the Set up School PCs app for Windows 10 d
 ms.topic: conceptual
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # What is Set up School PCs?
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
index c36b901f8f..2b46d073f5 100644
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ b/education/windows/set-up-school-pcs-whats-new.md
@@ -4,8 +4,7 @@ description: Find out about app updates and new features in Set up School PCs.
 ms.topic: whats-new
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---  
 
 # What's new in Set up School PCs
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 16f670b6fa..91f2ad28d1 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -4,7 +4,7 @@ description: Learn how to use Windows Configuration Designer to provision studen
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Set up student PCs to join domain
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 679bb7206f..cf16da56b2 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -4,7 +4,7 @@ description: Learn how to use Windows Configuration Designer to easily provision
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Provision student PCs with apps
 
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index c137703898..61f6b28d77 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -4,7 +4,7 @@ description: Decide which option for setting up Windows 10 is right for you.
 ms.topic: article
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Set up Windows devices for education
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index 9b5498d558..daab02821c 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -4,9 +4,7 @@ description: List of policies and settings applied by the Take a Test app.
 ms.date: 09/30/2022
 ms.topic: reference
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Take a Test app technical reference
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index 68472404be..1eea480188 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -4,9 +4,7 @@ description: Learn about the built-in Take a Test app for Windows and how to use
 ms.date: 09/30/2022
 ms.topic: conceptual
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Take tests and assessments in Windows
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 0e90fa8952..df19ac8729 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -4,9 +4,10 @@ description: Learn how teachers can obtain and distribute Minecraft.
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # For teachers - get Minecraft: Education Edition
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 605fd2df0e..09f9301130 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -4,7 +4,10 @@ description: Provides guidance on downloading and testing Windows 10 in S mode f
 ms.topic: guide
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # Test Windows 10 in S mode on existing Windows 10 education devices
diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md
index 694a87c643..89eb913446 100644
--- a/education/windows/tutorial-school-deployment/configure-device-apps.md
+++ b/education/windows/tutorial-school-deployment/configure-device-apps.md
@@ -4,9 +4,7 @@ description: Learn how to configure applications with Microsoft Intune in prepar
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Configure applications with Microsoft Intune
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
index d2f56961ab..f70081a995 100644
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -4,9 +4,7 @@ description: Learn how to configure policies with Microsoft Intune in preparatio
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Configure and secure devices with Microsoft Intune
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
index 32b237ce5a..60bc205647 100644
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@@ -4,9 +4,7 @@ description: Learn how to configure policies and applications in preparation for
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Configure settings and applications with Microsoft Intune
diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md
index 829124e264..ddcb5d2bb8 100644
--- a/education/windows/tutorial-school-deployment/enroll-aadj.md
+++ b/education/windows/tutorial-school-deployment/enroll-aadj.md
@@ -4,9 +4,7 @@ description: Learn how to join devices to Azure AD from OOBE and automatically g
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 # Automatic Intune enrollment via Azure AD join
 
diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md
index 85c838b402..01394b420a 100644
--- a/education/windows/tutorial-school-deployment/enroll-autopilot.md
+++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md
@@ -4,9 +4,7 @@ description: Learn how to join Azure AD and enroll in Intune using Windows Autop
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Windows Autopilot
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
index 52fb94bc7a..d816ed1b94 100644
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@@ -4,9 +4,7 @@ description: Learn about the different options to enroll Windows devices in Micr
 ms.date: 08/31/2022
 ms.topic: overview
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Device enrollment overview
diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md
index 2021ec3ff0..9f96234636 100644
--- a/education/windows/tutorial-school-deployment/enroll-package.md
+++ b/education/windows/tutorial-school-deployment/enroll-package.md
@@ -4,9 +4,7 @@ description: Learn about how to enroll Windows devices with provisioning package
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Enrollment with provisioning packages
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index 14f76929f4..98574366e1 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -3,6 +3,8 @@ title: Introduction to the tutorial deploy and manage Windows devices in a schoo
 description: Introduction to deployment and management of Windows devices in education environments.
 ms.date: 08/31/2022
 ms.topic: conceptual
+appliesto:
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Tutorial: deploy and manage Windows devices in a school
diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md
index db77a8606f..00559d4384 100644
--- a/education/windows/tutorial-school-deployment/manage-overview.md
+++ b/education/windows/tutorial-school-deployment/manage-overview.md
@@ -1,12 +1,10 @@
 ---
 title: Manage devices with Microsoft Intune
-description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. 
+description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Manage devices with Microsoft Intune
diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md
index 7b888d8adb..e374fd8f7d 100644
--- a/education/windows/tutorial-school-deployment/manage-surface-devices.md
+++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md
@@ -3,8 +3,8 @@ title: Management functionalities for Surface devices
 description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
 ms.date: 08/31/2022
 ms.topic: tutorial
-appliesto:
-- ✅ <b>Surface devices</b>
+appliesto: 
+  - ✅ <b>Surface devices</b>
 ---
 
 # Management functionalities for Surface devices
diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md
index 7a404f7ecf..b9a1f80094 100644
--- a/education/windows/tutorial-school-deployment/reset-wipe.md
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md
@@ -4,9 +4,7 @@ description: Learn about the reset and wipe options for Windows devices using In
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Device reset options
diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
index 1bf462b5f7..dd9817a5b9 100644
--- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md
+++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
@@ -4,9 +4,7 @@ description: Learn how to troubleshoot Windows devices from Intune and contact M
 ms.date: 08/31/2022
 ms.topic: tutorial
 appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
 ---
 
 # Troubleshoot Windows devices
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index c54a5ce446..05dbf61f4b 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -4,7 +4,7 @@ description: Learn how to use the Set up School PCs app and apply the provisioni
 ms.topic: how-to
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 # Use the Set up School PCs app  
 
diff --git a/education/windows/windows-11-se-faq.yml b/education/windows/windows-11-se-faq.yml
index 36582145e0..c45c1980a0 100644
--- a/education/windows/windows-11-se-faq.yml
+++ b/education/windows/windows-11-se-faq.yml
@@ -2,18 +2,10 @@
 metadata:
   title: Windows 11 SE Frequently Asked Questions (FAQ)
   description: Use these frequently asked questions (FAQ) to learn important details about Windows 11 SE.   
-  ms.prod: windows
-  ms.technology: windows
-  author: paolomatarazzo
-  ms.author: paoloma
-  manager: aaroncz
-  ms.reviewer: 
-  ms.collection: education
   ms.topic: faq
-  localizationpriority: medium
   ms.date: 09/14/2022
   appliesto:
-  - ✅ <b>Windows 11 SE</b>
+    - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 
 title: Common questions about Windows 11 SE
 summary: Windows 11 SE combines the power and privacy of Windows 11 with educator feedback to create a simplified experience on devices built for education. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows 11 SE so you can get to what matters most.
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 2e65e17494..654b8d7eca 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -4,7 +4,10 @@ description: Learn about Windows 11 SE, and the apps that are included with the
 ms.topic: article
 ms.date: 09/12/2022
 appliesto:
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
+ms.collection:
+  - highpri
+  - education
 ---
 
 # Windows 11 SE Overview
@@ -78,6 +81,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 
 | Application                             | Supported version | App Type | Vendor                       |
 |-----------------------------------------|-------------------|----------|------------------------------|
+| 3d builder                              | 15.2.10821.1070   | Win32    | Microsoft                    |
 | AirSecure                               | 8.0.0             | Win32    | AIR                          |
 | Alertus Desktop                         | 5.4.44.0          | Win32    | Alertus technologies         |
 | Brave Browser                           | 106.0.5249.65     | Win32    | Brave                        |
@@ -92,6 +96,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | DRC INSIGHT Online Assessments          | 12.0.0.0          | Store    | Data recognition Corporation |
 | Duo from Cisco                          | 2.25.0            | Win32    | Cisco                        |
 | e-Speaking Voice and Speech recognition | 4.4.0.8           | Win32    | e-speaking                   |
+|Epson iProjection                        |	3.31              | Win32    | Epson                        |
 | eTests                                  | 4.0.25            | Win32    | CASAS                        |
 | FortiClient                             | 7.2.0.4034+       | Win32    | Fortinet                     |
 | Free NaturalReader                      | 16.1.2            | Win32    | Natural Soft                 |
@@ -101,6 +106,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | Illuminate Lockdown Browser             | 2.0.5             | Win32    | Illuminate Education         |
 | Immunet                                 | 7.5.0.20795       | Win32    | Immunet                      |
 | Impero Backdrop Client                  | 4.4.86            | Win32    | Impero Software              |
+| Inspiration 10                          | 10.11             | Win32    | Inspiration Software, Inc.   |
 | JAWS for Windows                        | 2022.2112.24      | Win32    | Freedom Scientific           |
 | Kite Student Portal                     | 8.0.3.0           | Win32    | Dynamic Learning Maps        |
 | Kortext                                 | 2.3.433.0         | Store    | Kortext                      |
@@ -119,6 +125,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | NextUp Talker                           | 1.0.49            | Win32    | NextUp Technologies          |
 | NonVisual Desktop Access                | 2021.3.1          | Win32    | NV Access                    |
 | NWEA Secure Testing Browser             | 5.4.356.0         | Win32    | NWEA                         |
+| PaperCut                                | 22.0.6            | Win32    | PaperCut Software International Pty Ltd |
 | Pearson TestNav                         | 1.10.2.0          | Store    | Pearson                      |
 | Questar Secure Browser                  | 4.8.3.376         | Win32    | Questar, Inc                 |
 | ReadAndWriteForWindows                  | 12.0.60.0         | Win32    | Texthelp Ltd.                |
@@ -128,6 +135,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | Safe Exam Browser                       | 3.3.2.413         | Win32    | Safe Exam Browser            |
 | Senso.Cloud                             | 2021.11.15.0      | Win32    | Senso.Cloud                  |
 | SuperNova Magnifier & Screen Reader     | 21.02             | Win32    | Dolphin Computer Access      |
+| SuperNova Magnifier & Speech            | 21.02             | Win32    | Dolphin Computer Access      |  
+| VitalSourceBookShelf 	                  | 10.2.26.0         | Win32    | VitalSource Technologies Inc | 
+| Winbird                                 |	19                | Win32    | Winbird Co., Ltd.            |           
+| WordQ 	                                | 5.4.23            | Win32    | Mathetmots                   |
 | Zoom                                    | 5.9.1 (2581)      | Win32    | Zoom                         |
 | ZoomText Fusion                         | 2022.2109.10      | Win32    | Freedom Scientific           |
 | ZoomText Magnifier/Reader               | 2022.2109.25      | Win32    | Freedom Scientific           |
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index 7cd1a683ce..774fca45dd 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -4,7 +4,7 @@ description: Windows 11 SE automatically configures settings in the operating sy
 ms.topic: article
 ms.date: 09/12/2022
 appliesto:
-- ✅ <b>Windows 11 SE</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ---
 
 # Windows 11 SE for Education settings list
diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md
index 90b399237d..f933dc3465 100644
--- a/education/windows/windows-editions-for-education-customers.md
+++ b/education/windows/windows-editions-for-education-customers.md
@@ -4,7 +4,7 @@ description: Learn about the two Windows 10 editions that are designed for the n
 ms.topic: article
 ms.date: 08/10/2022
 appliesto:
-- ✅ <b>Windows 10</b>
+  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
 ---
 
 # Windows 10 editions for education customers
diff --git a/images/grouppolicy-paste.png b/images/grouppolicy-paste.png
new file mode 100644
index 0000000000..ba2de148f1
Binary files /dev/null and b/images/grouppolicy-paste.png differ
diff --git a/smb/docfx.json b/smb/docfx.json
deleted file mode 100644
index 15de5f0bb4..0000000000
--- a/smb/docfx.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
-  "build": {
-    "content": [
-      {
-        "files": [
-          "**/*.md",
-          "**/*.yml"
-        ],
-        "exclude": [
-          "**/obj/**",
-          "smb/**",
-          "**/includes/**"
-        ]
-      }
-    ],
-    "resource": [
-      {
-        "files": [
-          "**/*.png",
-          "**/*.jpg"
-        ],
-        "exclude": [
-          "**/obj/**",
-          "smb/**",
-          "**/includes/**"
-        ]
-      }
-    ],
-    "overwrite": [],
-    "externalReference": [],
-    "globalMetadata": {
-      "recommendations": true,
-      "breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
-      "uhfHeaderId": "MSDocsHeader-M365-IT",
-      "feedback_system": "None",
-      "hideEdit": true,
-      "_op_documentIdPathDepotMapping": {
-        "./": {
-          "depot_name": "TechNet.smb",
-          "folder_relative_path_in_docset": "./"
-        }
-      },
-      "contributors_to_exclude": [ 
-        "rjagiewich", 
-        "traya1", 
-        "rmca14", 
-        "claydetels19", 
-        "Kellylorenebaker",
-        "jborsecnik",
-        "tiburd",
-        "AngelaMotherofDragons",
-        "dstrome",
-        "v-dihans",        
-        "garycentric"
-      ],
-      "titleSuffix": "Windows for Small to Midsize Business"
-    },
-    "fileMetadata": {},
-    "template": [],
-    "dest": "smb",
-    "markdownEngineName": "markdig"
-    }
-}
diff --git a/smb/includes/smb-content-updates.md b/smb/includes/smb-content-updates.md
deleted file mode 100644
index 4414b9e00b..0000000000
--- a/smb/includes/smb-content-updates.md
+++ /dev/null
@@ -1,11 +0,0 @@
-<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
-

-
-
-## Week of July 18, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 7/22/2022 | Deploy and manage a full cloud IT solution for your business | removed |
-| 7/22/2022 | Windows 10/11 for small to midsize businesses | removed |
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index a625c4f1c7..96f2e3ec05 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -1,7 +1,7 @@
 ---
 title: Add or hide optional apps and features on Windows devices | Microsoft Docs
 description: Learn how to add Windows 10 and Windows 11 optional features using the Apps & features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Apps and Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
-ms.prod: w10
+ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 ms.date: 08/30/2021
 ms.reviewer: 
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-apps
 ---
 
 # Add or hide features on the Windows client OS
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index 3c080dc8c9..cc656aafd4 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -1,13 +1,14 @@
 ---
 title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10)
-description: Information about what's new in App-V for Windows 10, version 1703 and earlier. 
+description: Information about what's new in App-V for Windows 10, version 1703 and earlier.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # What's new in App-V for Windows 10, version 1703 and earlier
 
diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
index d49eb1249f..58897cdf6e 100644
--- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to Add or Remove an Administrator by Using the Management Console (Windows 10/11)
 description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to add or remove an administrator by using the Management Console
 
diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
index e0eb8f53de..fa08c35781 100644
--- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to Add or Upgrade Packages by Using the Management Console (Windows 10/11)
 description: Add or upgrade packages on the Microsoft Application Virtualization (App-V) server by using the Management Console.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to add or upgrade packages by using the Management Console
 
diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
index 03ad7e6238..03cecb9d0e 100644
--- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md
+++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md
@@ -2,12 +2,13 @@
 title: Administering App-V by using Windows PowerShell (Windows 10/11)
 description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Administering App-V by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
index bf7e7c0092..e211ca7e51 100644
--- a/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-administering-virtual-applications-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: Administering App-V Virtual Applications by using the Management Console (Windows 10/11)
 description: Administering App-V Virtual Applications by using the Management Console
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Administering App-V Virtual Applications by using the Management Console
 
diff --git a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
index 64361de362..26f95c80b5 100644
--- a/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
+++ b/windows/application-management/app-v/appv-allow-administrators-to-enable-connection-groups.md
@@ -2,12 +2,13 @@
 title: Only Allow Admins to Enable Connection Groups (Windows 10/11)
 description: Configure the App-V client so that only administrators, not users, can enable or disable connection groups.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to allow only administrators to enable connection groups
 
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 34b447c216..74ab14397b 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -2,12 +2,13 @@
 title: Application Publishing and Client Interaction (Windows 10/11)
 description: Learn technical information about common App-V Client operations and their integration with the local operating system.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Application publishing and client interaction
 
@@ -230,7 +231,7 @@ The App-V Client can be configured to change the default behavior of streaming.
 |PackageSourceRoot|The root override where packages should be streamed from|
 |SharedContentStoreMode|Enables the use of Shared Content Store for VDI scenarios|
 
-These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that is important to understand:
+These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors in streaming packages that are important to understand:
 
 - Background Streaming
 - Optimized Streaming
@@ -343,7 +344,7 @@ This process will recreate both the local and network locations for AppData and
 
 In an App-V Full Infrastructure, after applications are sequenced, they're managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client.
 
-This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Endpoint Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications).
+This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Microsoft Configuration Manager, see [Deploy App-V virtual applications with Configuration Manager](/mem/configmgr/apps/get-started/deploying-app-v-virtual-applications).
 
 The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell).
 
diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
index c8740e0295..567e7032c1 100644
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
@@ -2,12 +2,13 @@
 title: Apply deployment config file via Windows PowerShell (Windows 10/11)
 description: How to apply the deployment configuration file by using Windows PowerShell for Windows 10/11.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/15/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to apply the deployment configuration file by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
index be239ea61e..cdf4c28c91 100644
--- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
+++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md
@@ -2,12 +2,13 @@
 title: How to apply the user configuration file by using Windows PowerShell (Windows 10/11)
 description: How to apply the user configuration file by using Windows PowerShell (Windows 10/11).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/15/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to apply the user configuration file by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
index dc1ca15097..4939b6ebf8 100644
--- a/windows/application-management/app-v/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -2,12 +2,13 @@
 title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
 description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
 
diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 7c980f474e..e7258a8130 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -2,12 +2,13 @@
 title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
 description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
 
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index cb417de5f7..3355376c09 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -2,12 +2,13 @@
 title: Auto-remove unpublished packages on App-V client (Windows 10/11)
 description: How to automatically clean up any unpublished packages on your App-V client devices.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/15/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Automatically clean up unpublished packages on the App-V client
 
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
index ce0946e52d..7ceed272a7 100644
--- a/windows/application-management/app-v/appv-auto-provision-a-vm.md
+++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md
@@ -2,12 +2,13 @@
 title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
 description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)
 
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 1cb2437d69..771a738982 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -2,12 +2,13 @@
 title: Available Mobile Device Management (MDM) settings for App-V (Windows 10/11)
 description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/15/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Available Mobile Device Management (MDM) settings for App-V
 
diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md
index 1b99178358..a6a532e8a3 100644
--- a/windows/application-management/app-v/appv-capacity-planning.md
+++ b/windows/application-management/app-v/appv-capacity-planning.md
@@ -2,12 +2,13 @@
 title: App-V Capacity Planning (Windows 10/11)
 description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # App-V Capacity Planning
 
diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md
index df718dd34c..326585e719 100644
--- a/windows/application-management/app-v/appv-client-configuration-settings.md
+++ b/windows/application-management/app-v/appv-client-configuration-settings.md
@@ -2,12 +2,13 @@
 title: About Client Configuration Settings (Windows 10/11)
 description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # About Client Configuration Settings
 
diff --git a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
index e6df891618..41d37e769a 100644
--- a/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-configure-access-to-packages-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to configure access to packages by using the Management Console (Windows 10/11)
 description: How to configure access to packages by using the App-V Management Console.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to configure access to packages by using the Management Console
 
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index fea49f61d9..8a69ae36a5 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -2,12 +2,13 @@
 title: How to make a connection group ignore the package version (Windows 10/11)
 description: Learn how to make a connection group ignore the package version with the App-V Server Management Console.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to make a connection group ignore the package version
 
diff --git a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
index 049605ef02..6c2f01bc3f 100644
--- a/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+++ b/windows/application-management/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
@@ -2,12 +2,13 @@
 title: How to configure the client to receive package and connection groups updates from the publishing server (Windows 10/11)
 description: How to configure the client to receive package and connection groups updates from the publishing server.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/25/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to configure the client to receive package and connection groups updates from the publishing server
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index 253636d464..07b3d731e9 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to connect to the Management Console (Windows 10/11)
 description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/25/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to connect to the Management Console
diff --git a/windows/application-management/app-v/appv-connection-group-file.md b/windows/application-management/app-v/appv-connection-group-file.md
index 8ceb9b6c5f..e39efd3b64 100644
--- a/windows/application-management/app-v/appv-connection-group-file.md
+++ b/windows/application-management/app-v/appv-connection-group-file.md
@@ -2,12 +2,13 @@
 title: About the connection group file (Windows 10/11)
 description: A summary of what the connection group file is and how to configure it.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/25/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # About the connection group file
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index db04478772..f1f55c9cd9 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -2,12 +2,13 @@
 title: About the connection group virtual environment (Windows 10/11)
 description: Learn how the connection group virtual environment works and how package priority is determined.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 06/25/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # About the connection group virtual environment
 
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 1684f4c3f3..860483ff03 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -2,12 +2,13 @@
 title: How to convert a package created in a previous version of App-V (Windows 10/11)
 description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to convert a package created in a previous version of App-V
 
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index ee158c7267..96b3e97312 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -2,12 +2,13 @@
 title: How to create a connection croup with user-published and globally published packages (Windows 10/11)
 description: How to create a connection croup with user-published and globally published packages.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to create a connection croup with user-published and globally published packages
 
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index 260369d8c3..497e3ea71b 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -2,12 +2,13 @@
 title: How to create a connection group (Windows 10/11)
 description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to create a connection group
 
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index 0190e974ef..4c8acf525d 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to create a custom configuration file by using the App-V Management Console (Windows 10/11)
 description: How to create a custom configuration file by using the App-V Management Console.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to create a custom configuration file by using the App-V Management Console
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index 28482df125..ddd0de127f 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -2,12 +2,13 @@
 title: How to create a package accelerator by using Windows PowerShell (Windows 10/11)
 description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to create a package accelerator by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index 3f2be47130..c753f09372 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -2,12 +2,13 @@
 title: How to create a package accelerator (Windows 10/11)
 description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to create a package accelerator
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index babfd64cfe..49e3724b94 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -2,12 +2,13 @@
 title: How to create a virtual application package using an App-V Package Accelerator (Windows 10/11)
 description: How to create a virtual application package using an App-V Package Accelerator.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to create a virtual application package using an App-V Package Accelerator
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 32aca7fa5e..70650f1456 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -2,12 +2,13 @@
 title: Create and apply an App-V project template to a sequenced App-V package (Windows 10/11)
 description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Create and apply an App-V project template to a sequenced App-V package
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index 5dd5070e14..adb044d34a 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -2,12 +2,13 @@
 title: Creating and managing App-V virtualized applications (Windows 10/11)
 description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # Creating and managing App-V virtualized applications
 
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index 4b06455581..0326ed9cec 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10/11)
 description: How to customize virtual application extensions for a specific AD group by using the Management Console.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 07/10/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to customize virtual applications extensions for a specific AD group by using the Management Console
 
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 13a1040daf..32cb6660b7 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -2,12 +2,13 @@
 title: How to delete a connection group (Windows 10/11)
 description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to delete a connection group
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index e4df263550..21b928cfbb 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to delete a package in the Management Console (Windows 10/11)
 description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to delete a package in the Management Console
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index 9c2e2e8c68..2f34d49a3a 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -2,12 +2,13 @@
 title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10/11)
 description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to deploy the App-V databases by using SQL scripts
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 1c04491cc8..4005389caf 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -2,12 +2,13 @@
 title: How to deploy App-V packages using electronic software distribution (Windows 10/11)
 description: Learn how to use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to deploy App-V packages using electronic software distribution
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 0025905016..f643e3540b 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -2,12 +2,13 @@
 title: How to Deploy the App-V Server Using a Script (Windows 10/11)
 description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to deploy the App-V server using a script
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index b054a15012..417e6a9dbd 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -2,12 +2,13 @@
 title: How to Deploy the App-V Server (Windows 10/11)
 description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to Deploy the App-V Server (new installation)
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index 8dbb0be4d1..9b93a5cd57 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -2,12 +2,13 @@
 title: Deploying App-V (Windows 10/11)
 description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Deploying App-V for Windows client
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index afe22af405..c1a212d4a9 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -2,12 +2,13 @@
 title: Deploying Microsoft Office 2010 by Using App-V
 description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Deploying Microsoft Office 2010 by Using App-V
@@ -37,7 +38,7 @@ Sequencing Office 2010 is one of the main methods for creating an Office 2010 pa
 
 You can deploy Office 2010 packages by using any of the following App-V deployment methods:
 
-* Microsoft Endpoint Configuration Manager
+* Microsoft Configuration Manager
 * App-V server
 * Stand-alone through Windows PowerShell commands
 
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index 3dff5e4e6f..2361c92d00 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -2,12 +2,13 @@
 title: Deploying Microsoft Office 2013 by Using App-V (Windows 10/11)
 description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Deploying Microsoft Office 2013 by Using App-V
@@ -244,7 +245,7 @@ Use the following information to publish an Office package.
 
 Deploy the App-V package for Office 2013 by using the same methods you use for any other package:
 
-* Microsoft Endpoint Configuration Manager
+* Microsoft Configuration Manager
 * App-V Server
 * Stand-alone through Windows PowerShell commands
 
@@ -282,7 +283,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
 
 #### To enable plug-ins for Office App-V packages
 
-1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
+1. Add a Connection Group through App-V Server, Microsoft Configuration Manager, or a Windows PowerShell cmdlet.
 2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2013 is installed on the computer being used to sequence the plug-in. It's a good idea to use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when you sequence Office 2013 plug-ins.
 3. Create an App-V package that includes the desired plug-ins.
 4. Add a Connection Group through App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index 657f495e80..871ad80c8d 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -2,12 +2,13 @@
 title: Deploying Microsoft Office 2016 by using App-V (Windows 10/11)
 description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Deploying Microsoft Office 2016 by using App-V
@@ -228,7 +229,7 @@ Use the following information to publish an Office package.
 
 Deploy the App-V package for Office 2016 by using the same methods as the other packages that you've already deployed:
 
-* Microsoft Endpoint Configuration Manager
+* Microsoft Configuration Manager
 * App-V Server
 * Stand-alone through Windows PowerShell commands
 
@@ -265,7 +266,7 @@ The following steps will tell you how to enable Office plug-ins with your Office
 
 #### Enable plug-ins for Office App-V packages
 
-1. Add a Connection Group through App-V Server, Microsoft Endpoint Configuration Manager, or a Windows PowerShell cmdlet.
+1. Add a Connection Group through App-V Server, Microsoft Configuration Manager, or a Windows PowerShell cmdlet.
 2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer that will be used to sequence the plug-in. We recommend that you use Microsoft 365 Apps for enterprise (non-virtual) on the sequencing computer when sequencing Office 2016 plug-ins.
 3. Create an App-V package that includes the plug-ins you want.
 4. Add a Connection Group through the App-V Server, Configuration Manager, or a Windows PowerShell cmdlet.
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 3611a2181c..19ddffc329 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -2,12 +2,13 @@
 title: Deploying App-V packages by using electronic software distribution (ESD)
 description: Deploying App-V packages by using electronic software distribution (ESD)
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Deploying App-V packages by using electronic software distribution (ESD)
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index f9634bb42c..23364f226c 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -2,12 +2,13 @@
 title: Deploying the App-V Sequencer and configuring the client (Windows 10/11)
 description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Deploying the App-V Sequencer and configuring the client
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index e425121b5a..a65e0f099d 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -2,12 +2,13 @@
 title: Deploying the App-V Server (Windows 10/11)
 description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10/11 by using different deployment configurations described in this article.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Deploying the App-V server
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 6daec0a802..a7c3a33ae3 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -2,12 +2,13 @@
 title: App-V Deployment Checklist (Windows 10/11)
 description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # App-V Deployment Checklist
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 940ef0f90c..2f5070263e 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -2,12 +2,13 @@
 title: About App-V Dynamic Configuration (Windows 10/11)
 description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # About App-V dynamic configuration
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 91b326948f..c8554bb768 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -2,8 +2,8 @@
 title: How to enable only administrators to publish packages by using an ESD
 description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD).
 author: aczechowski
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-apps
 ms.date: 05/02/2022
 ms.reviewer: 
 manager: dougeby
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index 7e4ecc2081..2b56810126 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -2,12 +2,13 @@
 title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10/11)
 description: How to Enable Reporting on the App-V Client by Using Windows PowerShell
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to Enable Reporting on the App-V Client by Using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index 337a016044..c90e3f24f7 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -2,12 +2,13 @@
 title: Enable the App-V in-box client (Windows 10/11)
 description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10/11.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Enable the App-V in-box client
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 0bfbdf81ed..5324043e75 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -2,11 +2,12 @@
 title: Evaluating App-V (Windows 10/11)
 description: Learn how to evaluate App-V for Windows 10/11 in a lab environment before deploying into a production environment.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Evaluating App-V
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index 5218e5194d..c0190e9ad0 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -2,12 +2,13 @@
 title: Application Virtualization (App-V) (Windows 10/11)
 description: See various articles that can help you administer Application Virtualization (App-V) and its components.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Application Virtualization (App-V) for Windows client overview
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 813ac3e0df..0ac943721e 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -2,12 +2,13 @@
 title: Getting Started with App-V (Windows 10/11)
 description: Get started with Microsoft Application Virtualization (App-V) for Windows 10/11. App-V for Windows client devices delivers Win32 applications to users as virtual applications.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Getting started with App-V for Windows client
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index beb7f72afc..d14f1d6594 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -2,12 +2,13 @@
 title: High-level architecture for App-V (Windows 10/11)
 description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # High-level architecture for App-V
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index 7f3634d48b..ca6176f530 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -2,11 +2,12 @@
 title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10/11)
 description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index 3f9382ed18..262b132cdd 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -2,12 +2,13 @@
 title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10/11)
 description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index ce718b9ce8..1628f2e74c 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -2,12 +2,13 @@
 title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10/11)
 description: How to install the Management Server on a Standalone Computer and Connect it to the Database
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to install the Management Server on a Standalone Computer and Connect it to the Database
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index 2217e93aab..72db9c5275 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -2,12 +2,13 @@
 title: Install the Publishing Server on a Remote Computer (Windows 10/11)
 description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to install the publishing server on a remote computer
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index 109695af22..f76835b49c 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -2,12 +2,13 @@
 title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10/11)
 description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to install the reporting server on a standalone computer and connect it to the database
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index c3f7e5871f..7d6a6fafc5 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -2,12 +2,13 @@
 title: Install the App-V Sequencer (Windows 10/11)
 description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Install the App-V Sequencer
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 2f7f7198c4..cd63df0b5f 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -2,12 +2,13 @@
 title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10/11)
 description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to load the Windows PowerShell cmdlets for App-V and get cmdlet help
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 4920d942b8..fc8dfc21e0 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -2,12 +2,13 @@
 title: Maintaining App-V (Windows 10/11)
 description: After you have deployed App-V for Windows 10/11, you can use the following information to maintain the App-V infrastructure.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Maintaining App-V
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index c31e7e77f1..90dbde5bfe 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -5,12 +5,13 @@ author: aczechowski
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/24/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 # How to manage App-V packages running on a stand-alone computer by using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index 3530f44a72..9cc33e59c4 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -2,11 +2,12 @@
 title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10/11)
 description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 101a4319c9..92205f0970 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -2,11 +2,12 @@
 title: Managing Connection Groups (Windows 10/11)
 description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Managing Connection Groups
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index ffc314ab6a..4a56597185 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -2,11 +2,12 @@
 title: Migrating to App-V from a Previous Version (Windows 10/11)
 description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10/11 from a previous version.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Migrating to App-V from previous versions
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index 73cca93a49..5b3828c3ce 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -2,11 +2,12 @@
 title: How to Modify an Existing Virtual Application Package (Windows 10/11)
 description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to Modify an Existing Virtual Application Package
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index ed3b70bd54..221a09536f 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -2,11 +2,12 @@
 title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10/11)
 description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to Modify Client Configuration by Using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index b54803c5c3..7a455cd752 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -2,11 +2,12 @@
 title: How to Move the App-V Server to Another Computer (Windows 10/11)
 description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to move the App-V server to another computer
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index cc6eb653d1..224a4490ae 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -2,12 +2,13 @@
 title: Operations for App-V (Windows 10/11)
 description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Operations for App-V
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index 8b935473ac..5675d15eff 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -2,11 +2,12 @@
 title: Performance Guidance for Application Virtualization
 description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Performance Guidance for Application Virtualization
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index 4587de5ccf..7616cad1e5 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -2,12 +2,13 @@
 title: App-V Planning Checklist (Windows 10/11)
 description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # App-V Planning Checklist
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index 7e5df34930..de5a689d74 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -2,12 +2,13 @@
 title: Planning to Use Folder Redirection with App-V (Windows 10/11)
 description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning to Use Folder Redirection with App-V
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index bb8c0a834a..9279268e38 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -2,12 +2,13 @@
 title: Planning for the App-V Server Deployment (Windows 10/11)
 description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning for the App-V server deployment
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index 1436e5d26f..f05793311f 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -2,12 +2,13 @@
 title: Planning for App-V (Windows 10/11)
 description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning for App-V
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index b36e523319..90d0eb2de4 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -2,12 +2,13 @@
 title: Planning for High Availability with App-V Server
 description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning for high availability with App-V Server
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index f0cdc63ccc..c42918e88b 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -2,12 +2,13 @@
 title: Planning for the App-V Sequencer and Client Deployment (Windows 10/11)
 description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning for the App-V Sequencer and Client Deployment
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index e6b05d14bb..451e113eaa 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -2,12 +2,13 @@
 title: Planning for Deploying App-V with Office (Windows 10/11)
 description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning for deploying App-V with Office
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 0058f4790c..ad7565277d 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -2,19 +2,20 @@
 title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10/11)
 description: Planning to Deploy App-V with an Electronic Software Distribution System
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning to Deploy App-V with an electronic software distribution system
 
 [!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
 
-If you're using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Endpoint Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv).
+If you're using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with Microsoft Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv).
 
 Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages:
 
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index 2961ee7c7a..9a682b9c47 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -2,12 +2,13 @@
 title: Planning to Deploy App-V (Windows 10/11)
 description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Planning to Deploy App-V for Windows client
diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md
index d79827a41c..cf0f423e87 100644
--- a/windows/application-management/app-v/appv-preparing-your-environment.md
+++ b/windows/application-management/app-v/appv-preparing-your-environment.md
@@ -1,13 +1,14 @@
 ---
 title: Preparing Your Environment for App-V (Windows 10/11)
 description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V).
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 author: aczechowski
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Preparing your environment for App-V
diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md
index ec9b2e4fc1..d63f666cfa 100644
--- a/windows/application-management/app-v/appv-prerequisites.md
+++ b/windows/application-management/app-v/appv-prerequisites.md
@@ -2,12 +2,13 @@
 title: App-V Prerequisites (Windows 10/11)
 description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/18/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # App-V for Windows client prerequisites
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index bd948491e4..67936bfc06 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -2,12 +2,13 @@
 title: How to Publish a Connection Group (Windows 10/11)
 description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to Publish a Connection Group
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index a116987714..3401984dac 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -2,12 +2,13 @@
 title: How to publish a package by using the Management console (Windows 10/11)
 description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 09/27/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # How to publish a package by using the Management console
diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
index 99f10bfe36..0bd4777e42 100644
--- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
@@ -2,11 +2,12 @@
 title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10/11)
 description: How to Register and Unregister a Publishing Server by Using the Management Console
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to Register and Unregister a Publishing Server by Using the Management Console
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index 8ffcdfb10f..5bfd8497af 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -2,11 +2,12 @@
 title: Release Notes for App-V for Windows 10 version 1703 (Windows 10/11)
 description: A list of known issues and workarounds for App-V running on Windows 10 version 1703 and Windows 11.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Release Notes for App-V for Windows 10 version 1703 and later
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index 3cdbf4b20c..5c38053e2b 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -2,11 +2,12 @@
 title: Release Notes for App-V for Windows 10, version 1607 (Windows 10)
 description: A list of known issues and workarounds for App-V running on Windows 10, version 1607.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Release Notes for App-V for Windows 10, version 1607
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 2ca67c8695..5464c1fdcc 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -2,12 +2,13 @@
 title: About App-V Reporting (Windows 10/11)
 description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/16/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # About App-V reporting
@@ -94,7 +95,7 @@ Yes. Besides manually sending reporting using Windows PowerShell cmdlets (**Send
 
 ## App-V Client reporting
 
-To use App-V reporting,, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting.
+To use App-V reporting, you must enable and configure the App-V client. To configure reporting on the client, use the Windows PowerShell cmdlet **Set-AppVClientConfiguration**, or the Group Policy **ADMX Template**. For more information about the Windows PowerShell cmdlets, see [About client configuration settings](appv-client-configuration-settings.md). The following section provides examples of Windows PowerShell commands for configuring App-V client reporting.
 
 ### Configuring App-V client reporting using Windows PowerShell
 
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index 3237fd2de8..49b68f3ed9 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -2,11 +2,12 @@
 title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10/11)
 description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 03/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
@@ -41,7 +42,7 @@ Each method accomplishes essentially the same task, but some methods may be bett
 
 To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections.
 
-There's no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry.
+There's no Group Policy setting available to manage this registry key. So, you have to use Microsoft Intune or Configuration Manager, another electronic software distribution (ESD) system, or manually edit the registry.
 
 Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user.
 
@@ -65,7 +66,7 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo
       Use the `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER` key. But, all of the following conditions must be fulfilled:
 
       - If you want to include multiple packages in the virtual environment, you must include them in an enabled connection group.
-      - Create only one subkey for one of the packages in the connection group. If, for example, you have one package that is published globally, and another package that is published to the user, you create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment.
+      - Create only one subkey for one of the packages in the connection group. For example, you have one package that is published globally and another package that is published to the user. You create a subkey for either of these packages, but not both. Although you create a subkey for only one of the packages, all of the packages in the connection group, plus the local application, will be available in the virtual environment.
       - The key under which you create the subkey must match the publishing method you used for the package.
 
         For example, if you published the package to the user, you must create the subkey under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual`. Don't add a key for the same application under both hives.
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index 5edc3a1207..23e9dce8a5 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -2,12 +2,13 @@
 title: App-V Security Considerations (Windows 10/11)
 description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/16/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # App-V security considerations
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index 5a9c710587..7e0b19b428 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -2,12 +2,13 @@
 title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10/11)
 description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/16/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer)
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 6b99b11b7d..65cccc4561 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -2,11 +2,12 @@
 title: How to sequence a package by using Windows PowerShell (Windows 10/11)
 description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to Sequence a Package by using Windows PowerShell
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index 2522c24732..e9168ea779 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -2,12 +2,13 @@
 title: App-V Supported Configurations (Windows 10/11)
 description: Learn the requirements to install and run App-V supported configurations in your Windows 10/11 environment.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/16/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # App-V Supported Configurations
@@ -72,7 +73,7 @@ The App-V Publishing server can be installed on a server that runs Windows Serve
 
 ### Publishing server hardware requirements
 
-App-V adds requires nothing beyond the requirements of Windows Server.
+App-V adds require nothing beyond the requirements of Windows Server.
 
 * A 64-bit (x64) processor that runs at 1.4 GHz or faster.
 * 2-GB RAM (64-bit).
@@ -117,7 +118,7 @@ Sequencer is now part of the Windows Assessment and Deployment Kit (Windows ADK)
 
 See the Windows or Windows Server documentation for the hardware requirements.
 
-## Supported versions of Microsoft Endpoint Configuration Manager
+## Supported versions of Microsoft Configuration Manager
 
 The App-V client works with Configuration Manager versions starting with Technical Preview for Configuration Manager, version 1606.
 
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index 786dc0acb1..80859782c4 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -2,11 +2,12 @@
 title: Technical Reference for App-V (Windows 10/11)
 description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Technical Reference for App-V
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
index 54322edfa1..b0a1c0a587 100644
--- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -2,11 +2,12 @@
 title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10/11)
 description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index d5444ae7ab..9bba519134 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -2,11 +2,12 @@
 title: Troubleshooting App-V (Windows 10/11)
 description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V articles.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Troubleshooting App-V
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index d8687a7cf5..192f9f4b66 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -2,11 +2,12 @@
 title: Upgrading to App-V for Windows 10/11 from an existing installation (Windows 10/11)
 description: Learn about upgrading to Application Virtualization (App-V) for Windows 10/11 from an existing installation.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Upgrading to App-V for Windows client from an existing installation
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index c7ece16ed1..c327a058bb 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -2,11 +2,12 @@
 title: Using the App-V Client Management Console (Windows 10/11)
 description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Using the App-V Client Management Console
diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
index c3742fa2f9..858f0dcbad 100644
--- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
@@ -2,11 +2,12 @@
 title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10/11)
 description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index b74ad51647..f5fad71c85 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -2,11 +2,12 @@
 title: Viewing App-V Server Publishing Metadata (Windows 10/11)
 description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-apps
 ---
 
 # Viewing App-V Server Publishing Metadata
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 0c38b376be..425e703738 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -1,14 +1,14 @@
 ---
 title: Learn about the different app types in Windows 10/11 | Microsoft Docs
 description: Learn more and understand the different types of apps that run on Windows 10 and Windows 11. For example, learn more about UWP, WPF, Win32, and Windows Forms apps, including the best way to install these apps.
-ms.prod: w10
+ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.reviewer: 
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-apps
 ---
 
 # Overview of apps on Windows client devices
@@ -20,11 +20,11 @@ ms.collection: highpri
 
 ## Before you begin
 
-As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
+As organizations become more global, and to support employees working from anywhere, it's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use the Microsoft Intune family of products. This family includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
 
 In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
 
-- [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
+- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
 - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
 - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
 
@@ -32,7 +32,7 @@ In this article, we mention these services. If you're not managing your devices
 
 There are different types of apps that can run on your Windows client devices. This section lists some of the common apps used on Windows devices.
 
-- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. Using an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
+- **Microsoft 365 apps**: These apps are used for business and productivity, and include Outlook, Word, Teams, OneNote, and more. Depending on the licenses your organization has, you may already have these apps. When you use an MDM provider, these apps can also be deployed to mobile devices, including smartphones.
 
   For more information on the Microsoft 365 license options, and what you get, see [Transform your enterprise with Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
 
@@ -95,7 +95,7 @@ When your apps are ready, you can add or deploy these apps to your Windows devic
   - [Add apps to Microsoft Intune](/mem/intune/apps/apps-add)
   - [Application management in Configuration Manager](/mem/configmgr/apps/understand/introduction-to-application-management)
 
-- **Microsoft Store**: Using the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **[Windows Package Manager](/windows/package-manager)** to add apps to the private store.
+- **Microsoft Store**: When you use the Microsoft Store app, Windows users can download apps from the public store. And, they can download apps provided by your organization, which is called the "private store". If your organization creates its own apps, you can use **[Windows Package Manager](/windows/package-manager)** to add apps to the private store.
 
   To help manage the Microsoft Store on your devices, you can use policies:
 
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 0c2d4413bb..4cd7b0588c 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -36,7 +36,7 @@
       "recommendations": true,
       "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
       "uhfHeaderId": "MSDocsHeader-M365-IT",
-      "ms.technology": "windows",
+      "ms.technology": "itpro-apps",
       "ms.topic": "article",
       "feedback_system": "GitHub",
       "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 60cb9c5b79..f55199f3a5 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -1,13 +1,14 @@
 ---
 title: Remove background task resource restrictions
 description: Allow enterprise background tasks unrestricted access to computer resources.
-ms.prod: w10
+ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 10/03/2017
 ms.reviewer: 
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Remove background task resource restrictions
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index e13b0747f4..73c14c4195 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -1,25 +1,19 @@
 ### YamlMime:Landing
 
-title: Windows application management # < 60 chars
-summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions.  # < 160 chars
+title: Windows application management
+summary: Learn about managing applications in Windows client, including how to remove background task resource restrictions.
 
 metadata:
-  title: Windows application management  # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Learn about managing applications in Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
-  services: windows-10
-  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.subservice: subservice
-  ms.topic: landing-page # Required
-  ms.collection: 
-    - windows-10
+  title: Windows application management
+  description: Learn about managing applications in Windows 10 and Windows 11.
+  ms.topic: landing-page
+  ms.prod: windows-client
+  ms.collection:
     - highpri
   author: nicholasswhite
   ms.author: nwhite
   manager: aaroncz
-  ms.date: 08/24/2021 #Required; mm/dd/yyyy format.
-  ms.localizationpriority : medium
-    
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+  ms.date: 08/24/2021
 
 landingContent:
 # Cards and links should be based on top customer tasks or top subjects
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 7735990889..56381683e9 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,12 +1,13 @@
 ---
 title: Per-user services in Windows 10 and Windows Server
 description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
-ms.prod: w10
+ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 09/14/2017
 ms.reviewer: 
+ms.technology: itpro-apps
 ---
 
 # Per-user services in Windows 10 and Windows Server 
@@ -113,7 +114,7 @@ If a per-user service can't be disabled using the security template, you can dis
 
    ![Startup Type is Disabled.](media/gpp-svc-disabled.png)   
    
-9. To add the other services that can't be managed with a Group Policy templates, edit the policy and repeat steps 5-8.  
+9. To add the other services that can't be managed with Group Policy templates, edit the policy and repeat steps 5-8.  
 
 ### Managing Template Services with reg.exe
 
diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
index b039ab012b..e9d56cf86b 100644
--- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md
@@ -5,9 +5,10 @@ author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.reviewer: amanh
-ms.prod: w11
+ms.prod: windows-client
 ms.date: 09/15/2021
 ms.localizationpriority: medium
+ms.technology: itpro-apps
 ---
 
 # Private app repository in Windows 11
@@ -26,11 +27,11 @@ This article discusses the Company Portal app installation options, adding organ
 
 ## Before you begin
 
-The Company Portal app is included with Microsoft Endpoint Manager. Endpoint Manager is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It help manages your devices, and manage apps on your devices.
+The Company Portal app is included with Microsoft Intune. Intune is a Mobile Device Management (MDM) and Mobile Application manager (MAM) provider. It helps manage your devices, your identities, and app data on your devices.
 
 If you're not managing your devices using an MDM provider, the following resources may help you get started:
 
-- [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
+- [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
 - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
 - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
 
@@ -45,7 +46,7 @@ To use the Company Portal app:
 
 To install the Company Portal app, you have some options:
 
-- **Use Microsoft Endpoint Manager**: Endpoint Manager includes Microsoft Intune (cloud) and Configuration Manager (on-premises). With both services, you can add Microsoft Store apps, like the Company Portal app. Once added, you create an app policy that deploys and installs the Company Portal app to your devices.
+- **Use Microsoft Intune**: Microsoft Intune is a family or products that include Microsoft Intune (cloud) and Configuration Manager (on-premises). With both services, you can add Microsoft Store apps, like the Company Portal app. Once added, you create an app policy that deploys and installs the Company Portal app to your devices.
 
   - This option is preferred, and is the most scalable, especially if you have many devices. When you create the app policy, the policy can be deployed to many users and many devices simultaneously. Admins can also use reporting to make sure the app is installed on organization-managed devices.
 
@@ -55,7 +56,7 @@ To install the Company Portal app, you have some options:
 
   For more information, see:
   
-  - [What is Microsoft Endpoint Manager](/mem/endpoint-manager-overview)
+  - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
   - [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows)
   - [What is co-management?](/mem/configmgr/comanage/overview)
   - [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal)
@@ -73,7 +74,7 @@ To install the Company Portal app, you have some options:
 
 - **Use the Microsoft Store**: The Company Portal app is available in the Microsoft Store, and can be downloaded by your users. Users open the Microsoft Store app on their device, search for **Company Portal**, and install it. When it's installed, users might be prompted to sign in with their organization account (`user@contoso.com`). When the app opens, they see a list of approved organization apps that can be installed.
 
-  - This option requires users to install the Company Portal app themselves. If you have many users, the recommended approach is to deploy the Company Portal app using Endpoint Manager or using Windows Autopilot.
+  - This option requires users to install the Company Portal app themselves. If you have many users, the recommended approach is to deploy the Company Portal app using Intune or using Windows Autopilot.
 
   - When the Company Portal app is installed from the Microsoft Store app, by default, it's automatically updated. Users can also open the Microsoft Store, go to the **Library**, and check for updates. Within the Company Portal app, they can use the update feature to get app fixes and feature updates on the organization apps you added.
 
@@ -101,4 +102,4 @@ If you use a third party or partner MDM provider, be sure to configure the setti
 
 ## Windows Package Manager
 
-If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Endpoint Manager and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423).
+If your organization creates its own apps, your app developers can use [Windows Package Manager](/windows/package-manager/) to deploy apps. For more information on Intune and Windows Package Manager, see [Evolving the Microsoft Store for Business and Education](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423).
diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md
index 1c99168f4a..515bf87aeb 100644
--- a/windows/application-management/provisioned-apps-windows-client-os.md
+++ b/windows/application-management/provisioned-apps-windows-client-os.md
@@ -5,9 +5,10 @@ author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # Provisioned apps installed with the Windows client OS
@@ -44,9 +45,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809| 
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ✔️ | ✔️ | ✔️ | | | | | |
+    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 
+    | --- | --- | --- | --- |
+    | ✔️ | ✔️ | ✔️ ||
 
     ---
 
@@ -54,9 +55,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ✔️ | ✔️ | ✔️ | ✔️️|
 
     ---
 
@@ -64,9 +65,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | Use Settings App | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | Use Settings App | ✔️ | ✔️ | ✔️|
 
     ---
 
@@ -74,9 +75,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    |---| --- | --- | --- |
+    | ❌ |  ✔️| ✔️| ✔️|
 
     ---
 
@@ -84,9 +85,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️| ✔️|
 
     ---
 
@@ -94,9 +95,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️| ✔️| ✔️|
 
     ---
     
@@ -106,9 +107,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️|||||||
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️|||
     
     ---  
 
@@ -116,9 +117,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -126,9 +127,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -136,9 +137,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ✔️ | ✔️ | ✔️ | ✔️️|
 
     ---
 
@@ -146,9 +147,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ✔️ | ✔️ | ✔️ | ✔️️|
 
     ---
 
@@ -156,9 +157,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -166,9 +167,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -176,9 +177,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -186,9 +187,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? | 22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ✔️ | ✔️ | ✔️ | ✔️️|
 
     ---
 
@@ -196,9 +197,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -206,9 +207,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    | --- | --- | --- | --- | --- | --- | --- |--- |
-    |️ | ✔️ | ✔️ | ✔️|️ | ✔️|️️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -216,9 +217,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -226,9 +227,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -236,9 +237,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -246,9 +247,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -256,9 +257,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -266,9 +267,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -276,9 +277,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-     | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -286,9 +287,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -296,9 +297,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -306,9 +307,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -316,9 +317,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -326,9 +327,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -336,9 +337,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -346,9 +347,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -356,9 +357,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -366,9 +367,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -376,9 +377,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -386,9 +387,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -398,9 +399,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -408,9 +409,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -418,9 +419,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -428,9 +429,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -438,9 +439,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -448,9 +449,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -458,9 +459,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -468,9 +469,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
 
@@ -478,8 +479,8 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**.
   - Supported versions:
 
     ---
-    | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
-    |---| --- | --- | --- | --- | --- | --- |--- |
-    | ❌ |  ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
+    | Uninstall through UI? |22H2| 21H1 | 20H2 |
+    | --- | --- | --- | --- |
+    | ❌ |  ✔️ | ✔️ | ✔️|  
 
     ---
diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md
index 817364d24a..57b52fce28 100644
--- a/windows/application-management/remove-provisioned-apps-during-update.md
+++ b/windows/application-management/remove-provisioned-apps-during-update.md
@@ -1,12 +1,13 @@
 ---
 title: How to keep apps removed from Windows 10 from returning during an update
 description: How to keep provisioned apps that were removed from your machine from returning during an update.
-ms.prod: w10
+ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 05/25/2018
 ms.reviewer: 
+ms.technology: itpro-apps
 ---
 # How to keep apps removed from Windows 10 from returning during an update
 
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md
index 466370dcd1..baeae78bd8 100644
--- a/windows/application-management/sideload-apps-in-windows-10.md
+++ b/windows/application-management/sideload-apps-in-windows-10.md
@@ -5,8 +5,9 @@ ms.reviewer:
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
+ms.technology: itpro-apps
 ---
 
 # Sideload line of business (LOB) apps in Windows client devices
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 67476d451f..692bae2fe3 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -1,12 +1,13 @@
 ---
 title: Service Host service refactoring in Windows 10 version 1703
 description: Learn about the SvcHost Service Refactoring introduced in Windows 10 version 1703.
-ms.prod: w10
+ms.prod: windows-client
 author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 ms.date: 07/20/2017
 ms.reviewer: 
+ms.technology: itpro-apps
 ---
 
 # Changes to Service Host grouping in Windows 10
diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md
index eef2f72573..0788b793d8 100644
--- a/windows/application-management/system-apps-windows-client-os.md
+++ b/windows/application-management/system-apps-windows-client-os.md
@@ -5,9 +5,10 @@ author: nicholasswhite
 ms.author: nwhite
 manager: aaroncz
 description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-apps
 ---
 
 # System apps installed with the Windows client OS
diff --git a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index f5f05c6ddb..160a97cca0 100644
--- a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index ce8d8ebf38..d5697e455b 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Tools/Administrative Tools
 description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
@@ -9,6 +9,7 @@ ms.localizationpriority: medium
 ms.date: 03/28/2022
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-manage
 ---
 
 # Windows Tools/Administrative Tools
diff --git a/windows/client-management/appv-deploy-and-config.md b/windows/client-management/appv-deploy-and-config.md
index 89619b8a39..f0c9843f27 100644
--- a/windows/client-management/appv-deploy-and-config.md
+++ b/windows/client-management/appv-deploy-and-config.md
@@ -1,13 +1,13 @@
 ---
 title: Deploy and configure App-V apps using MDM
-description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server.
+description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -15,7 +15,7 @@ manager: aaroncz
 
 ## Executive summary
 
-<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
+<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
 
 <p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
 
diff --git a/windows/client-management/assign-seats.md b/windows/client-management/assign-seats.md
index 7394103149..929b1d62e2 100644
--- a/windows/client-management/assign-seats.md
+++ b/windows/client-management/assign-seats.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 467e007dd7..7e49be291f 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.collection: highpri
 ---
@@ -36,7 +36,7 @@ For personal devices (BYOD):
 
 ### Azure AD Join
 
-Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM.
+Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM.
 
 Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
 
@@ -202,9 +202,9 @@ The following table shows the required information to create an entry in the Azu
  
 ### Add on-premises MDM to the app gallery
 
-There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant.
+There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
 
-However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
+However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
 
 ## Themes
 
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index e54875a1df..af610cec3c 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -3,18 +3,22 @@ title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Porta
 description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/18/2020
 ms.reviewer: 
 manager: aaroncz
 ---
 
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal 
+# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Endpoint Manager admin center
 
-> [!NOTE]
-> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com).   
+Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
+
+- [Tutorial: Walkthrough Intune in Microsoft Endpoint Manager admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
+- Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
+If you use the Azure portal, then you can access Intune using the following steps:
 
 1. Go to your Azure AD Blade.
 2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
diff --git a/windows/client-management/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/bulk-assign-and-reclaim-seats-from-user.md
index a02395dea5..dde32f1d1f 100644
--- a/windows/client-management/bulk-assign-and-reclaim-seats-from-user.md
+++ b/windows/client-management/bulk-assign-and-reclaim-seats-from-user.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index 8da354f72a..c85858a2d0 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,15 +1,15 @@
 ---
 title: Bulk enrollment
 description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
-MS-HAID:
+MS-HAID: 
   - 'p\_phdevicemgmt.bulk\_enrollment'
   - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
@@ -28,12 +28,12 @@ Bulk enrollment is an efficient way to set up a large number of devices to be ma
 
 On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
 
-On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
+On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
 
 > [!NOTE]
 > -   Bulk-join is not supported in Azure Active Directory Join.
 > -   Bulk enrollment does not work in Intune standalone environment.
-> -   Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
+> -   Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
 > -   To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
 > -   Bulk Token creation is not supported with federated accounts.
 
@@ -53,14 +53,14 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
 Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
 
 1. Open the WCD tool.
-2. Click **Advanced Provisioning**.
+2. Select **Advanced Provisioning**.
 
    ![icd start page.](images/bulk-enrollment7.png)
-3. Enter a project name and click **Next**.
-4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
-5. Skip **Import a provisioning package (optional)** and click **Finish**.
+3. Enter a project name and select **Next**.
+4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
+5. Skip **Import a provisioning package (optional)** and select **Finish**.
 6. Expand **Runtime settings** &gt; **Workplace**.
-7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
+7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
    The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
 8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
    Here's the list of available settings:
@@ -74,8 +74,8 @@ Using the WCD, create a provisioning package using the enrollment information re
 
     ![bulk enrollment screenshot.](images/bulk-enrollment.png)
 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
-10. When you're done adding all the settings, on the **File** menu, click **Save**.
-11. On the main menu, click **Export** &gt; **Provisioning package**.
+10. When you're done adding all the settings, on the **File** menu, select **Save**.
+11. On the main menu, select **Export** &gt; **Provisioning package**.
 
     ![icd menu for export.](images/bulk-enrollment2.png)
 12. Enter the values for your package and specify the package output location.
@@ -83,7 +83,7 @@ Using the WCD, create a provisioning package using the enrollment information re
     ![enter package information.](images/bulk-enrollment3.png)
     ![enter additional information for package information.](images/bulk-enrollment4.png)
     ![specify file location.](images/bulk-enrollment6.png)
-13. Click **Build**.
+13. Select **Build**.
 
     ![icb build window.](images/bulk-enrollment5.png)
 14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
@@ -94,13 +94,13 @@ Using the WCD, create a provisioning package using the enrollment information re
 Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
 
 1. Open the WCD tool.
-2. Click **Advanced Provisioning**.
-3. Enter a project name and click **Next**.
+2. Select **Advanced Provisioning**.
+3. Enter a project name and select **Next**.
 4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
-5. Skip **Import a provisioning package (optional)** and click **Finish**.
+5. Skip **Import a provisioning package (optional)** and select **Finish**.
 6. Specify the certificate.
    1.  Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
-   2.  Enter a **CertificateName** and then click **Add**.
+   2.  Enter a **CertificateName** and then select **Add**.
    3.  Enter the **CertificatePasword**.
    4.  For **CertificatePath**, browse and select the certificate to be used.
    5.  Set **ExportCertificate** to False.
@@ -109,7 +109,7 @@ Using the WCD, create a provisioning package using the enrollment information re
    ![icd certificates section.](images/bulk-enrollment8.png)
 7. Specify the workplace settings.
    1. Got to **Workplace** &gt; **Enrollments**.
-   2. Enter the **UPN** for the enrollment and then click **Add**.
+   2. Enter the **UPN** for the enrollment and then select **Add**.
       The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
    3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
       Here's the list of available settings:
@@ -120,32 +120,32 @@ Using the WCD, create a provisioning package using the enrollment information re
       -   **Secret** - the certificate thumbprint.
       For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
 8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
-9. When you're done adding all the settings, on the **File** menu, click **Save**.
+9. When you're done adding all the settings, on the **File** menu, select **Save**.
 10. Export and build the package (steps 10-13 in the procedure above).
 11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
 12. Apply the package to your devices.
 
 ## Apply a provisioning package
 
-Here's the list of topics about applying a provisioning package:
+Here's the list of articles about applying a provisioning package:
 
--   [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
--   [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
--   [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
+-   [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package)
+-   [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image)
+-   [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below
 
 ## Apply a package from the Settings menu
 
 1.  Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
-2.  Click **Add or remove a provisioning package**.
-3.  Click **Add a package**.
+2.  Select **Add or remove a provisioning package**.
+3.  Select **Add a package**.
 
 ## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
 
 1.  Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
-2.  Click **Add or remove a provisioning package**.
+2.  Select **Add or remove a provisioning package**.
     You should see your package listed.
 
-## Retry logic in case of a failure
+## Retry logic if there's a failure
 
 If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
 
@@ -155,9 +155,9 @@ It will also retry to apply the provisioning each time it's launched, if started
 
 In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
 
-## Other provisioning topics
+## Other provisioning articles
 
-Here are links to step-by-step provisioning topics in Technet.
+Here are links to step-by-step provisioning articles:
 
 -   [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
 -   [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index 9ea52d92fc..2f5129ba9b 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index 692158038e..8b44256d9e 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -1,15 +1,15 @@
 ---
 title: Certificate Renewal
 description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-MS-HAID:
+MS-HAID: 
   - 'p\_phdevicemgmt.certificate\_renewal'
   - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index 7a16f17f4d..d3410f5068 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -1,7 +1,7 @@
 ---
 title: Windows 10 default media removal policy
 description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 11/25/2020
@@ -13,6 +13,7 @@ ms.custom:
 audience: ITPro
 ms.localizationpriority: medium
 manager: kaushika
+ms.technology: itpro-manage
 ---
 
 # Change in default removal policy for external storage media in Windows 10, version 1809
diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md
index 3d5f9da9d8..899c2dc399 100644
--- a/windows/client-management/change-history-for-mdm-documentation.md
+++ b/windows/client-management/change-history-for-mdm-documentation.md
@@ -3,11 +3,11 @@ title: Change history for MDM documentation
 description: This article lists new and updated articles for Mobile Device Management.
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 ms.localizationpriority: medium
 ms.date: 11/06/2020
 ---
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 8f6d53b7b7..04d9be81f2 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -4,8 +4,8 @@ description: A secured-core PC (SCPC) feature that prevents configuration drift
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 05/24/2022
 ---
@@ -38,10 +38,10 @@ Config lock will be available for all Windows Professional and Enterprise Editio
 
 Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.
 
-The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
+The steps to turn on config lock using Microsoft Intune are as follows:
 
 1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
-1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**.
 1. Select the following and press **Create**:
     - **Platform**: Windows 10 and later
     - **Profile type**: Templates
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 50338f7ae8..18fb8a5311 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -1,7 +1,7 @@
 ---
 title: Connect to remote Azure Active Directory-joined PC (Windows)
 description: You can use Remote Desktop Connection to connect to an Azure AD-joined PC.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.author: vinpa
@@ -10,6 +10,7 @@ ms.reviewer:
 manager: aaroncz
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-manage
 ---
 
 # Connect to remote Azure Active Directory-joined PC
diff --git a/windows/client-management/data-structures-windows-store-for-business.md b/windows/client-management/data-structures-windows-store-for-business.md
index e39e9c9e12..b0f8d8a0f9 100644
--- a/windows/client-management/data-structures-windows-store-for-business.md
+++ b/windows/client-management/data-structures-windows-store-for-business.md
@@ -8,8 +8,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index e63e9da775..4964a3969d 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -1,12 +1,12 @@
 ---
 title: Mobile device management MDM for device updates
 description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/15/2017
 ms.collection: highpri
diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md
index 68e7e7b72b..67b61ceb3c 100644
--- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md
@@ -1,12 +1,12 @@
 ---
 title: Diagnose MDM failures in Windows 10
 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/25/2018
 ms.collection: highpri
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 31fbaa5aa9..371357b658 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -8,8 +8,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 21740e86df..8c038b6c43 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -36,7 +36,7 @@
       "recommendations": true,
       "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
       "uhfHeaderId": "MSDocsHeader-M365-IT",
-      "ms.technology": "windows",
+      "ms.technology": "itpro-manage",
       "audience": "ITPro",
       "ms.topic": "article",
       "manager": "dansimp",
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index f90ba236e4..ce77a2e025 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -3,8 +3,8 @@ title: Enable ADMX policies in MDM
 description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 11/01/2017
@@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
 
    2. Find the variable names of the parameters in the ADMX file.
 
-      You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
+      You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2).
 
       ![Publishing server 2 policy description.](images/admx-appv-policy-description.png)
 
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index 77ead2bc40..a27bb4a05a 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -3,8 +3,8 @@ title: Enroll a Windows 10 device automatically using Group Policy
 description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 04/30/2022
 ms.reviewer: 
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 146e8c5529..6646d4df78 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -1,12 +1,12 @@
 ---
 title: Enterprise app management
 description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/04/2021
 ---
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index cdc60b2936..be730b8fd9 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -1,11 +1,12 @@
 ---
 title: eSIM Enterprise Management
 description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.author: vinpa
 ms.topic: conceptual
+ms.technology: itpro-manage
 ---
 
 # How Mobile Device Management Providers support eSIM Management on Windows
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index d0e4cb46c1..a50c18383c 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/28/2017
 ---
diff --git a/windows/client-management/get-inventory.md b/windows/client-management/get-inventory.md
index 2aa1418ebf..96913de900 100644
--- a/windows/client-management/get-inventory.md
+++ b/windows/client-management/get-inventory.md
@@ -8,8 +8,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/get-localized-product-details.md b/windows/client-management/get-localized-product-details.md
index 373bebf5d7..48fe49a501 100644
--- a/windows/client-management/get-localized-product-details.md
+++ b/windows/client-management/get-localized-product-details.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/07/2020
 ---
diff --git a/windows/client-management/get-offline-license.md b/windows/client-management/get-offline-license.md
index 8960d7a7eb..160424bf6b 100644
--- a/windows/client-management/get-offline-license.md
+++ b/windows/client-management/get-offline-license.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/get-product-details.md b/windows/client-management/get-product-details.md
index 14b0e24af9..54d824ba07 100644
--- a/windows/client-management/get-product-details.md
+++ b/windows/client-management/get-product-details.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/get-product-package.md b/windows/client-management/get-product-package.md
index 2fa11f65b3..9dc16fb5c3 100644
--- a/windows/client-management/get-product-package.md
+++ b/windows/client-management/get-product-package.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/get-product-packages.md b/windows/client-management/get-product-packages.md
index 4312842783..cf9e34fcda 100644
--- a/windows/client-management/get-product-packages.md
+++ b/windows/client-management/get-product-packages.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/get-seat.md b/windows/client-management/get-seat.md
index 66b6b7340f..2c46b03f7a 100644
--- a/windows/client-management/get-seat.md
+++ b/windows/client-management/get-seat.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/get-seats-assigned-to-a-user.md b/windows/client-management/get-seats-assigned-to-a-user.md
index 27a30678ae..b029f4e2da 100644
--- a/windows/client-management/get-seats-assigned-to-a-user.md
+++ b/windows/client-management/get-seats-assigned-to-a-user.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/get-seats.md b/windows/client-management/get-seats.md
index 333d467ee8..50e1920ffc 100644
--- a/windows/client-management/get-seats.md
+++ b/windows/client-management/get-seats.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
index 44304f2950..3f1e0ef47a 100644
--- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
@@ -1,7 +1,7 @@
 ---
 title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
 description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/14/2021
@@ -9,6 +9,7 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: troubleshooting
+ms.technology: itpro-manage
 ---
 
 # Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index 84db62f27f..88f302cdce 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -3,11 +3,11 @@ title: Support for mobile application management on Windows
 description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/03/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 7fdf68a9fa..ff469792d0 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -6,12 +6,10 @@ summary: Find out how to apply custom configurations to Windows client devices.
 metadata:
   title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
-  services: windows-10
-  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.subservice: subservice
-  ms.topic: landing-page # Required
+  ms.topic: landing-page
+  ms.prod: windows-client
+  ms.technology: itpro-manage
   ms.collection:
-    - windows-10
     - highpri
   author: aczechowski
   ms.author: aaroncz
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index d3f9eb80c2..1ed28e0f9b 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -5,11 +5,12 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 keywords: [MDM, device management]
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/14/2021
 ms.topic: article
+ms.technology: itpro-manage
 ---
 
 # Manage corporate devices
@@ -37,7 +38,7 @@ You can use the same management tools to manage all device types running Windows
 
 ## Learn more
 
-[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
+[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
 
 [Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
 
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index a78fb7d156..6f1cf2860e 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -1,13 +1,14 @@
 ---
 title: Manage Device Installation with Group Policy (Windows 10 and Windows 11)
 description: Find out how to manage Device Installation Restrictions with Group Policy.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.date: 09/14/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
+ms.technology: itpro-manage
 ---
 
 # Manage Device Installation with Group Policy
@@ -214,7 +215,7 @@ Some of these policies take precedence over other policies. The flowchart shown
 
 ### General
 
-To complete each of the scenarios, ensure your have:
+To complete each of the scenarios, ensure you have:
 
 - A client computer running Windows.
 
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index d78eac22f8..0bb88c2d24 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -1,13 +1,14 @@
 ---
 title: Manage the Settings app with Group Policy (Windows 10 and Windows 11)
 description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.date: 09/14/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
+ms.technology: itpro-manage
 ---
 
 # Manage the Settings app with Group Policy
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 852166b3b1..466a326260 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -1,23 +1,24 @@
 ---
 title: Manage Windows 10 in your organization - transitioning to modern management
 description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.date: 06/03/2022
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.topic: overview
+ms.technology: itpro-manage
 ---
 
 # Manage Windows 10 in your organization - transitioning to modern management
 
 Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
 
-Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
+Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. This downgrade may appear to save costs due to standardization. But, you typically save more if you don't downgrade, and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
 
-Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
 
 This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
 
@@ -114,7 +115,7 @@ MDM with Intune provide tools for applying Windows updates to client computers i
 
 There are various steps you can take to begin the process of modernizing device management in your organization:
 
-**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
+**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Intune](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune.
 
 **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
 
diff --git a/windows/client-management/management-tool-for-windows-store-for-business.md b/windows/client-management/management-tool-for-windows-store-for-business.md
index e67b40bb24..b970a8175f 100644
--- a/windows/client-management/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/management-tool-for-windows-store-for-business.md
@@ -8,8 +8,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/27/2017
 ---
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index cbf11a9442..7cf55e0587 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -1,7 +1,7 @@
 ---
 title: Create mandatory user profiles (Windows 10 and Windows 11)
 description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 09/14/2021
@@ -9,6 +9,7 @@ ms.reviewer:
 manager: aaroncz
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-manage
 ---
 
 # Create mandatory user profiles
@@ -79,7 +80,7 @@ First, you create a default user profile with the customizations that you want,
    >
    > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
 
-1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
+1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the setup, and then sign in to the computer using an account that has local administrator privileges.
 
 1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
 
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index d8748f2ee6..368defcb39 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -8,8 +8,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.collection: highpri
 ---
@@ -255,7 +255,7 @@ There are a few instances where your device may not be able to connect to work.
 |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
 | Your device is already connected to your organization’s cloud.                                                                                                                             | Your device is already connected to either Azure AD, a work or school account, or an AD domain.     |
 | We couldn't find your identity in your organization’s cloud.                                                                                                                              | The username you entered wasn't found on your Azure AD tenant.                                     |
-| Your device is already being managed by an organization.                                                                                                                                   | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager.                |
+| Your device is already being managed by an organization.                                                                                                                                   | Your device is either already managed by MDM or Microsoft Configuration Manager.                |
 | You don’t have the right privileges to perform this operation. Talk to your admin.                                                                                                  | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
 | We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered.  |
 
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index bde99823e0..8c630a325a 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -2,9 +2,9 @@
 title: Mobile Device Management overview
 description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
 ms.date: 08/04/2022
-ms.technology: windows
+ms.technology: itpro-manage
 ms.topic: article
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 1fad640142..f50369aa36 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,12 +1,12 @@
 ---
 title: Language Pack Management CSP
 description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/22/2021
 ---
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 2f4b862917..c79bf9d6b9 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -3,11 +3,11 @@ title: AccountManagement CSP
 description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index 574ffb3f9c..f621db9654 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -3,11 +3,11 @@ title: AccountManagement DDF file
 description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 4652e369d2..0bacf6f8d2 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -3,11 +3,11 @@ title: Accounts CSP
 description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/27/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -73,13 +73,13 @@ This node specifies the username for a new local user account. This setting can
 This node specifies the password for a new local user account. This setting can be managed remotely.
 
 Supported operation is Add.
-GET operation isn't supported.  This setting will report as failed when deployed from the Endpoint Manager.
+GET operation isn't supported.  This setting will report as failed when deployed from Intune.
 
 <a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**
 This optional node specifies the local user group that a local user account should be joined to.  If the node isn't set, the new local user account is joined just to the Standard Users group.  Set the value to 2 for Administrators group. This setting can be managed remotely.
 
 Supported operation is Add.
 
-## Related topics
+## Related articles
 
 [Configuration service provider reference](index.yml)
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index 857fa1941e..afd14959c5 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -3,11 +3,11 @@ title: Accounts DDF file
 description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 04/17/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index c696e1c149..5fe3530eca 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -1,12 +1,12 @@
 ---
 title: ActiveSync CSP
 description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index f262c0f82b..0bf7e5329b 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: ActiveSync DDF file
 description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index d5a192201a..d123dc8037 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -1,12 +1,12 @@
 ---
 title: AllJoynManagement CSP
 description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index 50808f780e..f5a886a028 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: AllJoynManagement DDF
 description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index 534477045d..03d9b18055 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -1,12 +1,12 @@
 ---
 title: APPLICATION CSP
 description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
index fccbf5a409..749f34bf9b 100644
--- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md
+++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md
@@ -3,8 +3,8 @@ title: ApplicationControl CSP DDF
 description: View the OMA DM device description framework (DDF) for the ApplicationControl configuration service provider. DDF files are used only with OMA DM provisioning XML.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/10/2019
 ---
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index fbfd3ea62f..58e6ece757 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -3,8 +3,8 @@ title: ApplicationControl CSP
 description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.reviewer: jsuther1974
 ms.date: 09/10/2020
@@ -25,7 +25,7 @@ The table below shows the applicability of Windows:
 
 Windows Defender Application Control (WDAC) policies can be managed from an MDM server, or locally by using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently doesn't schedule a reboot.
 
-Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although, WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
+Existing Windows Defender Application Control (WDAC) policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment using the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
 
 The following example shows the ApplicationControl CSP in tree format.
 
@@ -150,9 +150,9 @@ Scope is dynamic. Supported operation is Get.
 
 Value type is char.
 
-## Microsoft Endpoint Manager Intune Usage Guidance
+## Microsoft Intune Usage Guidance
 
-For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
+For customers using Intune standalone or hybrid management with Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
 
 ## Generic MDM Server Usage Guidance
 
@@ -329,6 +329,6 @@ New-CimInstance -Namespace $namespace -ClassName $policyClassName -Property @{Pa
 Get-CimInstance -Namespace $namespace -ClassName $policyClassName
 ```
 
-## Related topics
+## Related articles
 
 [Configuration service provider reference](index.yml)
\ No newline at end of file
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 7b723a1a61..a21b6f8223 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,12 +1,12 @@
 ---
 title: AppLocker CSP
 description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/19/2019
 ---
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index b0fe07ddc8..d0e4446e1c 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: AppLocker DDF file
 description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md
index a49de5a7aa..9daa087800 100644
--- a/windows/client-management/mdm/applocker-xsd.md
+++ b/windows/client-management/mdm/applocker-xsd.md
@@ -1,12 +1,12 @@
 ---
 title: AppLocker XSD
 description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 788379dddb..cc8530ec85 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -1,12 +1,12 @@
 ---
 title: AssignedAccess CSP
 description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 05/03/2022
 ---
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index 9bfd832c7c..4e49481095 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: AssignedAccess DDF
 description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 02/22/2018
 ---
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 81943c2b4e..7974e3a245 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -3,14 +3,13 @@ title: BitLocker CSP
 description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 02/04/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
-ms.collection: highpri
 ---
 
 # BitLocker CSP
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 76982b7918..5c397b3bce 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -3,12 +3,12 @@ title: BitLocker DDF file
 description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/30/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index 5502b5db31..f64cf2be86 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -1,12 +1,12 @@
 ---
 title: CellularSettings CSP
 description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 16ba0d5338..7f9a4ba349 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -1,12 +1,12 @@
 ---
 title: CertificateStore CSP
 description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 02/28/2020
 ---
diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md
index f24438d464..638bdd1748 100644
--- a/windows/client-management/mdm/certificatestore-ddf-file.md
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: CertificateStore DDF file
 description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md
index 2d45bfb0be..4252fc2469 100644
--- a/windows/client-management/mdm/cleanpc-csp.md
+++ b/windows/client-management/mdm/cleanpc-csp.md
@@ -3,11 +3,11 @@ title: CleanPC CSP
 description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md
index 3c1dc09f96..b9905656b8 100644
--- a/windows/client-management/mdm/cleanpc-ddf.md
+++ b/windows/client-management/mdm/cleanpc-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: CleanPC DDF
 description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index caba758dda..c1574476c9 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,12 +1,12 @@
 ---
 title: ClientCertificateInstall CSP
 description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/30/2021
 ---
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index b2c5d92dd8..8d8a117d95 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: ClientCertificateInstall DDF file
 description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index dec02671ea..bc1967ab1b 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,12 +1,12 @@
 ---
 title: CM\_CellularEntries CSP
 description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/02/2017
 ---
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index 26f88a1e32..e8cd768732 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -1,12 +1,12 @@
 ---
 title: CMPolicy CSP
 description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index 899a3779e8..55ae5b8083 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -1,12 +1,12 @@
 ---
 title: CMPolicyEnterprise CSP
 description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
index 0b07180698..35f1e9f495 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: CMPolicyEnterprise DDF file
 description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index 12b60500aa..4a903492c4 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: Configuration service provider DDF files
 description: Learn more about the OMA DM device description framework (DDF) for various configuration service providers
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
 ms.collection: highpri
diff --git a/windows/client-management/mdm/configuration-service-provider-support.md b/windows/client-management/mdm/configuration-service-provider-support.md
index e6000e0976..4afed5993c 100644
--- a/windows/client-management/mdm/configuration-service-provider-support.md
+++ b/windows/client-management/mdm/configuration-service-provider-support.md
@@ -1,12 +1,12 @@
 ---
 title: Configuration service provider support
 description: Learn more about configuration service provider (CSP) supported scenarios.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
 ms.collection: highpri
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 53b1ab435d..1731f78223 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -1,12 +1,12 @@
 ---
 title: CustomDeviceUI CSP
 description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md
index e77372750e..1c2b2eb1e0 100644
--- a/windows/client-management/mdm/customdeviceui-ddf.md
+++ b/windows/client-management/mdm/customdeviceui-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: CustomDeviceUI DDF
 description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index c95bb5bc44..dd6034f807 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,445 +1,3100 @@
 ---
 title: Defender CSP
-description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
-ms.reviewer:
+description: Learn more about the Defender CSP
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: vinaypamnani-msft
+ms.date: 11/02/2022
 ms.localizationpriority: medium
-ms.date: 02/22/2022
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- Defender-Begin -->
 # Defender CSP
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- Defender-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Defender-Editable-End -->
 
-> [!WARNING]
-> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+<!-- Defender-Tree-Begin -->
+The following example shows the Defender configuration service provider in tree format.
 
-The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
-
-The following example shows the Windows Defender configuration service provider in tree format.
+```text
+./Device/Vendor/MSFT/Defender
+--- Configuration
+------ AllowDatagramProcessingOnWinServer
+------ AllowNetworkProtectionDownLevel
+------ AllowNetworkProtectionOnWinServer
+------ ASROnlyPerRuleExclusions
+------ DataDuplicationDirectory
+------ DataDuplicationRemoteLocation
+------ DefaultEnforcement
+------ DeviceControl
+--------- PolicyGroups
+------------ {GroupId}
+--------------- GroupData
+--------- PolicyRules
+------------ {RuleId}
+--------------- RuleData
+------ DeviceControlEnabled
+------ DisableCpuThrottleOnIdleScans
+------ DisableDnsOverTcpParsing
+------ DisableDnsParsing
+------ DisableFtpParsing
+------ DisableGradualRelease
+------ DisableHttpParsing
+------ DisableInboundConnectionFiltering
+------ DisableLocalAdminMerge
+------ DisableNetworkProtectionPerfTelemetry
+------ DisableRdpParsing
+------ DisableSshParsing
+------ DisableTlsParsing
+------ EnableDnsSinkhole
+------ EnableFileHashComputation
+------ EngineUpdatesChannel
+------ ExcludedIpAddresses
+------ HideExclusionsFromLocalAdmins
+------ MeteredConnectionUpdates
+------ PassiveRemediation
+------ PauseUpdateExpirationTime
+------ PauseUpdateFlag
+------ PauseUpdateStartTime
+------ PlatformUpdatesChannel
+------ SchedulerRandomizationTime
+------ SecurityIntelligenceUpdatesChannel
+------ SupportLogLocation
+------ TamperProtection
+------ TDTFeatureEnabled
+------ ThrottleForScheduledScanOnly
+--- Detections
+------ {ThreatId}
+--------- Category
+--------- CurrentStatus
+--------- ExecutionStatus
+--------- InitialDetectionTime
+--------- LastThreatStatusChangeTime
+--------- Name
+--------- NumberOfDetections
+--------- Severity
+--------- URL
+--- Health
+------ ComputerState
+------ DefenderEnabled
+------ DefenderVersion
+------ EngineVersion
+------ FullScanOverdue
+------ FullScanRequired
+------ FullScanSigVersion
+------ FullScanTime
+------ IsVirtualMachine
+------ NisEnabled
+------ ProductStatus
+------ QuickScanOverdue
+------ QuickScanSigVersion
+------ QuickScanTime
+------ RebootRequired
+------ RtpEnabled
+------ SignatureOutOfDate
+------ SignatureVersion
+------ TamperProtectionEnabled
+--- OfflineScan
+--- RollbackEngine
+--- RollbackPlatform
+--- Scan
+--- UpdateSignature
 ```
-./Vendor/MSFT
-Defender
-----Detections
---------ThreatId
-------------Name
-------------URL
-------------Severity
-------------Category
-------------CurrentStatus
-------------ExecutionStatus
-------------InitialDetectionTime
-------------LastThreatStatusChangeTime
-------------NumberOfDetections
-----EnableNetworkProtection
---------AllowNetworkProtectionDownLevel
---------AllowNetworkProtectionOnWinServer
---------DisableNetworkProtectionPerfTelemetry
---------DisableDatagramProcessing
---------DisableInboundConnectionFiltering
---------EnableDnsSinkhole
---------DisableDnsOverTcpParsing
---------DisableHttpParsing
---------DisableRdpParsing
---------DisableSshParsing
---------DisableTlsParsing
-----Health
---------ProductStatus (Added in Windows 10 version 1809)
---------ComputerState
---------DefenderEnabled
---------RtpEnabled
---------NisEnabled
---------QuickScanOverdue
---------FullScanOverdue
---------SignatureOutOfDate
---------RebootRequired
---------FullScanRequired
---------EngineVersion
---------SignatureVersion
---------DefenderVersion
---------QuickScanTime
---------FullScanTime
---------QuickScanSigVersion
---------FullScanSigVersion
---------TamperProtectionEnabled (Added in Windows 10, version 1903)
---------IsVirtualMachine (Added in Windows 10, version 1903)
-----Configuration (Added in Windows 10, version 1903)
---------TamperProtection (Added in Windows 10, version 1903)
---------EnableFileHashComputation (Added in Windows 10, version 1903)
---------SupportLogLocation (Added in the next major release of Windows 10)
---------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
---------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
---------SecurityIntelligenceUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
---------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release)
---------PassiveRemediation (Added with the 4.18.2202.X Defender platform release)
-----Scan
-----UpdateSignature
-----OfflineScan (Added in Windows 10 version 1803)
+<!-- Defender-Tree-End -->
+
+<!-- Device-Configuration-Begin -->
+## Configuration
+
+<!-- Device-Configuration-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- Device-Configuration-Applicability-End -->
+
+<!-- Device-Configuration-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration
 ```
-<a href="" id="detections"></a>**Detections**
+<!-- Device-Configuration-OmaUri-End -->
+
+<!-- Device-Configuration-Description-Begin -->
+An interior node to group Windows Defender configuration information.
+<!-- Device-Configuration-Description-End -->
+
+<!-- Device-Configuration-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-Editable-End -->
+
+<!-- Device-Configuration-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Configuration-DFProperties-End -->
+
+<!-- Device-Configuration-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-Examples-End -->
+
+<!-- Device-Configuration-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Begin -->
+### Configuration/AllowDatagramProcessingOnWinServer
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Applicability-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/AllowDatagramProcessingOnWinServer
+```
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-OmaUri-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Description-Begin -->
+This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection.
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Description-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Editable-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-DFProperties-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Datagram processing on Windows Server is enabled. |
+| 0 | Datagram processing on Windows Server is disabled. |
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-AllowedValues-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-Examples-End -->
+
+<!-- Device-Configuration-AllowDatagramProcessingOnWinServer-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Begin -->
+### Configuration/AllowNetworkProtectionDownLevel
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Applicability-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionDownLevel
+```
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-OmaUri-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Description-Begin -->
+This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored.
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Description-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Editable-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-DFProperties-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Network protection will be enabled downlevel. |
+| 0 | Network protection will be disabled downlevel. |
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-AllowedValues-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-Examples-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionDownLevel-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Begin -->
+### Configuration/AllowNetworkProtectionOnWinServer
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Applicability-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/AllowNetworkProtectionOnWinServer
+```
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-OmaUri-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Description-Begin -->
+This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Description-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Editable-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-DFProperties-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Allow |
+| 0 | Disallow |
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-AllowedValues-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-Examples-End -->
+
+<!-- Device-Configuration-AllowNetworkProtectionOnWinServer-End -->
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Begin -->
+### Configuration/ASROnlyPerRuleExclusions
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Applicability-End -->
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/ASROnlyPerRuleExclusions
+```
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-OmaUri-End -->
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Description-Begin -->
+Apply ASR only per rule exclusions.
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Description-End -->
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Editable-End -->
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-DFProperties-End -->
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-Examples-End -->
+
+<!-- Device-Configuration-ASROnlyPerRuleExclusions-End -->
+
+<!-- Device-Configuration-DataDuplicationDirectory-Begin -->
+### Configuration/DataDuplicationDirectory
+
+<!-- Device-Configuration-DataDuplicationDirectory-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DataDuplicationDirectory-Applicability-End -->
+
+<!-- Device-Configuration-DataDuplicationDirectory-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationDirectory
+```
+<!-- Device-Configuration-DataDuplicationDirectory-OmaUri-End -->
+
+<!-- Device-Configuration-DataDuplicationDirectory-Description-Begin -->
+Define data duplication directory for device control.
+<!-- Device-Configuration-DataDuplicationDirectory-Description-End -->
+
+<!-- Device-Configuration-DataDuplicationDirectory-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DataDuplicationDirectory-Editable-End -->
+
+<!-- Device-Configuration-DataDuplicationDirectory-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DataDuplicationDirectory-DFProperties-End -->
+
+<!-- Device-Configuration-DataDuplicationDirectory-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DataDuplicationDirectory-Examples-End -->
+
+<!-- Device-Configuration-DataDuplicationDirectory-End -->
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Begin -->
+### Configuration/DataDuplicationRemoteLocation
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Applicability-End -->
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation
+```
+<!-- Device-Configuration-DataDuplicationRemoteLocation-OmaUri-End -->
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Description-Begin -->
+Define data duplication remote location for device control.
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Description-End -->
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Editable-End -->
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DataDuplicationRemoteLocation-DFProperties-End -->
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DataDuplicationRemoteLocation-Examples-End -->
+
+<!-- Device-Configuration-DataDuplicationRemoteLocation-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-Begin -->
+### Configuration/DefaultEnforcement
+
+<!-- Device-Configuration-DefaultEnforcement-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DefaultEnforcement-Applicability-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DefaultEnforcement
+```
+<!-- Device-Configuration-DefaultEnforcement-OmaUri-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-Description-Begin -->
+Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched.
+<!-- Device-Configuration-DefaultEnforcement-Description-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DefaultEnforcement-Editable-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DefaultEnforcement-DFProperties-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Default Allow Enforcement |
+| 2 | Default Deny Enforcement |
+<!-- Device-Configuration-DefaultEnforcement-AllowedValues-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DefaultEnforcement-Examples-End -->
+
+<!-- Device-Configuration-DefaultEnforcement-End -->
+
+<!-- Device-Configuration-DeviceControl-Begin -->
+### Configuration/DeviceControl
+
+<!-- Device-Configuration-DeviceControl-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControl-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControl-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControl
+```
+<!-- Device-Configuration-DeviceControl-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControl-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Device-Configuration-DeviceControl-Description-End -->
+
+<!-- Device-Configuration-DeviceControl-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-Editable-End -->
+
+<!-- Device-Configuration-DeviceControl-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Configuration-DeviceControl-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControl-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-Examples-End -->
+
+<!-- Device-Configuration-DeviceControl-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Begin -->
+#### Configuration/DeviceControl/PolicyGroups
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups
+```
+<!-- Device-Configuration-DeviceControl-PolicyGroups-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Description-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Editable-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Configuration-DeviceControl-PolicyGroups-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-Examples-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Begin -->
+##### Configuration/DeviceControl/PolicyGroups/{GroupId}
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId}
+```
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Description-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Editable-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-Examples-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Begin -->
+###### Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/{GroupId}/GroupData
+```
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Description-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Editable-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-Examples-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyGroups-{GroupId}-GroupData-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-Begin -->
+#### Configuration/DeviceControl/PolicyRules
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControl-PolicyRules-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules
+```
+<!-- Device-Configuration-DeviceControl-PolicyRules-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-Description-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-Editable-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Configuration-DeviceControl-PolicyRules-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-Examples-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Begin -->
+##### Configuration/DeviceControl/PolicyRules/{RuleId}
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId}
+```
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Description-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Editable-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-Examples-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Begin -->
+###### Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/{RuleId}/RuleData
+```
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Description-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Editable-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-Examples-End -->
+
+<!-- Device-Configuration-DeviceControl-PolicyRules-{RuleId}-RuleData-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-Begin -->
+### Configuration/DeviceControlEnabled
+
+<!-- Device-Configuration-DeviceControlEnabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-DeviceControlEnabled-Applicability-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DeviceControlEnabled
+```
+<!-- Device-Configuration-DeviceControlEnabled-OmaUri-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-Description-Begin -->
+Control Device Control feature.
+<!-- Device-Configuration-DeviceControlEnabled-Description-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControlEnabled-Editable-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DeviceControlEnabled-DFProperties-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 |  |
+| 0 |  |
+<!-- Device-Configuration-DeviceControlEnabled-AllowedValues-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DeviceControlEnabled-Examples-End -->
+
+<!-- Device-Configuration-DeviceControlEnabled-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Begin -->
+### Configuration/DisableCpuThrottleOnIdleScans
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Applicability-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableCpuThrottleOnIdleScans
+```
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-OmaUri-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Description-Begin -->
+Indicates whether the CPU will be throttled for scheduled scans while the device is idle.  This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Description-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Editable-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-DFProperties-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Disable CPU Throttle on idle scans |
+| 0 | Enable CPU Throttle on idle scans |
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-Examples-End -->
+
+<!-- Device-Configuration-DisableCpuThrottleOnIdleScans-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Begin -->
+### Configuration/DisableDnsOverTcpParsing
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableDnsOverTcpParsing
+```
+<!-- Device-Configuration-DisableDnsOverTcpParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Description-Begin -->
+This setting disables DNS over TCP Parsing for Network Protection.
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Description-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-DisableDnsOverTcpParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | DNS over TCP parsing is disabled |
+| 0 (Default) | DNS over TCP parsing is enabled |
+<!-- Device-Configuration-DisableDnsOverTcpParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableDnsOverTcpParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableDnsOverTcpParsing-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-Begin -->
+### Configuration/DisableDnsParsing
+
+<!-- Device-Configuration-DisableDnsParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableDnsParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableDnsParsing
+```
+<!-- Device-Configuration-DisableDnsParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-Description-Begin -->
+This setting disables DNS Parsing for Network Protection.
+<!-- Device-Configuration-DisableDnsParsing-Description-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableDnsParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-DisableDnsParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | DNS parsing is disabled |
+| 0 (Default) | DNS parsing is enabled |
+<!-- Device-Configuration-DisableDnsParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableDnsParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableDnsParsing-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-Begin -->
+### Configuration/DisableFtpParsing
+
+<!-- Device-Configuration-DisableFtpParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableFtpParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableFtpParsing
+```
+<!-- Device-Configuration-DisableFtpParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-Description-Begin -->
+This setting disables FTP Parsing for Network Protection.
+<!-- Device-Configuration-DisableFtpParsing-Description-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableFtpParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-DisableFtpParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | FTP parsing is disabled |
+| 0 (Default) | FTP parsing is enabled |
+<!-- Device-Configuration-DisableFtpParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableFtpParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableFtpParsing-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-Begin -->
+### Configuration/DisableGradualRelease
+
+<!-- Device-Configuration-DisableGradualRelease-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableGradualRelease-Applicability-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableGradualRelease
+```
+<!-- Device-Configuration-DisableGradualRelease-OmaUri-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-Description-Begin -->
+Enable this policy to disable gradual rollout of Defender updates.
+<!-- Device-Configuration-DisableGradualRelease-Description-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableGradualRelease-Editable-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DisableGradualRelease-DFProperties-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Gradual release is disabled |
+| 0 | Gradual release is enabled |
+<!-- Device-Configuration-DisableGradualRelease-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableGradualRelease-Examples-End -->
+
+<!-- Device-Configuration-DisableGradualRelease-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-Begin -->
+### Configuration/DisableHttpParsing
+
+<!-- Device-Configuration-DisableHttpParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableHttpParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableHttpParsing
+```
+<!-- Device-Configuration-DisableHttpParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-Description-Begin -->
+This setting disables HTTP Parsing for Network Protection.
+<!-- Device-Configuration-DisableHttpParsing-Description-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableHttpParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-DisableHttpParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | HTTP parsing is disabled |
+| 0 (Default) | HTTP parsing is enabled |
+<!-- Device-Configuration-DisableHttpParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableHttpParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableHttpParsing-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Begin -->
+### Configuration/DisableInboundConnectionFiltering
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Applicability-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableInboundConnectionFiltering
+```
+<!-- Device-Configuration-DisableInboundConnectionFiltering-OmaUri-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Description-Begin -->
+This setting disables Inbound connection filtering for Network Protection.
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Description-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Editable-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DisableInboundConnectionFiltering-DFProperties-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Inbound connection filtering is disabled |
+| 0 | Inbound connection filtering is enabled |
+<!-- Device-Configuration-DisableInboundConnectionFiltering-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableInboundConnectionFiltering-Examples-End -->
+
+<!-- Device-Configuration-DisableInboundConnectionFiltering-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-Begin -->
+### Configuration/DisableLocalAdminMerge
+
+<!-- Device-Configuration-DisableLocalAdminMerge-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableLocalAdminMerge-Applicability-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableLocalAdminMerge
+```
+<!-- Device-Configuration-DisableLocalAdminMerge-OmaUri-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-Description-Begin -->
+When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings
+<!-- Device-Configuration-DisableLocalAdminMerge-Description-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableLocalAdminMerge-Editable-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DisableLocalAdminMerge-DFProperties-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Disable Local Admin Merge |
+| 0 | Enable Local Admin Merge |
+<!-- Device-Configuration-DisableLocalAdminMerge-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableLocalAdminMerge-Examples-End -->
+
+<!-- Device-Configuration-DisableLocalAdminMerge-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Begin -->
+### Configuration/DisableNetworkProtectionPerfTelemetry
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Applicability-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableNetworkProtectionPerfTelemetry
+```
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-OmaUri-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Description-Begin -->
+This setting disables the gathering and send of performance telemetry from Network Protection.
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Description-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Editable-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-DFProperties-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Network protection telemetry is disabled |
+| 0 | Network protection telemetry is enabled |
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-Examples-End -->
+
+<!-- Device-Configuration-DisableNetworkProtectionPerfTelemetry-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-Begin -->
+### Configuration/DisableRdpParsing
+
+<!-- Device-Configuration-DisableRdpParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableRdpParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableRdpParsing
+```
+<!-- Device-Configuration-DisableRdpParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-Description-Begin -->
+This setting disables RDP Parsing for Network Protection.
+<!-- Device-Configuration-DisableRdpParsing-Description-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableRdpParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-DisableRdpParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | RDP Parsing is disabled |
+| 0 | RDP Parsing is enabled |
+<!-- Device-Configuration-DisableRdpParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableRdpParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableRdpParsing-End -->
+
+<!-- Device-Configuration-DisableSshParsing-Begin -->
+### Configuration/DisableSshParsing
+
+<!-- Device-Configuration-DisableSshParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableSshParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableSshParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableSshParsing
+```
+<!-- Device-Configuration-DisableSshParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableSshParsing-Description-Begin -->
+This setting disables SSH Parsing for Network Protection.
+<!-- Device-Configuration-DisableSshParsing-Description-End -->
+
+<!-- Device-Configuration-DisableSshParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableSshParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableSshParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-DisableSshParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableSshParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | SSH parsing is disabled |
+| 0 (Default) | SSH parsing is enabled |
+<!-- Device-Configuration-DisableSshParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableSshParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableSshParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableSshParsing-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-Begin -->
+### Configuration/DisableTlsParsing
+
+<!-- Device-Configuration-DisableTlsParsing-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-DisableTlsParsing-Applicability-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/DisableTlsParsing
+```
+<!-- Device-Configuration-DisableTlsParsing-OmaUri-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-Description-Begin -->
+This setting disables TLS Parsing for Network Protection.
+<!-- Device-Configuration-DisableTlsParsing-Description-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableTlsParsing-Editable-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-DisableTlsParsing-DFProperties-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | TLS parsing is disabled |
+| 0 (Default) | TLS parsing is enabled |
+<!-- Device-Configuration-DisableTlsParsing-AllowedValues-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-DisableTlsParsing-Examples-End -->
+
+<!-- Device-Configuration-DisableTlsParsing-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-Begin -->
+### Configuration/EnableDnsSinkhole
+
+<!-- Device-Configuration-EnableDnsSinkhole-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-EnableDnsSinkhole-Applicability-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/EnableDnsSinkhole
+```
+<!-- Device-Configuration-EnableDnsSinkhole-OmaUri-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-Description-Begin -->
+This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode.
+<!-- Device-Configuration-EnableDnsSinkhole-Description-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-EnableDnsSinkhole-Editable-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-EnableDnsSinkhole-DFProperties-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | DNS Sinkhole is disabled |
+| 0 | DNS Sinkhole is enabled |
+<!-- Device-Configuration-EnableDnsSinkhole-AllowedValues-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-EnableDnsSinkhole-Examples-End -->
+
+<!-- Device-Configuration-EnableDnsSinkhole-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-Begin -->
+### Configuration/EnableFileHashComputation
+
+<!-- Device-Configuration-EnableFileHashComputation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- Device-Configuration-EnableFileHashComputation-Applicability-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/EnableFileHashComputation
+```
+<!-- Device-Configuration-EnableFileHashComputation-OmaUri-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-Description-Begin -->
+Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans.
+<!-- Device-Configuration-EnableFileHashComputation-Description-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-EnableFileHashComputation-Editable-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-EnableFileHashComputation-DFProperties-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disable |
+| 1 | Enable |
+<!-- Device-Configuration-EnableFileHashComputation-AllowedValues-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-EnableFileHashComputation-Examples-End -->
+
+<!-- Device-Configuration-EnableFileHashComputation-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-Begin -->
+### Configuration/EngineUpdatesChannel
+
+<!-- Device-Configuration-EngineUpdatesChannel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-EngineUpdatesChannel-Applicability-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/EngineUpdatesChannel
+```
+<!-- Device-Configuration-EngineUpdatesChannel-OmaUri-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-Description-Begin -->
+Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
+<!-- Device-Configuration-EngineUpdatesChannel-Description-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-EngineUpdatesChannel-Editable-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-EngineUpdatesChannel-DFProperties-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. |
+| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. |
+| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). |
+| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. |
+<!-- Device-Configuration-EngineUpdatesChannel-AllowedValues-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-EngineUpdatesChannel-Examples-End -->
+
+<!-- Device-Configuration-EngineUpdatesChannel-End -->
+
+<!-- Device-Configuration-ExcludedIpAddresses-Begin -->
+### Configuration/ExcludedIpAddresses
+
+<!-- Device-Configuration-ExcludedIpAddresses-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-ExcludedIpAddresses-Applicability-End -->
+
+<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/ExcludedIpAddresses
+```
+<!-- Device-Configuration-ExcludedIpAddresses-OmaUri-End -->
+
+<!-- Device-Configuration-ExcludedIpAddresses-Description-Begin -->
+This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic.
+<!-- Device-Configuration-ExcludedIpAddresses-Description-End -->
+
+<!-- Device-Configuration-ExcludedIpAddresses-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-ExcludedIpAddresses-Editable-End -->
+
+<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- Device-Configuration-ExcludedIpAddresses-DFProperties-End -->
+
+<!-- Device-Configuration-ExcludedIpAddresses-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-ExcludedIpAddresses-Examples-End -->
+
+<!-- Device-Configuration-ExcludedIpAddresses-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Begin -->
+### Configuration/HideExclusionsFromLocalAdmins
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Applicability-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/HideExclusionsFromLocalAdmins
+```
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-OmaUri-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-Begin -->
+This policy setting controls whether or not exclusions are visible to local admins.  For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Description-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+> [!NOTE]
+> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in Get-MpPreference.
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Editable-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-DFProperties-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. |
+| 0 | If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell. |
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-AllowedValues-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-Examples-End -->
+
+<!-- Device-Configuration-HideExclusionsFromLocalAdmins-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-Begin -->
+### Configuration/MeteredConnectionUpdates
+
+<!-- Device-Configuration-MeteredConnectionUpdates-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-MeteredConnectionUpdates-Applicability-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/MeteredConnectionUpdates
+```
+<!-- Device-Configuration-MeteredConnectionUpdates-OmaUri-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-Description-Begin -->
+Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed
+<!-- Device-Configuration-MeteredConnectionUpdates-Description-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-MeteredConnectionUpdates-Editable-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-MeteredConnectionUpdates-DFProperties-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | Allowed |
+| 0 (Default) | Not Allowed |
+<!-- Device-Configuration-MeteredConnectionUpdates-AllowedValues-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-MeteredConnectionUpdates-Examples-End -->
+
+<!-- Device-Configuration-MeteredConnectionUpdates-End -->
+
+<!-- Device-Configuration-PassiveRemediation-Begin -->
+### Configuration/PassiveRemediation
+
+<!-- Device-Configuration-PassiveRemediation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-PassiveRemediation-Applicability-End -->
+
+<!-- Device-Configuration-PassiveRemediation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/PassiveRemediation
+```
+<!-- Device-Configuration-PassiveRemediation-OmaUri-End -->
+
+<!-- Device-Configuration-PassiveRemediation-Description-Begin -->
+Setting to control automatic remediation for Sense scans.
+<!-- Device-Configuration-PassiveRemediation-Description-End -->
+
+<!-- Device-Configuration-PassiveRemediation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-PassiveRemediation-Editable-End -->
+
+<!-- Device-Configuration-PassiveRemediation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-PassiveRemediation-DFProperties-End -->
+
+<!-- Device-Configuration-PassiveRemediation-AllowedValues-Begin -->
+**Allowed values**:
+
+| Flag | Description |
+|:--|:--|
+| 0x1 | PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation |
+| 0x2 | PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit |
+| 0x4 | PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation |
+<!-- Device-Configuration-PassiveRemediation-AllowedValues-End -->
+
+<!-- Device-Configuration-PassiveRemediation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-PassiveRemediation-Examples-End -->
+
+<!-- Device-Configuration-PassiveRemediation-End -->
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-Begin -->
+### Configuration/PauseUpdateExpirationTime
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-PauseUpdateExpirationTime-Applicability-End -->
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateExpirationTime
+```
+<!-- Device-Configuration-PauseUpdateExpirationTime-OmaUri-End -->
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-Description-Begin -->
+Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.
+<!-- Device-Configuration-PauseUpdateExpirationTime-Description-End -->
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-PauseUpdateExpirationTime-Editable-End -->
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-PauseUpdateExpirationTime-DFProperties-End -->
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-PauseUpdateExpirationTime-Examples-End -->
+
+<!-- Device-Configuration-PauseUpdateExpirationTime-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-Begin -->
+### Configuration/PauseUpdateFlag
+
+<!-- Device-Configuration-PauseUpdateFlag-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-PauseUpdateFlag-Applicability-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateFlag
+```
+<!-- Device-Configuration-PauseUpdateFlag-OmaUri-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-Description-Begin -->
+Setting to control automatic remediation for Sense scans.
+<!-- Device-Configuration-PauseUpdateFlag-Description-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-PauseUpdateFlag-Editable-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-PauseUpdateFlag-DFProperties-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Update not paused |
+| 1 | Update paused |
+<!-- Device-Configuration-PauseUpdateFlag-AllowedValues-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-PauseUpdateFlag-Examples-End -->
+
+<!-- Device-Configuration-PauseUpdateFlag-End -->
+
+<!-- Device-Configuration-PauseUpdateStartTime-Begin -->
+### Configuration/PauseUpdateStartTime
+
+<!-- Device-Configuration-PauseUpdateStartTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-PauseUpdateStartTime-Applicability-End -->
+
+<!-- Device-Configuration-PauseUpdateStartTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/PauseUpdateStartTime
+```
+<!-- Device-Configuration-PauseUpdateStartTime-OmaUri-End -->
+
+<!-- Device-Configuration-PauseUpdateStartTime-Description-Begin -->
+Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.
+<!-- Device-Configuration-PauseUpdateStartTime-Description-End -->
+
+<!-- Device-Configuration-PauseUpdateStartTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-PauseUpdateStartTime-Editable-End -->
+
+<!-- Device-Configuration-PauseUpdateStartTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-PauseUpdateStartTime-DFProperties-End -->
+
+<!-- Device-Configuration-PauseUpdateStartTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-PauseUpdateStartTime-Examples-End -->
+
+<!-- Device-Configuration-PauseUpdateStartTime-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-Begin -->
+### Configuration/PlatformUpdatesChannel
+
+<!-- Device-Configuration-PlatformUpdatesChannel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-PlatformUpdatesChannel-Applicability-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/PlatformUpdatesChannel
+```
+<!-- Device-Configuration-PlatformUpdatesChannel-OmaUri-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-Description-Begin -->
+Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
+<!-- Device-Configuration-PlatformUpdatesChannel-Description-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-PlatformUpdatesChannel-Editable-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-PlatformUpdatesChannel-DFProperties-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+| 2 | Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. |
+| 3 | Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. |
+| 4 | Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). |
+| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+| 6 | Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only. |
+<!-- Device-Configuration-PlatformUpdatesChannel-AllowedValues-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-PlatformUpdatesChannel-Examples-End -->
+
+<!-- Device-Configuration-PlatformUpdatesChannel-End -->
+
+<!-- Device-Configuration-SchedulerRandomizationTime-Begin -->
+### Configuration/SchedulerRandomizationTime
+
+<!-- Device-Configuration-SchedulerRandomizationTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-SchedulerRandomizationTime-Applicability-End -->
+
+<!-- Device-Configuration-SchedulerRandomizationTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/SchedulerRandomizationTime
+```
+<!-- Device-Configuration-SchedulerRandomizationTime-OmaUri-End -->
+
+<!-- Device-Configuration-SchedulerRandomizationTime-Description-Begin -->
+This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting.
+<!-- Device-Configuration-SchedulerRandomizationTime-Description-End -->
+
+<!-- Device-Configuration-SchedulerRandomizationTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-SchedulerRandomizationTime-Editable-End -->
+
+<!-- Device-Configuration-SchedulerRandomizationTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[1-23]` |
+| Default Value  | 4 |
+<!-- Device-Configuration-SchedulerRandomizationTime-DFProperties-End -->
+
+<!-- Device-Configuration-SchedulerRandomizationTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-SchedulerRandomizationTime-Examples-End -->
+
+<!-- Device-Configuration-SchedulerRandomizationTime-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Begin -->
+### Configuration/SecurityIntelligenceUpdatesChannel
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Applicability-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/SecurityIntelligenceUpdatesChannel
+```
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-OmaUri-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Description-Begin -->
+Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Description-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Editable-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-DFProperties-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). |
+| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-AllowedValues-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-Examples-End -->
+
+<!-- Device-Configuration-SecurityIntelligenceUpdatesChannel-End -->
+
+<!-- Device-Configuration-SupportLogLocation-Begin -->
+### Configuration/SupportLogLocation
+
+<!-- Device-Configuration-SupportLogLocation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-SupportLogLocation-Applicability-End -->
+
+<!-- Device-Configuration-SupportLogLocation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/SupportLogLocation
+```
+<!-- Device-Configuration-SupportLogLocation-OmaUri-End -->
+
+<!-- Device-Configuration-SupportLogLocation-Description-Begin -->
+The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
+<!-- Device-Configuration-SupportLogLocation-Description-End -->
+
+<!-- Device-Configuration-SupportLogLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Intune Support Log Location setting UI supports three states:
+
+- Not configured (default) - Doesn't have any impact on the default state of the device.
+- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
+- 0 - Disabled. Turns off the Support log location feature.
+
+When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
+
+More details:
+
+- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
+- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
+<!-- Device-Configuration-SupportLogLocation-Editable-End -->
+
+<!-- Device-Configuration-SupportLogLocation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-SupportLogLocation-DFProperties-End -->
+
+<!-- Device-Configuration-SupportLogLocation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-SupportLogLocation-Examples-End -->
+
+<!-- Device-Configuration-SupportLogLocation-End -->
+
+<!-- Device-Configuration-TamperProtection-Begin -->
+### Configuration/TamperProtection
+
+<!-- Device-Configuration-TamperProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- Device-Configuration-TamperProtection-Applicability-End -->
+
+<!-- Device-Configuration-TamperProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/TamperProtection
+```
+<!-- Device-Configuration-TamperProtection-OmaUri-End -->
+
+<!-- Device-Configuration-TamperProtection-Description-Begin -->
+Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob.
+<!-- Device-Configuration-TamperProtection-Description-End -->
+
+<!-- Device-Configuration-TamperProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-TamperProtection-Editable-End -->
+
+<!-- Device-Configuration-TamperProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-Configuration-TamperProtection-DFProperties-End -->
+
+<!-- Device-Configuration-TamperProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-TamperProtection-Examples-End -->
+
+<!-- Device-Configuration-TamperProtection-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-Begin -->
+### Configuration/TDTFeatureEnabled
+
+<!-- Device-Configuration-TDTFeatureEnabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041] and later |
+<!-- Device-Configuration-TDTFeatureEnabled-Applicability-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/TDTFeatureEnabled
+```
+<!-- Device-Configuration-TDTFeatureEnabled-OmaUri-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-Description-Begin -->
+This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices.
+<!-- Device-Configuration-TDTFeatureEnabled-Description-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-TDTFeatureEnabled-Editable-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- Device-Configuration-TDTFeatureEnabled-DFProperties-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft. |
+| 2 | If you configure this setting to disabled, Intel TDT integration will be turned off. |
+<!-- Device-Configuration-TDTFeatureEnabled-AllowedValues-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-TDTFeatureEnabled-Examples-End -->
+
+<!-- Device-Configuration-TDTFeatureEnabled-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Begin -->
+### Configuration/ThrottleForScheduledScanOnly
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Applicability-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/ThrottleForScheduledScanOnly
+```
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-OmaUri-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Description-Begin -->
+A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only.
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Description-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Editable-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-DFProperties-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | If you enable this setting, CPU throttling will apply only to scheduled scans. |
+| 0 | If you disable this setting, CPU throttling will apply to scheduled and custom scans. |
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-AllowedValues-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-Examples-End -->
+
+<!-- Device-Configuration-ThrottleForScheduledScanOnly-End -->
+
+<!-- Device-Detections-Begin -->
+## Detections
+
+<!-- Device-Detections-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-Applicability-End -->
+
+<!-- Device-Detections-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections
+```
+<!-- Device-Detections-OmaUri-End -->
+
+<!-- Device-Detections-Description-Begin -->
 An interior node to group all threats detected by Windows Defender.
+<!-- Device-Detections-Description-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-Editable-End -->
 
-<a href="" id="detections-threatid"></a>**Detections/**<strong>*ThreatId*</strong>
+<!-- Device-Detections-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Detections-DFProperties-End -->
+
+<!-- Device-Detections-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-Examples-End -->
+
+<!-- Device-Detections-End -->
+
+<!-- Device-Detections-{ThreatId}-Begin -->
+### Detections/{ThreatId}
+
+<!-- Device-Detections-{ThreatId}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-Applicability-End -->
+
+<!-- Device-Detections-{ThreatId}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}
+```
+<!-- Device-Detections-{ThreatId}-OmaUri-End -->
+
+<!-- Device-Detections-{ThreatId}-Description-Begin -->
 The ID of a threat that has been detected by Windows Defender.
+<!-- Device-Detections-{ThreatId}-Description-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Editable-End -->
 
-<a href="" id="detections-threatid-name"></a>**Detections/*ThreatId*/Name**
-The name of the specific threat.
+<!-- Device-Detections-{ThreatId}-DFProperties-Begin -->
+**Description framework properties**:
 
-The data type is a string.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Detections-{ThreatId}-DFProperties-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Examples-End -->
 
-<a href="" id="detections-threatid-url"></a>**Detections/*ThreatId*/URL**
-URL link for more threat information.
+<!-- Device-Detections-{ThreatId}-End -->
 
-The data type is a string.
+<!-- Device-Detections-{ThreatId}-Category-Begin -->
+#### Detections/{ThreatId}/Category
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-Category-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-Category-Applicability-End -->
 
-<a href="" id="detections-threatid-severity"></a>**Detections/*ThreatId*/Severity**
-Threat severity ID.
+<!-- Device-Detections-{ThreatId}-Category-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Category
+```
+<!-- Device-Detections-{ThreatId}-Category-OmaUri-End -->
 
-The data type is integer.
+<!-- Device-Detections-{ThreatId}-Category-Description-Begin -->
+Threat category ID.  Supported values:
 
-The following list shows the supported values:
+| Value | Description |
+|:--|:--|
+| 0 | Invalid |
+| 1 | Adware |
+| 2 | Spyware |
+| 3 | Password stealer |
+| 4 | Trojan downloader |
+| 5 | Worm |
+| 6 | Backdoor |
+| 7 | Remote access Trojan |
+| 8 | Trojan |
+| 9 | Email flooder |
+| 10 | Keylogger |
+| 11 | Dialer |
+| 12 | Monitoring software |
+| 13 | Browser modifier |
+| 14 | Cookie |
+| 15 | Browser plugin |
+| 16 | AOL exploit |
+| 17 | Nuker |
+| 18 | Security disabler |
+| 19 | Joke program |
+| 20 | Hostile ActiveX control |
+| 21 | Software bundler |
+| 22 | Stealth modifier |
+| 23 | Settings modifier |
+| 24 | Toolbar |
+| 25 | Remote control software |
+| 26 | Trojan FTP |
+| 27 | Potential unwanted software |
+| 28 | ICQ exploit |
+| 29 | Trojan telnet |
+| 30 | Exploit |
+| 31 | File sharing program |
+| 32 | Malware creation tool |
+| 33 | Remote control software |
+| 34 | Tool |
+| 36 | Trojan denial of service |
+| 37 | Trojan dropper |
+| 38 | Trojan mass mailer |
+| 39 | Trojan monitoring software |
+| 40 | Trojan proxy server |
+| 42 | Virus |
+| 43 | Known |
+| 44 | Unknown |
+| 45 | SPP |
+| 46 | Behavior |
+| 47 | Vulnerability |
+| 48 | Policy |
+| 49 | EUS (Enterprise Unwanted Software) |
+| 50 | Ransomware |
+| 51 | ASR Rule |
+<!-- Device-Detections-{ThreatId}-Category-Description-End -->
 
-- 0 = Unknown
-- 1 = Low
-- 2 = Moderate
-- 4 = High
-- 5 = Severe
+<!-- Device-Detections-{ThreatId}-Category-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Category-Editable-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-Category-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="detections-threatid-category"></a>**Detections/*ThreatId*/Category**
-Threat category ID.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-Category-DFProperties-End -->
 
-The data type is integer.
+<!-- Device-Detections-{ThreatId}-Category-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Category-Examples-End -->
 
-The following table describes the supported values:
-<br/><br/>
+<!-- Device-Detections-{ThreatId}-Category-End -->
 
-| Value | Description                 |
-|-------|-----------------------------|
-| 0     | Invalid                     |
-| 1     | Adware                      |
-| 2     | Spyware                     |
-| 3     | Password stealer            |
-| 4     | Trojan downloader           |
-| 5     | Worm                        |
-| 6     | Backdoor                    |
-| 7     | Remote access Trojan        |
-| 8     | Trojan                      |
-| 9     | Email flooder               |
-| 10    | Key logger                   |
-| 11    | Dialer                      |
-| 12    | Monitoring software         |
-| 13    | Browser modifier            |
-| 14    | Cookie                      |
-| 15    | Browser plugin              |
-| 16    | AOL exploit                 |
-| 17    | Nuker                       |
-| 18    | Security disabler           |
-| 19    | Joke program                |
-| 20    | Hostile ActiveX control     |
-| 21    | Software bundler            |
-| 22    | Stealth modifier            |
-| 23    | Settings modifier           |
-| 24    | Toolbar                     |
-| 25    | Remote control software     |
-| 26    | Trojan FTP                  |
-| 27    | Potential unwanted software |
-| 28    | ICQ exploit                 |
-| 29    | Trojan telnet               |
-| 30    | Exploit                     |
-| 31    | File sharing program        |
-| 32    | Malware creation tool       |
-| 33    | Remote control software     |
-| 34    | Tool                        |
-| 36    | Trojan denial of service    |
-| 37    | Trojan dropper              |
-| 38    | Trojan mass mailer          |
-| 39    | Trojan monitoring software  |
-| 40    | Trojan proxy server         |
-| 42    | Virus                       |
-| 43    | Known                       |
-| 44    | Unknown                     |
-| 45    | SPP                         |
-| 46    | Behavior                    |
-| 47    | Vulnerability               |
-| 48    | Policy                      |
-| 49    | EUS (Enterprise Unwanted Software)|
-| 50    | Ransomware                  |
-| 51    | ASR Rule                    |
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Begin -->
+#### Detections/{ThreatId}/CurrentStatus
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Applicability-End -->
 
-<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
-Information about the current status of the threat.
+<!-- Device-Detections-{ThreatId}-CurrentStatus-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/CurrentStatus
+```
+<!-- Device-Detections-{ThreatId}-CurrentStatus-OmaUri-End -->
 
-The data type is integer.
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Description-Begin -->
+Information about the current status of the threat. The following list shows the supported values:
 
-The following list shows the supported values:
+| Value | Description |
+|:--|:--|
+| 0 | Active |
+| 1 | Action failed |
+| 2 | Manual steps required |
+| 3 | Full scan required |
+| 4 | Reboot required |
+| 5 | Remediated with noncritical failures |
+| 6 | Quarantined |
+| 7 | Removed |
+| 8 | Cleaned |
+| 9 | Allowed |
+| 10 | No Status ( Cleared) |
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Description-End -->
 
-- 0 = Active
-- 1 = Action failed
-- 2 = Manual steps required
-- 3 = Full scan required
-- 4 = Reboot required
-- 5 = Remediated with noncritical failures
-- 6 = Quarantined
-- 7 = Removed
-- 8 = Cleaned
-- 9 = Allowed
-- 10 = No Status (Cleared)
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Editable-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-CurrentStatus-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
-Information about the current status of the threat.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-CurrentStatus-DFProperties-End -->
 
-The data type is integer.
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-CurrentStatus-Examples-End -->
 
-The following list shows the supported values:
+<!-- Device-Detections-{ThreatId}-CurrentStatus-End -->
 
-- 0 = Active
-- 1 = Action failed
-- 2 = Manual steps required
-- 3 = Full scan required
-- 4 = Reboot required
-- 5 = Remediated with noncritical failures
-- 6 = Quarantined
-- 7 = Removed
-- 8 = Cleaned
-- 9 = Allowed
-- 10 = No Status (Cleared)
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Begin -->
+#### Detections/{ThreatId}/ExecutionStatus
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Applicability-End -->
 
-<a href="" id="detections-threatid-executionstatus"></a>**Detections/*ThreatId*/ExecutionStatus**
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/ExecutionStatus
+```
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-OmaUri-End -->
+
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Description-Begin -->
 Information about the execution status of the threat.
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Description-End -->
 
-The data type is integer.
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Editable-End -->
 
-The following list shows the supported values:
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-DFProperties-Begin -->
+**Description framework properties**:
 
-- 0 = Unknown
-- 1 = Blocked
-- 2 = Allowed
-- 3 = Running
-- 4 = Not running
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-DFProperties-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-Examples-End -->
 
-<a href="" id="detections-threatid-initialdetectiontime"></a>**Detections/*ThreatId*/InitialDetectionTime**
+<!-- Device-Detections-{ThreatId}-ExecutionStatus-End -->
+
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Begin -->
+#### Detections/{ThreatId}/InitialDetectionTime
+
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Applicability-End -->
+
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/InitialDetectionTime
+```
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-OmaUri-End -->
+
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Description-Begin -->
 The first time this particular threat was detected.
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Description-End -->
 
-The data type is a string.
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Editable-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="detections-threatid-lastthreatstatuschangetime"></a>**Detections/*ThreatId*/LastThreatStatusChangeTime**
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-DFProperties-End -->
+
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-Examples-End -->
+
+<!-- Device-Detections-{ThreatId}-InitialDetectionTime-End -->
+
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Begin -->
+#### Detections/{ThreatId}/LastThreatStatusChangeTime
+
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Applicability-End -->
+
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/LastThreatStatusChangeTime
+```
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-OmaUri-End -->
+
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Description-Begin -->
 The last time this particular threat was changed.
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Description-End -->
 
-The data type is a string.
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Editable-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="detections-threatid-numberofdetections"></a>**Detections/*ThreatId*/NumberOfDetections**
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-DFProperties-End -->
+
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-Examples-End -->
+
+<!-- Device-Detections-{ThreatId}-LastThreatStatusChangeTime-End -->
+
+<!-- Device-Detections-{ThreatId}-Name-Begin -->
+#### Detections/{ThreatId}/Name
+
+<!-- Device-Detections-{ThreatId}-Name-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-Name-Applicability-End -->
+
+<!-- Device-Detections-{ThreatId}-Name-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Name
+```
+<!-- Device-Detections-{ThreatId}-Name-OmaUri-End -->
+
+<!-- Device-Detections-{ThreatId}-Name-Description-Begin -->
+The name of the specific threat.
+<!-- Device-Detections-{ThreatId}-Name-Description-End -->
+
+<!-- Device-Detections-{ThreatId}-Name-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Name-Editable-End -->
+
+<!-- Device-Detections-{ThreatId}-Name-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-Name-DFProperties-End -->
+
+<!-- Device-Detections-{ThreatId}-Name-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Name-Examples-End -->
+
+<!-- Device-Detections-{ThreatId}-Name-End -->
+
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Begin -->
+#### Detections/{ThreatId}/NumberOfDetections
+
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Applicability-End -->
+
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/NumberOfDetections
+```
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-OmaUri-End -->
+
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Description-Begin -->
 Number of times this threat has been detected on a particular client.
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Description-End -->
 
-The data type is integer.
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Editable-End -->
 
-Supported operation is Get.
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="enablenetworkprotection"></a>**EnableNetworkProtection**
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-DFProperties-End -->
 
-The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
-The acceptable values for this parameter are:
-- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
-- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
-- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log.
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-Examples-End -->
 
-Accepted values: Disabled, Enabled, and AuditMode
-Position: Named
-Default value: Disabled
-Accept pipeline input: False
-Accept wildcard characters: False
+<!-- Device-Detections-{ThreatId}-NumberOfDetections-End -->
 
-<a href="" id="enablenetworkprotection-allownetworkprotectiondownlevel"></a>**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
+<!-- Device-Detections-{ThreatId}-Severity-Begin -->
+#### Detections/{ThreatId}/Severity
 
-By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
+<!-- Device-Detections-{ThreatId}-Severity-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-Severity-Applicability-End -->
 
-<a href="" id="enablenetworkprotection-allownetworkprotectiononwinserver"></a>**EnableNetworkProtection/AllowNetworkProtectionOnWinServer**
+<!-- Device-Detections-{ThreatId}-Severity-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/Severity
+```
+<!-- Device-Detections-{ThreatId}-Severity-OmaUri-End -->
 
-By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
+<!-- Device-Detections-{ThreatId}-Severity-Description-Begin -->
+Threat severity ID. The following list shows the supported values:
 
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
+| Value | Description |
+|:--|:--|
+| 0 | Unknown |
+| 1 | Low |
+| 2 | Moderate |
+| 4 | High |
+| 5 | Severe |
+<!-- Device-Detections-{ThreatId}-Severity-Description-End -->
 
-<a href="" id="enablenetworkprotection-disablenetworkprotectionperftelemetry"></a>**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry**
+<!-- Device-Detections-{ThreatId}-Severity-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Severity-Editable-End -->
 
-Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true".
+<!-- Device-Detections-{ThreatId}-Severity-DFProperties-Begin -->
+**Description framework properties**:
 
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-Severity-DFProperties-End -->
 
-<a href="" id="enablenetworkprotection-disabledatagramprocessing"></a>**EnableNetworkProtection/DisableDatagramProcessing**
+<!-- Device-Detections-{ThreatId}-Severity-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-Severity-Examples-End -->
 
-Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true".
+<!-- Device-Detections-{ThreatId}-Severity-End -->
 
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
+<!-- Device-Detections-{ThreatId}-URL-Begin -->
+#### Detections/{ThreatId}/URL
 
-<a href="" id="enablenetworkprotection-disableinboundconnectionfiltering"></a>**EnableNetworkProtection/DisableInboundConnectionFiltering**
+<!-- Device-Detections-{ThreatId}-URL-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Detections-{ThreatId}-URL-Applicability-End -->
 
-Network Protection inspects and can block both connections that originate from the host machine, and those connections that originate from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
+<!-- Device-Detections-{ThreatId}-URL-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Detections/{ThreatId}/URL
+```
+<!-- Device-Detections-{ThreatId}-URL-OmaUri-End -->
 
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
+<!-- Device-Detections-{ThreatId}-URL-Description-Begin -->
+URL link for additional threat information.
+<!-- Device-Detections-{ThreatId}-URL-Description-End -->
 
-<a href="" id="enablenetworkprotection-enablednssinkhole"></a>**EnableNetworkProtection/EnableDnsSinkhole**
+<!-- Device-Detections-{ThreatId}-URL-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-URL-Editable-End -->
 
-Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS-based malicious attacks. Set this configuration to "$true" to enable this feature.
+<!-- Device-Detections-{ThreatId}-URL-DFProperties-Begin -->
+**Description framework properties**:
 
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Detections-{ThreatId}-URL-DFProperties-End -->
 
-<a href="" id="enablenetworkprotection-disablednsovertcpparsing"></a>**EnableNetworkProtection/DisableDnsOverTcpParsing**
+<!-- Device-Detections-{ThreatId}-URL-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Detections-{ThreatId}-URL-Examples-End -->
 
-Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true".
+<!-- Device-Detections-{ThreatId}-URL-End -->
 
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
+<!-- Device-Health-Begin -->
+## Health
 
-<a href="" id="enablenetworkprotection-disablednsparsing"></a>**EnableNetworkProtection/DisableDnsParsing**
+<!-- Device-Health-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-Applicability-End -->
 
-Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This attribute can be disabled by setting this value to "$true".
+<!-- Device-Health-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health
+```
+<!-- Device-Health-OmaUri-End -->
 
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
-
-<a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
-
-Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
-
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
-
-<a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
-
-Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
-
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
-
-<a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
-
-Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
-
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
-
-<a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
-
-Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
-
-- Type: Boolean
-- Position: Named
-- Default value: False
-- Accept pipeline input: False
-- Accept wildcard characters: False
-
-<a href="" id="health"></a>**Health**
+<!-- Device-Health-Description-Begin -->
 An interior node to group information about Windows Defender health status.
+<!-- Device-Health-Description-End -->
 
-Supported operation is Get.
+<!-- Device-Health-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-Editable-End -->
 
-<a href="" id="health-productstatus"></a>**Health/ProductStatus**
-Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list.
+<!-- Device-Health-DFProperties-Begin -->
+**Description framework properties**:
 
-The data type is integer. Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Health-DFProperties-End -->
 
-Supported product status values:
--  No status                                                        = 0
--  Service not running                                              = 1 << 0
--  Service started without any malware protection engine            = 1 << 1
--  Pending full scan due to threat action                           = 1 << 2
--  Pending reboot due to threat action                              = 1 << 3
--  ending manual steps due to threat action                         = 1 << 4
--  AV signatures out of date                                        = 1 << 5
--  AS signatures out of date                                        = 1 << 6
--  No quick scan has happened for a specified period                = 1 << 7
--  No full scan has happened for a specified period                 = 1 << 8
--  System initiated scan in progress                                = 1 << 9
--  System initiated clean in progress                               = 1 << 10
--  There are samples pending submission                             = 1 << 11
--  Product running in evaluation mode                               = 1 << 12
--  Product running in non-genuine Windows mode                      = 1 << 13
--  Product expired                                                  = 1 << 14
--  Off-line scan required                                           = 1 << 15
--  Service is shutting down as part of system shutdown              = 1 << 16
--  Threat remediation failed critically                             = 1 << 17
--  Threat remediation failed non-critically                         = 1 << 18
--  No status flags set (well-initialized state)                     = 1 << 19
--  Platform is out of date                                          = 1 << 20
--  Platform update is in progress                                   = 1 << 21
--  Platform is about to be outdated                                 = 1 << 22
--  Signature or platform end of life is past or is impending        = 1 << 23
--  Windows SMode signatures still in use on non-Win10S install      = 1 << 24
+<!-- Device-Health-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-Examples-End -->
 
-Example:
+<!-- Device-Health-End -->
+
+<!-- Device-Health-ComputerState-Begin -->
+### Health/ComputerState
+
+<!-- Device-Health-ComputerState-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-ComputerState-Applicability-End -->
+
+<!-- Device-Health-ComputerState-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/ComputerState
+```
+<!-- Device-Health-ComputerState-OmaUri-End -->
+
+<!-- Device-Health-ComputerState-Description-Begin -->
+Provide the current state of the device. The following list shows the supported values:
+
+| Value | Description |
+|:--|:--|
+| 0 | Clean |
+| 1 | Pending full scan |
+| 2 | Pending reboot |
+| 4 | Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan) |
+| 8 | Pending offline scan |
+| 16 | Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender) |
+<!-- Device-Health-ComputerState-Description-End -->
+
+<!-- Device-Health-ComputerState-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-ComputerState-Editable-End -->
+
+<!-- Device-Health-ComputerState-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Health-ComputerState-DFProperties-End -->
+
+<!-- Device-Health-ComputerState-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-ComputerState-Examples-End -->
+
+<!-- Device-Health-ComputerState-End -->
+
+<!-- Device-Health-DefenderEnabled-Begin -->
+### Health/DefenderEnabled
+
+<!-- Device-Health-DefenderEnabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-DefenderEnabled-Applicability-End -->
+
+<!-- Device-Health-DefenderEnabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/DefenderEnabled
+```
+<!-- Device-Health-DefenderEnabled-OmaUri-End -->
+
+<!-- Device-Health-DefenderEnabled-Description-Begin -->
+Indicates whether the Windows Defender service is running.
+<!-- Device-Health-DefenderEnabled-Description-End -->
+
+<!-- Device-Health-DefenderEnabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-DefenderEnabled-Editable-End -->
+
+<!-- Device-Health-DefenderEnabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-DefenderEnabled-DFProperties-End -->
+
+<!-- Device-Health-DefenderEnabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-DefenderEnabled-Examples-End -->
+
+<!-- Device-Health-DefenderEnabled-End -->
+
+<!-- Device-Health-DefenderVersion-Begin -->
+### Health/DefenderVersion
+
+<!-- Device-Health-DefenderVersion-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-DefenderVersion-Applicability-End -->
+
+<!-- Device-Health-DefenderVersion-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/DefenderVersion
+```
+<!-- Device-Health-DefenderVersion-OmaUri-End -->
+
+<!-- Device-Health-DefenderVersion-Description-Begin -->
+Version number of Windows Defender on the device.
+<!-- Device-Health-DefenderVersion-Description-End -->
+
+<!-- Device-Health-DefenderVersion-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-DefenderVersion-Editable-End -->
+
+<!-- Device-Health-DefenderVersion-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Health-DefenderVersion-DFProperties-End -->
+
+<!-- Device-Health-DefenderVersion-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-DefenderVersion-Examples-End -->
+
+<!-- Device-Health-DefenderVersion-End -->
+
+<!-- Device-Health-EngineVersion-Begin -->
+### Health/EngineVersion
+
+<!-- Device-Health-EngineVersion-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-EngineVersion-Applicability-End -->
+
+<!-- Device-Health-EngineVersion-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/EngineVersion
+```
+<!-- Device-Health-EngineVersion-OmaUri-End -->
+
+<!-- Device-Health-EngineVersion-Description-Begin -->
+Version number of the current Windows Defender engine on the device.
+<!-- Device-Health-EngineVersion-Description-End -->
+
+<!-- Device-Health-EngineVersion-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-EngineVersion-Editable-End -->
+
+<!-- Device-Health-EngineVersion-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Health-EngineVersion-DFProperties-End -->
+
+<!-- Device-Health-EngineVersion-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-EngineVersion-Examples-End -->
+
+<!-- Device-Health-EngineVersion-End -->
+
+<!-- Device-Health-FullScanOverdue-Begin -->
+### Health/FullScanOverdue
+
+<!-- Device-Health-FullScanOverdue-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-FullScanOverdue-Applicability-End -->
+
+<!-- Device-Health-FullScanOverdue-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/FullScanOverdue
+```
+<!-- Device-Health-FullScanOverdue-OmaUri-End -->
+
+<!-- Device-Health-FullScanOverdue-Description-Begin -->
+Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default).
+<!-- Device-Health-FullScanOverdue-Description-End -->
+
+<!-- Device-Health-FullScanOverdue-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-FullScanOverdue-Editable-End -->
+
+<!-- Device-Health-FullScanOverdue-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-FullScanOverdue-DFProperties-End -->
+
+<!-- Device-Health-FullScanOverdue-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-FullScanOverdue-Examples-End -->
+
+<!-- Device-Health-FullScanOverdue-End -->
+
+<!-- Device-Health-FullScanRequired-Begin -->
+### Health/FullScanRequired
+
+<!-- Device-Health-FullScanRequired-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-FullScanRequired-Applicability-End -->
+
+<!-- Device-Health-FullScanRequired-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/FullScanRequired
+```
+<!-- Device-Health-FullScanRequired-OmaUri-End -->
+
+<!-- Device-Health-FullScanRequired-Description-Begin -->
+Indicates whether a Windows Defender full scan is required.
+<!-- Device-Health-FullScanRequired-Description-End -->
+
+<!-- Device-Health-FullScanRequired-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-FullScanRequired-Editable-End -->
+
+<!-- Device-Health-FullScanRequired-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-FullScanRequired-DFProperties-End -->
+
+<!-- Device-Health-FullScanRequired-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-FullScanRequired-Examples-End -->
+
+<!-- Device-Health-FullScanRequired-End -->
+
+<!-- Device-Health-FullScanSigVersion-Begin -->
+### Health/FullScanSigVersion
+
+<!-- Device-Health-FullScanSigVersion-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-FullScanSigVersion-Applicability-End -->
+
+<!-- Device-Health-FullScanSigVersion-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/FullScanSigVersion
+```
+<!-- Device-Health-FullScanSigVersion-OmaUri-End -->
+
+<!-- Device-Health-FullScanSigVersion-Description-Begin -->
+Signature version used for the last full scan of the device.
+<!-- Device-Health-FullScanSigVersion-Description-End -->
+
+<!-- Device-Health-FullScanSigVersion-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-FullScanSigVersion-Editable-End -->
+
+<!-- Device-Health-FullScanSigVersion-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Health-FullScanSigVersion-DFProperties-End -->
+
+<!-- Device-Health-FullScanSigVersion-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-FullScanSigVersion-Examples-End -->
+
+<!-- Device-Health-FullScanSigVersion-End -->
+
+<!-- Device-Health-FullScanTime-Begin -->
+### Health/FullScanTime
+
+<!-- Device-Health-FullScanTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-FullScanTime-Applicability-End -->
+
+<!-- Device-Health-FullScanTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/FullScanTime
+```
+<!-- Device-Health-FullScanTime-OmaUri-End -->
+
+<!-- Device-Health-FullScanTime-Description-Begin -->
+Time of the last Windows Defender full scan of the device.
+<!-- Device-Health-FullScanTime-Description-End -->
+
+<!-- Device-Health-FullScanTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-FullScanTime-Editable-End -->
+
+<!-- Device-Health-FullScanTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Health-FullScanTime-DFProperties-End -->
+
+<!-- Device-Health-FullScanTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-FullScanTime-Examples-End -->
+
+<!-- Device-Health-FullScanTime-End -->
+
+<!-- Device-Health-IsVirtualMachine-Begin -->
+### Health/IsVirtualMachine
+
+<!-- Device-Health-IsVirtualMachine-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- Device-Health-IsVirtualMachine-Applicability-End -->
+
+<!-- Device-Health-IsVirtualMachine-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/IsVirtualMachine
+```
+<!-- Device-Health-IsVirtualMachine-OmaUri-End -->
+
+<!-- Device-Health-IsVirtualMachine-Description-Begin -->
+Indicates whether the device is a virtual machine.
+<!-- Device-Health-IsVirtualMachine-Description-End -->
+
+<!-- Device-Health-IsVirtualMachine-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-IsVirtualMachine-Editable-End -->
+
+<!-- Device-Health-IsVirtualMachine-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-IsVirtualMachine-DFProperties-End -->
+
+<!-- Device-Health-IsVirtualMachine-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-IsVirtualMachine-Examples-End -->
+
+<!-- Device-Health-IsVirtualMachine-End -->
+
+<!-- Device-Health-NisEnabled-Begin -->
+### Health/NisEnabled
+
+<!-- Device-Health-NisEnabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-NisEnabled-Applicability-End -->
+
+<!-- Device-Health-NisEnabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/NisEnabled
+```
+<!-- Device-Health-NisEnabled-OmaUri-End -->
+
+<!-- Device-Health-NisEnabled-Description-Begin -->
+Indicates whether network protection is running.
+<!-- Device-Health-NisEnabled-Description-End -->
+
+<!-- Device-Health-NisEnabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-NisEnabled-Editable-End -->
+
+<!-- Device-Health-NisEnabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-NisEnabled-DFProperties-End -->
+
+<!-- Device-Health-NisEnabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-NisEnabled-Examples-End -->
+
+<!-- Device-Health-NisEnabled-End -->
+
+<!-- Device-Health-ProductStatus-Begin -->
+### Health/ProductStatus
+
+<!-- Device-Health-ProductStatus-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- Device-Health-ProductStatus-Applicability-End -->
+
+<!-- Device-Health-ProductStatus-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/ProductStatus
+```
+<!-- Device-Health-ProductStatus-OmaUri-End -->
+
+<!-- Device-Health-ProductStatus-Description-Begin -->
+Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values:
+
+| Value | Description |
+|:--|:--|
+| 0 | No status |
+| 1 (1 << 0) | Service not running |
+| 2 (1 << 1) | Service started without any malware protection engine |
+| 4 (1 << 2) | Pending full scan due to threat action |
+| 8 (1 << 3) | Pending reboot due to threat action |
+| 16 (1 << 4) | ending manual steps due to threat action |
+| 32 (1 << 5) | AV signatures out of date |
+| 64 (1 << 6) | AS signatures out of date |
+| 128 (1 << 7) | No quick scan has happened for a specified period |
+| 256 (1 << 8) | No full scan has happened for a specified period |
+| 512 (1 << 9) | System initiated scan in progress |
+| 1024 (1 << 10) | System initiated clean in progress |
+| 2048 (1 << 11) | There are samples pending submission |
+| 4096 (1 << 12) | Product running in evaluation mode |
+| 8192 (1 << 13) | Product running in non-genuine Windows mode |
+| 16384 (1 << 14) | Product expired |
+| 32768 (1 << 15) | Off-line scan required |
+| 65536 (1 << 16) | Service is shutting down as part of system shutdown |
+| 131072 (1 << 17) | Threat remediation failed critically |
+| 262144 (1 << 18) | Threat remediation failed non-critically |
+| 524288 (1 << 19) | No status flags set (well initialized state) |
+| 1048576 (1 << 20) | Platform is out of date |
+| 2097152 (1 << 21) | Platform update is in progress |
+| 4194304 (1 << 22) | Platform is about to be outdated |
+| 8388608 (1 << 23) | Signature or platform end of life is past or is impending |
+| 16777216 (1 << 24) | Windows SMode signatures still in use on non-Win10S install |
+<!-- Device-Health-ProductStatus-Description-End -->
+
+<!-- Device-Health-ProductStatus-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-ProductStatus-Editable-End -->
+
+<!-- Device-Health-ProductStatus-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Get |
+<!-- Device-Health-ProductStatus-DFProperties-End -->
+
+<!-- Device-Health-ProductStatus-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
 
 ```xml
 <SyncML xmlns="SYNCML:SYNCML1.1">
@@ -456,421 +3111,522 @@ Example:
   </SyncBody>
 </SyncML>
 ```
+<!-- Device-Health-ProductStatus-Examples-End -->
 
-<a href="" id="health-computerstate"></a>**Health/ComputerState**
-Provide the current state of the device.
+<!-- Device-Health-ProductStatus-End -->
 
-The data type is integer.
+<!-- Device-Health-QuickScanOverdue-Begin -->
+### Health/QuickScanOverdue
 
-The following list shows the supported values:
+<!-- Device-Health-QuickScanOverdue-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-QuickScanOverdue-Applicability-End -->
 
--   0 = Clean
--   1 = Pending full scan
--   2 = Pending reboot
--   4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan)
--   8 = Pending offline scan
--   16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
+<!-- Device-Health-QuickScanOverdue-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/QuickScanOverdue
+```
+<!-- Device-Health-QuickScanOverdue-OmaUri-End -->
 
-Supported operation is Get.
+<!-- Device-Health-QuickScanOverdue-Description-Begin -->
+Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default).
+<!-- Device-Health-QuickScanOverdue-Description-End -->
 
-<a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled**
-Indicates whether the Windows Defender service is running.
+<!-- Device-Health-QuickScanOverdue-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-QuickScanOverdue-Editable-End -->
 
-The data type is a Boolean.
+<!-- Device-Health-QuickScanOverdue-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-QuickScanOverdue-DFProperties-End -->
 
-<a href="" id="health-rtpenabled"></a>**Health/RtpEnabled**
-Indicates whether real-time protection is running.
+<!-- Device-Health-QuickScanOverdue-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-QuickScanOverdue-Examples-End -->
 
-The data type is a Boolean.
+<!-- Device-Health-QuickScanOverdue-End -->
 
-Supported operation is Get.
+<!-- Device-Health-QuickScanSigVersion-Begin -->
+### Health/QuickScanSigVersion
 
-<a href="" id="health-nisenabled"></a>**Health/NisEnabled**
-Indicates whether network protection is running.
+<!-- Device-Health-QuickScanSigVersion-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-QuickScanSigVersion-Applicability-End -->
 
-The data type is a Boolean.
+<!-- Device-Health-QuickScanSigVersion-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/QuickScanSigVersion
+```
+<!-- Device-Health-QuickScanSigVersion-OmaUri-End -->
 
-Supported operation is Get.
-
-<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
-Indicates whether a Windows Defender quick scan is overdue for the device.
-
-A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default).
-
-The data type is a Boolean.
-
-Supported operation is Get.
-
-<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
-Indicates whether a Windows Defender full scan is overdue for the device.
-
-A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default).
-
-The data type is a Boolean.
-
-Supported operation is Get.
-
-<a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate**
-Indicates whether the Windows Defender signature is outdated.
-
-The data type is a Boolean.
-
-Supported operation is Get.
-
-<a href="" id="health-rebootrequired"></a>**Health/RebootRequired**
-Indicates whether a device reboot is needed.
-
-The data type is a Boolean.
-
-Supported operation is Get.
-
-<a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired**
-Indicates whether a Windows Defender full scan is required.
-
-The data type is a Boolean.
-
-Supported operation is Get.
-
-<a href="" id="health-engineversion"></a>**Health/EngineVersion**
-Version number of the current Windows Defender engine on the device.
-
-The data type is a string.
-
-Supported operation is Get.
-
-<a href="" id="health-signatureversion"></a>**Health/SignatureVersion**
-Version number of the current Windows Defender signatures on the device.
-
-The data type is a string.
-
-Supported operation is Get.
-
-<a href="" id="health-defenderversion"></a>**Health/DefenderVersion**
-Version number of Windows Defender on the device.
-
-The data type is a string.
-
-Supported operation is Get.
-
-<a href="" id="health-quickscantime"></a>**Health/QuickScanTime**
-Time of the last Windows Defender quick scan of the device.
-
-The data type is a string.
-
-Supported operation is Get.
-
-<a href="" id="health-fullscantime"></a>**Health/FullScanTime**
-Time of the last Windows Defender full scan of the device.
-
-The data type is a string.
-
-Supported operation is Get.
-
-<a href="" id="health-quickscansigversion"></a>**Health/QuickScanSigVersion**
+<!-- Device-Health-QuickScanSigVersion-Description-Begin -->
 Signature version used for the last quick scan of the device.
+<!-- Device-Health-QuickScanSigVersion-Description-End -->
 
-The data type is a string.
+<!-- Device-Health-QuickScanSigVersion-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-QuickScanSigVersion-Editable-End -->
 
-Supported operation is Get.
-
-<a href="" id="health-fullscansigversion"></a>**Health/FullScanSigVersion**
-Signature version used for the last full scan of the device.
-
-The data type is a string.
-
-Supported operation is Get.
-
-<a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled**
-Indicates whether the Windows Defender tamper protection feature is enabled.​
-
-The data type is a Boolean.
-
-Supported operation is Get.
-
-<a href="" id="health-isvirtualmachine"></a>**Health/IsVirtualMachine**
-Indicates whether the device is a virtual machine.
-
-The data type is a string.
-
-Supported operation is Get.
-
-<a href="" id="configuration"></a>**Configuration**
-An interior node to group Windows Defender configuration information.
-
-Supported operation is Get.
-
-<a href="" id="configuration-tamperprotection"></a>**Configuration/TamperProtection**
-
-Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
-
-
-Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune.
-
-The data type is a Signed BLOB.
-
-Supported operations are Add, Delete, Get, Replace.
-
-Intune tamper protection setting UX supports three states:
-- Not configured (default): Doesn't have any impact on the default state of the device.
-- Enabled: Enables the tamper protection feature.
-- Disabled: Turns off the tamper protection feature.
-
-When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
-
-<a href="" id="configuration-disablelocaladminmerge"></a>**Configuration/DisableLocalAdminMerge**<br>
-This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list.
-
-If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings.
-
-If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator.
-
-> [!NOTE]
-> Applying this setting won't remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**.
-
-Supported OS versions:  Windows 10
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, Replace.
-
-Valid values are:
-- 1 – Enable.
-- 0 (default) – Disable.
-
-<a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
-
-This policy setting controls whether or not exclusions are visible to Local Admins.  For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled.
-
-If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell.
-
-If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell.
-
-> [!NOTE]
-> Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
-
-Supported OS versions: Windows 10
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
-- 1 – Enable.
-- 0 (default) – Disable.
-
-<a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br>
-
-Indicates whether the CPU will be throttled for scheduled scans while the device is idle.  This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
--	1 (default) – Enable.
--	0 – Disable.
-
-<a href="" id="configuration-meteredconnectionupdates"></a>**Configuration/MeteredConnectionUpdates**<br>
-Allow managed devices to update through metered connections. Data charges may apply.
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
-- 1 – Enable.
-- 0 (default) – Disable.
-
-<a href="" id="configuration-allownetworkprotectiononwinserver"></a>**Configuration/AllowNetworkProtectionOnWinServer**<br>
-This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
-- 1 – Enable.
-- 0 (default) – Disable.
-
-<a href="" id="configuration-exclusionipaddress"></a>**Configuration/ExclusionIpAddress**<br>
-Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
-
-The data type is string.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-<a href="" id="configuration-enablefilehashcomputation"></a>**Configuration/EnableFileHashComputation**
-Enables or disables file hash computation feature.
-When this feature is enabled, Windows Defender will compute hashes for files it scans.
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
-- 1 – Enable.
-- 0 (default) – Disable.
-
-<a href="" id="configuration-supportloglocation"></a>**Configuration/SupportLogLocation**
-The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
-
-Data type is string.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Intune Support log location setting UX supports three states:
-
-- Not configured (default) - Doesn't have any impact on the default state of the device.
-- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
-- 0 - Disabled. Turns off the Support log location feature.
-
-When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
-
-More details:
-
-- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
-- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
-
-<a href="" id="configuration-platformupdateschannel"></a>**Configuration/PlatformUpdatesChannel**
-Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
-
-Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
-
-Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
-
-Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
-
-Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
-
-Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only
-
-If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
-- 0: Not configured (Default)
-- 2: Beta Channel - Prerelease
-- 3: Current Channel (Preview)
-- 4: Current Channel (Staged)
-- 5: Current Channel (Broad)
-- 6: Critical- Time Delay
-
-
-More details:
-
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
-
-<a href="" id="configuration-engineupdateschannel"></a>**Configuration/EngineUpdatesChannel**
-Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
-
-Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
-
-Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
-
-Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
-
-Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
-
-Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only
-
-If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
-- 0: Not configured (Default)
-- 2: Beta Channel - Prerelease
-- 3: Current Channel (Preview)
-- 4: Current Channel (Staged)
-- 5: Current Channel (Broad)
-- 6: Critical- Time Delay
-
-More details:
-
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
-
-<a href="" id="configuration-definitionupdateschannel"></a>**Configuration/SecurityIntelligenceUpdatesChannel**
-Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition) updates during the daily gradual rollout.
-
-Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
-
-Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
-
-If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices.
-
-The data type is integer.
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid Values are:
-- 0: Not configured (Default)
-- 4: Current Channel (Staged)
-- 5: Current Channel (Broad)
-
-More details:
-
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
-
-<a href="" id="configuration-disablegradualrelease"></a>**Configuration/DisableGradualRelease**
-Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates.
-Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This facility for devices is best for datacenters that only receive limited updates.
-
-> [!NOTE]
-> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates.
-
-If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
-
-The data type is integer.
-
-Supported operations are Add, Delete, Get, and Replace.
-
-Valid values are:
-- 1 – Enabled.
--	0 (default) – Not Configured.
-
-More details:
-
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
-
-<a href="" id="configuration-passiveremediation"></a>**Configuration/PassiveRemediation**
-This policy setting enables or disables EDR in block mode (recommended for devices running Microsoft Defender Antivirus in passive mode). For more information, see Endpoint detection and response in block mode | Microsoft Docs. Available with platform release: 4.18.2202.X
-
-The data type is integer
-
-Supported values:
-- 1: Turn EDR in block mode on
-- 0: Turn EDR in block mode off
-
-
-<a href="" id="scan"></a>**Scan**
+<!-- Device-Health-QuickScanSigVersion-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Health-QuickScanSigVersion-DFProperties-End -->
+
+<!-- Device-Health-QuickScanSigVersion-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-QuickScanSigVersion-Examples-End -->
+
+<!-- Device-Health-QuickScanSigVersion-End -->
+
+<!-- Device-Health-QuickScanTime-Begin -->
+### Health/QuickScanTime
+
+<!-- Device-Health-QuickScanTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-QuickScanTime-Applicability-End -->
+
+<!-- Device-Health-QuickScanTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/QuickScanTime
+```
+<!-- Device-Health-QuickScanTime-OmaUri-End -->
+
+<!-- Device-Health-QuickScanTime-Description-Begin -->
+Time of the last Windows Defender quick scan of the device.
+<!-- Device-Health-QuickScanTime-Description-End -->
+
+<!-- Device-Health-QuickScanTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-QuickScanTime-Editable-End -->
+
+<!-- Device-Health-QuickScanTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Health-QuickScanTime-DFProperties-End -->
+
+<!-- Device-Health-QuickScanTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-QuickScanTime-Examples-End -->
+
+<!-- Device-Health-QuickScanTime-End -->
+
+<!-- Device-Health-RebootRequired-Begin -->
+### Health/RebootRequired
+
+<!-- Device-Health-RebootRequired-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-RebootRequired-Applicability-End -->
+
+<!-- Device-Health-RebootRequired-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/RebootRequired
+```
+<!-- Device-Health-RebootRequired-OmaUri-End -->
+
+<!-- Device-Health-RebootRequired-Description-Begin -->
+Indicates whether a device reboot is needed.
+<!-- Device-Health-RebootRequired-Description-End -->
+
+<!-- Device-Health-RebootRequired-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-RebootRequired-Editable-End -->
+
+<!-- Device-Health-RebootRequired-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-RebootRequired-DFProperties-End -->
+
+<!-- Device-Health-RebootRequired-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-RebootRequired-Examples-End -->
+
+<!-- Device-Health-RebootRequired-End -->
+
+<!-- Device-Health-RtpEnabled-Begin -->
+### Health/RtpEnabled
+
+<!-- Device-Health-RtpEnabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-RtpEnabled-Applicability-End -->
+
+<!-- Device-Health-RtpEnabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/RtpEnabled
+```
+<!-- Device-Health-RtpEnabled-OmaUri-End -->
+
+<!-- Device-Health-RtpEnabled-Description-Begin -->
+Indicates whether real-time protection is running.
+<!-- Device-Health-RtpEnabled-Description-End -->
+
+<!-- Device-Health-RtpEnabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-RtpEnabled-Editable-End -->
+
+<!-- Device-Health-RtpEnabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-RtpEnabled-DFProperties-End -->
+
+<!-- Device-Health-RtpEnabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-RtpEnabled-Examples-End -->
+
+<!-- Device-Health-RtpEnabled-End -->
+
+<!-- Device-Health-SignatureOutOfDate-Begin -->
+### Health/SignatureOutOfDate
+
+<!-- Device-Health-SignatureOutOfDate-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-SignatureOutOfDate-Applicability-End -->
+
+<!-- Device-Health-SignatureOutOfDate-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/SignatureOutOfDate
+```
+<!-- Device-Health-SignatureOutOfDate-OmaUri-End -->
+
+<!-- Device-Health-SignatureOutOfDate-Description-Begin -->
+Indicates whether the Windows Defender signature is outdated.
+<!-- Device-Health-SignatureOutOfDate-Description-End -->
+
+<!-- Device-Health-SignatureOutOfDate-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-SignatureOutOfDate-Editable-End -->
+
+<!-- Device-Health-SignatureOutOfDate-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-SignatureOutOfDate-DFProperties-End -->
+
+<!-- Device-Health-SignatureOutOfDate-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-SignatureOutOfDate-Examples-End -->
+
+<!-- Device-Health-SignatureOutOfDate-End -->
+
+<!-- Device-Health-SignatureVersion-Begin -->
+### Health/SignatureVersion
+
+<!-- Device-Health-SignatureVersion-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Health-SignatureVersion-Applicability-End -->
+
+<!-- Device-Health-SignatureVersion-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/SignatureVersion
+```
+<!-- Device-Health-SignatureVersion-OmaUri-End -->
+
+<!-- Device-Health-SignatureVersion-Description-Begin -->
+Version number of the current Windows Defender signatures on the device.
+<!-- Device-Health-SignatureVersion-Description-End -->
+
+<!-- Device-Health-SignatureVersion-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-SignatureVersion-Editable-End -->
+
+<!-- Device-Health-SignatureVersion-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Get |
+<!-- Device-Health-SignatureVersion-DFProperties-End -->
+
+<!-- Device-Health-SignatureVersion-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-SignatureVersion-Examples-End -->
+
+<!-- Device-Health-SignatureVersion-End -->
+
+<!-- Device-Health-TamperProtectionEnabled-Begin -->
+### Health/TamperProtectionEnabled
+
+<!-- Device-Health-TamperProtectionEnabled-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- Device-Health-TamperProtectionEnabled-Applicability-End -->
+
+<!-- Device-Health-TamperProtectionEnabled-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Health/TamperProtectionEnabled
+```
+<!-- Device-Health-TamperProtectionEnabled-OmaUri-End -->
+
+<!-- Device-Health-TamperProtectionEnabled-Description-Begin -->
+Indicates whether the Windows Defender tamper protection feature is enabled.
+<!-- Device-Health-TamperProtectionEnabled-Description-End -->
+
+<!-- Device-Health-TamperProtectionEnabled-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Health-TamperProtectionEnabled-Editable-End -->
+
+<!-- Device-Health-TamperProtectionEnabled-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get |
+<!-- Device-Health-TamperProtectionEnabled-DFProperties-End -->
+
+<!-- Device-Health-TamperProtectionEnabled-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Health-TamperProtectionEnabled-Examples-End -->
+
+<!-- Device-Health-TamperProtectionEnabled-End -->
+
+<!-- Device-OfflineScan-Begin -->
+## OfflineScan
+
+<!-- Device-OfflineScan-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- Device-OfflineScan-Applicability-End -->
+
+<!-- Device-OfflineScan-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/OfflineScan
+```
+<!-- Device-OfflineScan-OmaUri-End -->
+
+<!-- Device-OfflineScan-Description-Begin -->
+OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan.
+<!-- Device-OfflineScan-Description-End -->
+
+<!-- Device-OfflineScan-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-OfflineScan-Editable-End -->
+
+<!-- Device-OfflineScan-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Exec, Get |
+| Reboot Behavior | ServerInitiated |
+<!-- Device-OfflineScan-DFProperties-End -->
+
+<!-- Device-OfflineScan-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-OfflineScan-Examples-End -->
+
+<!-- Device-OfflineScan-End -->
+
+<!-- Device-RollbackEngine-Begin -->
+## RollbackEngine
+
+<!-- Device-RollbackEngine-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- Device-RollbackEngine-Applicability-End -->
+
+<!-- Device-RollbackEngine-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/RollbackEngine
+```
+<!-- Device-RollbackEngine-OmaUri-End -->
+
+<!-- Device-RollbackEngine-Description-Begin -->
+RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command.
+<!-- Device-RollbackEngine-Description-End -->
+
+<!-- Device-RollbackEngine-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-RollbackEngine-Editable-End -->
+
+<!-- Device-RollbackEngine-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Exec, Get |
+| Reboot Behavior | ServerInitiated |
+<!-- Device-RollbackEngine-DFProperties-End -->
+
+<!-- Device-RollbackEngine-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-RollbackEngine-Examples-End -->
+
+<!-- Device-RollbackEngine-End -->
+
+<!-- Device-RollbackPlatform-Begin -->
+## RollbackPlatform
+
+<!-- Device-RollbackPlatform-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- Device-RollbackPlatform-Applicability-End -->
+
+<!-- Device-RollbackPlatform-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/RollbackPlatform
+```
+<!-- Device-RollbackPlatform-OmaUri-End -->
+
+<!-- Device-RollbackPlatform-Description-Begin -->
+RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command.
+<!-- Device-RollbackPlatform-Description-End -->
+
+<!-- Device-RollbackPlatform-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-RollbackPlatform-Editable-End -->
+
+<!-- Device-RollbackPlatform-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Exec, Get |
+| Reboot Behavior | ServerInitiated |
+<!-- Device-RollbackPlatform-DFProperties-End -->
+
+<!-- Device-RollbackPlatform-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-RollbackPlatform-Examples-End -->
+
+<!-- Device-RollbackPlatform-End -->
+
+<!-- Device-Scan-Begin -->
+## Scan
+
+<!-- Device-Scan-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-Scan-Applicability-End -->
+
+<!-- Device-Scan-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/Scan
+```
+<!-- Device-Scan-OmaUri-End -->
+
+<!-- Device-Scan-Description-Begin -->
 Node that can be used to start a Windows Defender scan on a device.
+<!-- Device-Scan-Description-End -->
 
-Valid values are:
-- 1 - quick scan
-- 2 - full scan
+<!-- Device-Scan-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Scan-Editable-End -->
 
-Supported operations are Get and Execute.
+<!-- Device-Scan-DFProperties-Begin -->
+**Description framework properties**:
 
-<a href="" id="updatesignature"></a>**UpdateSignature**
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Exec, Get |
+<!-- Device-Scan-DFProperties-End -->
+
+<!-- Device-Scan-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | quick scan |
+| 2 | full scan |
+<!-- Device-Scan-AllowedValues-End -->
+
+<!-- Device-Scan-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Scan-Examples-End -->
+
+<!-- Device-Scan-End -->
+
+<!-- Device-UpdateSignature-Begin -->
+## UpdateSignature
+
+<!-- Device-UpdateSignature-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later |
+<!-- Device-UpdateSignature-Applicability-End -->
+
+<!-- Device-UpdateSignature-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Defender/UpdateSignature
+```
+<!-- Device-UpdateSignature-OmaUri-End -->
+
+<!-- Device-UpdateSignature-Description-Begin -->
 Node that can be used to perform signature updates for Windows Defender.
+<!-- Device-UpdateSignature-Description-End -->
 
-Supported operations are Get and Execute.
+<!-- Device-UpdateSignature-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-UpdateSignature-Editable-End -->
 
-<a href="" id="offlinescan"></a>**OfflineScan**
-Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan.
+<!-- Device-UpdateSignature-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operations are Get and Execute.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Exec, Get |
+<!-- Device-UpdateSignature-DFProperties-End -->
 
-## See also
+<!-- Device-UpdateSignature-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-UpdateSignature-Examples-End -->
 
-[Configuration service provider reference](index.yml)
+<!-- Device-UpdateSignature-End -->
+
+<!-- Defender-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Defender-CspMoreInfo-End -->
+
+<!-- Defender-End -->
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index b7851e330b..661c491b22 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,35 +1,748 @@
 ---
 title: Defender DDF file
-description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used.
-ms.reviewer:
+description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: vinaypamnani-msft
+ms.date: 11/02/2022
 ms.localizationpriority: medium
-ms.date: 07/23/2021
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
 # Defender DDF file
 
-This article shows the OMA DM device description framework (DDF) for the Defender configuration service provider. DDF files are used only with OMA DM provisioning XML.
-
-Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md).
-
-The XML below is the current version for this CSP.
+The following XML file contains the device description framework (DDF) for the Defender configuration service provider.
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
-  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
-  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN" "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
 <MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
   <VerDTD>1.2</VerDTD>
+  <MSFT:Diagnostics>
+  </MSFT:Diagnostics>
+  <Node>
+    <NodeName>Defender</NodeName>
+    <Path>./Device/Vendor/MSFT</Path>
+    <DFProperties>
+      <AccessType>
+        <Get />
+      </AccessType>
+      <DFFormat>
+        <node />
+      </DFFormat>
+      <Occurrence>
+        <One />
+      </Occurrence>
+      <Scope>
+        <Permanent />
+      </Scope>
+      <DFType>
+        <MIME />
+      </DFType>
+      <MSFT:Applicability>
+        <MSFT:OsBuildVersion>10.0.10586</MSFT:OsBuildVersion>
+        <MSFT:CspVersion>1.0</MSFT:CspVersion>
+        <MSFT:EditionAllowList>0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;</MSFT:EditionAllowList>
+      </MSFT:Applicability>
+    </DFProperties>
+    <Node>
+      <NodeName>Detections</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>An interior node to group all threats detected by Windows Defender.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
       <Node>
-        <NodeName>Defender</NodeName>
-        <Path>./Vendor/MSFT</Path>
+        <NodeName>
+        </NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>The ID of a threat that has been detected by Windows Defender.</Description>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <ZeroOrMore />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFTitle>ThreatId</DFTitle>
+          <DFType>
+            <DDFName />
+          </DFType>
+          <MSFT:DynamicNodeNaming>
+            <MSFT:ClientInventory />
+          </MSFT:DynamicNodeNaming>
+        </DFProperties>
+        <Node>
+          <NodeName>Name</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>The name of the specific threat.</Description>
+            <DFFormat>
+              <chr />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>URL</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>URL link for additional threat information.</Description>
+            <DFFormat>
+              <chr />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>Severity</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Threat severity ID. The following list shows the supported values: 0 = Unknown; 1 = Low; 2 = Moderate; 4 = High; 5 = Severe; </Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>Category</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Threat category ID.  Supported values: 0-Invalid; 1-Adware; 2-Spyware; 3-Password stealer; 4-Trojan downloader; 5-Worm; 6-Backdoor; 7-Remote access Trojan; 8-Trojan; 9-Email flooder; 10-Keylogger; 11-Dialer; 12-Monitoring software; 13-Browser modifier; 14-Cookie; 15-Browser plugin; 16-AOL exploit; 17-Nuker; 18-Security disabler; 19-Joke program; 20-Hostile ActiveX control; 21-Software bundler; 22-Stealth modifier; 23-Settings modifier; 24-Toolbar; 25-Remote control software; 26-Trojan FTP; 27-Potential unwanted software; 28-ICQ exploit; 29-Trojan telnet; 30-Exploit; 31-File sharing program; 32-Malware creation tool; 33-Remote control software; 34-Tool; 36-Trojan denial of service; 37-Trojan dropper; 38-Trojan mass mailer; 39-Trojan monitoring software; 40-Trojan proxy server; 42-Virus; 43-Known; 44-Unknown; 45-SPP; 46-Behavior; 47-Vulnerability; 48-Policy; 49-EUS (Enterprise Unwanted Software); 50-Ransomware; 51-ASR Rule</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>CurrentStatus</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Information about the current status of the threat. The following list shows the supported values: 0 = Active; 1 = Action failed; 2 = Manual steps required; 3 = Full scan required; 4 = Reboot required; 5 = Remediated with noncritical failures; 6 = Quarantined; 7 = Removed; 8 = Cleaned; 9 = Allowed; 10 = No Status ( Cleared)</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>ExecutionStatus</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Information about the execution status of the threat.</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>InitialDetectionTime</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>The first time this particular threat was detected.</Description>
+            <DFFormat>
+              <chr />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>LastThreatStatusChangeTime</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>The last time this particular threat was changed.</Description>
+            <DFFormat>
+              <chr />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+        <Node>
+          <NodeName>NumberOfDetections</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+            </AccessType>
+            <Description>Number of times this threat has been detected on a particular client.</Description>
+            <DFFormat>
+              <int />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Dynamic />
+            </Scope>
+            <DFType>
+              <MIME />
+            </DFType>
+          </DFProperties>
+        </Node>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>Health</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>An interior node to group information about Windows Defender health status.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Dynamic />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+      </DFProperties>
+      <Node>
+        <NodeName>ProductStatus</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description><![CDATA[Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Supported product status values: No status = 0; Service not running = 1 << 0; Service started without any malware protection engine = 1 << 1; Pending full scan due to threat action = 1 << 2; Pending reboot due to threat action = 1 << 3; ending manual steps due to threat action = 1 << 4; AV signatures out of date = 1 << 5; AS signatures out of date = 1 << 6; No quick scan has happened for a specified period = 1 << 7; No full scan has happened for a specified period = 1 << 8; System initiated scan in progress = 1 << 9; System initiated clean in progress = 1 << 10; There are samples pending submission = 1 << 11; Product running in evaluation mode = 1 << 12; Product running in non-genuine Windows mode = 1 << 13; Product expired = 1 << 14; Off-line scan required = 1 << 15; Service is shutting down as part of system shutdown = 1 << 16; Threat remediation failed critically = 1 << 17; Threat remediation failed non-critically = 1 << 18; No status flags set (well initialized state) = 1 << 19; Platform is out of date = 1 << 20; Platform update is in progress = 1 << 21; Platform is about to be outdated = 1 << 22; Signature or platform end of life is past or is impending = 1 << 23; Windows SMode signatures still in use on non-Win10S install = 1 << 24]]></Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.2</MSFT:CspVersion>
+          </MSFT:Applicability>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>ComputerState</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Provide the current state of the device. The following list shows the supported values: 0 = Clean; 1 = Pending full scan; 2 = Pending reboot; 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan); 8 = Pending offline scan; 16 = Pending critical failure (Windows Defender has failed critically and an Administrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DefenderEnabled</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether the Windows Defender service is running.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>RtpEnabled</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether real-time protection is running.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>NisEnabled</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether network protection is running.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>QuickScanOverdue</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether a Windows Defender quick scan is overdue for the device. A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and catchup Quick scans are disabled (default).</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>FullScanOverdue</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether a Windows Defender full scan is overdue for the device. A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and catchup Full scans are disabled (default).</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>SignatureOutOfDate</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether the Windows Defender signature is outdated.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>RebootRequired</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether a device reboot is needed.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>FullScanRequired</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether a Windows Defender full scan is required.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>EngineVersion</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Version number of the current Windows Defender engine on the device.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>SignatureVersion</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Version number of the current Windows Defender signatures on the device.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DefenderVersion</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Version number of Windows Defender on the device.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>QuickScanTime</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Time of the last Windows Defender quick scan of the device.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>FullScanTime</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Time of the last Windows Defender full scan of the device.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>QuickScanSigVersion</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Signature version used for the last quick scan of the device.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>FullScanSigVersion</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Signature version used for the last full scan of the device.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>TamperProtectionEnabled</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether the Windows Defender tamper protection feature is enabled.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>IsVirtualMachine</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <Description>Indicates whether the device is a virtual machine.</Description>
+          <DFFormat>
+            <bool />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+        </DFProperties>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>Configuration</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Get />
+        </AccessType>
+        <Description>An interior node to group Windows Defender configuration information.</Description>
+        <DFFormat>
+          <node />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <DDFName />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.18362</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>1.3</MSFT:CspVersion>
+        </MSFT:Applicability>
+      </DFProperties>
+      <Node>
+        <NodeName>DeviceControl</NodeName>
         <DFProperties>
           <AccessType>
             <Get />
@@ -41,14 +754,18 @@ The XML below is the current version for this CSP.
             <One />
           </Occurrence>
           <Scope>
-            <Permanent />
+            <Dynamic />
           </Scope>
           <DFType>
-            <MIME>com.microsoft/1.3/MDM/Defender</MIME>
+            <DDFName />
           </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
         </DFProperties>
         <Node>
-          <NodeName>Detections</NodeName>
+          <NodeName>PolicyGroups</NodeName>
           <DFProperties>
             <AccessType>
               <Get />
@@ -63,14 +780,18 @@ The XML below is the current version for this CSP.
               <Dynamic />
             </Scope>
             <DFType>
-              <DDFName></DDFName>
+              <DDFName />
             </DFType>
           </DFProperties>
           <Node>
-            <NodeName></NodeName>
+            <NodeName>
+            </NodeName>
             <DFProperties>
               <AccessType>
+                <Add />
+                <Delete />
                 <Get />
+                <Replace />
               </AccessType>
               <DFFormat>
                 <node />
@@ -81,16 +802,19 @@ The XML below is the current version for this CSP.
               <Scope>
                 <Dynamic />
               </Scope>
-              <DFTitle>ThreatId</DFTitle>
+              <DFTitle>GroupId</DFTitle>
               <DFType>
-                <DDFName></DDFName>
+                <DDFName />
               </DFType>
             </DFProperties>
             <Node>
-              <NodeName>Name</NodeName>
+              <NodeName>GroupData</NodeName>
               <DFProperties>
                 <AccessType>
+                  <Add />
+                  <Delete />
                   <Get />
+                  <Replace />
                 </AccessType>
                 <DFFormat>
                   <chr />
@@ -102,174 +826,14 @@ The XML below is the current version for this CSP.
                   <Dynamic />
                 </Scope>
                 <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>URL</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <chr />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>Severity</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <int />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>Category</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <int />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>CurrentStatus</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <int />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>ExecutionStatus</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <int />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>InitialDetectionTime</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <chr />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>LastThreatStatusChangeTime</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <chr />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
-                </DFType>
-              </DFProperties>
-            </Node>
-            <Node>
-              <NodeName>NumberOfDetections</NodeName>
-              <DFProperties>
-                <AccessType>
-                  <Get />
-                </AccessType>
-                <DFFormat>
-                  <int />
-                </DFFormat>
-                <Occurrence>
-                  <One />
-                </Occurrence>
-                <Scope>
-                  <Dynamic />
-                </Scope>
-                <DFType>
-                  <MIME>text/plain</MIME>
+                  <MIME />
                 </DFType>
               </DFProperties>
             </Node>
           </Node>
         </Node>
         <Node>
-          <NodeName>Health</NodeName>
+          <NodeName>PolicyRules</NodeName>
           <DFProperties>
             <AccessType>
               <Get />
@@ -284,480 +848,61 @@ The XML below is the current version for this CSP.
               <Dynamic />
             </Scope>
             <DFType>
-              <DDFName></DDFName>
+              <DDFName />
             </DFType>
           </DFProperties>
           <Node>
-            <NodeName>ProductStatus</NodeName>
+            <NodeName>
+            </NodeName>
             <DFProperties>
               <AccessType>
+                <Add />
+                <Delete />
                 <Get />
+                <Replace />
               </AccessType>
               <DFFormat>
-                <int />
+                <node />
               </DFFormat>
               <Occurrence>
-                <One />
+                <ZeroOrMore />
               </Occurrence>
               <Scope>
                 <Dynamic />
               </Scope>
+              <DFTitle>RuleId</DFTitle>
               <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>ComputerState</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>DefenderEnabled</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>RtpEnabled</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>NisEnabled</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>QuickScanOverdue</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>FullScanOverdue</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>SignatureOutOfDate</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>RebootRequired</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>FullScanRequired</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>EngineVersion</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>SignatureVersion</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>DefenderVersion</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>QuickScanTime</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>FullScanTime</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>QuickScanSigVersion</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>FullScanSigVersion</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>TamperProtectionEnabled</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>IsVirtualMachine</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-              </AccessType>
-              <DFFormat>
-                <bool />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
+                <DDFName />
               </DFType>
             </DFProperties>
+            <Node>
+              <NodeName>RuleData</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                  <Delete />
+                  <Get />
+                  <Replace />
+                </AccessType>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME />
+                </DFType>
+              </DFProperties>
+            </Node>
           </Node>
         </Node>
-        <Node>
-          <NodeName>Configuration</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Get />
-            </AccessType>
-            <DFFormat>
-              <node />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <DDFName></DDFName>
-            </DFType>
-          </DFProperties>
-          <Node>
-            <NodeName>TamperProtection</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-                <Add />
-                <Delete />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>EnableFileHashComputation</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-                <Add />
-                <Delete />
-              </AccessType>
-              <DFFormat>
-                <int />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-            <NodeName>SupportLogLocation</NodeName>
-            <DFProperties>
-              <AccessType>
-                <Get />
-                <Replace />
-                <Add />
-                <Delete />
-              </AccessType>
-              <DFFormat>
-                <chr />
-              </DFFormat>
-              <Occurrence>
-                <One />
-              </Occurrence>
-              <Scope>
-                <Dynamic />
-              </Scope>
-              <DFType>
-                <MIME>text/plain</MIME>
-              </DFType>
-            </DFProperties>
-          </Node>
-          <Node>
-        <NodeName>DisableGradualRelease</NodeName>
+      </Node>
+      <Node>
+        <NodeName>TamperProtection</NodeName>
         <DFProperties>
           <AccessType>
             <Add />
@@ -765,7 +910,34 @@ The XML below is the current version for this CSP.
             <Get />
             <Replace />
           </AccessType>
-          <Description>Enable this policy to disable gradual rollout of Defender updates.</Description>
+          <Description>Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. The data type is a Signed blob.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>EnableFileHashComputation</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans.</Description>
           <DFFormat>
             <int />
           </DFFormat>
@@ -776,26 +948,22 @@ The XML below is the current version for this CSP.
             <Dynamic />
           </Scope>
           <DFType>
-            <MIME>text/plain</MIME>
+            <MIME />
           </DFType>
-          <Applicability>
-            <OsBuildVersion>99.9.99999</OsBuildVersion>
-            <CspVersion>1.3</CspVersion>
-          </Applicability>
-          <AllowedValues ValueType="ENUM">
-            <Enum>
-              <Value>1</Value>
-              <ValueDescription>Gradual release is disabled</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>0</Value>
-              <ValueDescription>Gradual release is enabled</ValueDescription>
-            </Enum>
-          </AllowedValues>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Disable</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Enable</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
         </DFProperties>
       </Node>
-           <Node>
-        <NodeName>DefinitionUpdatesChannel</NodeName>
+      <Node>
+        <NodeName>MeteredConnectionUpdates</NodeName>
         <DFProperties>
           <AccessType>
             <Add />
@@ -803,7 +971,8 @@ The XML below is the current version for this CSP.
             <Get />
             <Replace />
           </AccessType>
-          <Description>Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.</Description>
+          <DefaultValue>0</DefaultValue>
+          <Description>Allow managed devices to update through metered connections. Default is 0 - not allowed, 1 - allowed</Description>
           <DFFormat>
             <int />
           </DFFormat>
@@ -814,30 +983,25 @@ The XML below is the current version for this CSP.
             <Dynamic />
           </Scope>
           <DFType>
-            <MIME>text/plain</MIME>
+            <MIME />
           </DFType>
-          <Applicability>
-            <OsBuildVersion>99.9.99999</OsBuildVersion>
-            <CspVersion>1.3</CspVersion>
-          </Applicability>
-          <AllowedValues ValueType="ENUM">
-            <Enum>
-              <Value>0</Value>
-              <ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>4</Value>
-              <ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>5</Value>
-              <ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
-            </Enum>
-          </AllowedValues>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Allowed</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Not Allowed</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
         </DFProperties>
       </Node>
-          <Node>
-        <NodeName>EngineUpdatesChannel</NodeName>
+      <Node>
+        <NodeName>SupportLogLocation</NodeName>
         <DFProperties>
           <AccessType>
             <Add />
@@ -845,7 +1009,38 @@ The XML below is the current version for this CSP.
             <Get />
             <Replace />
           </AccessType>
-          <Description>Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.</Description>
+          <Description>The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>9.9</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>AllowNetworkProtectionOnWinServer</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>1</DefaultValue>
+          <Description>This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.</Description>
           <DFFormat>
             <int />
           </DFFormat>
@@ -856,37 +1051,399 @@ The XML below is the current version for this CSP.
             <Dynamic />
           </Scope>
           <DFType>
-            <MIME>text/plain</MIME>
+            <MIME />
           </DFType>
-          <Applicability>
-            <OsBuildVersion>99.9.99999</OsBuildVersion>
-            <CspVersion>1.3</CspVersion>
-          </Applicability>
-          <AllowedValues ValueType="ENUM">
-            <Enum>
-              <Value>0</Value>
-              <ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>2</Value>
-              <ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>3</Value>
-              <ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>4</Value>
-              <ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>5</Value>
-              <ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
-            </Enum>
-          </AllowedValues>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Allow</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Disallow</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
         </DFProperties>
       </Node>
-          <Node>
+      <Node>
+        <NodeName>ExcludedIpAddresses</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This node contains a list of values specifying any IP addresses that wdnisdrv will ignore when intercepting traffic.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="None">
+            <MSFT:List Delimiter="|" />
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableCpuThrottleOnIdleScans</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>1</DefaultValue>
+          <Description>Indicates whether the CPU will be throttled for scheduled scans while the device is idle.  This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Disable CPU Throttle on idle scans</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Enable CPU Throttle on idle scans</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableLocalAdminMerge</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>When this value is set to false, it allows a local admin the ability to specify some settings for complex list type that will then merge /override the Preference settings with the Policy settings</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Disable Local Admin Merge</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Enable Local Admin Merge</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>SchedulerRandomizationTime</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>4</DefaultValue>
+          <Description>This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. For more information on the randomization effect please check the RandomizeScheduleTaskTimes setting.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="Range">
+            <MSFT:Value>[1-23]</MSFT:Value>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableTlsParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting disables TLS Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>TLS parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>TLS parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableFtpParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting disables FTP Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>FTP parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>FTP parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableHttpParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting disables HTTP Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>HTTP parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>HTTP parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableDnsParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting disables DNS Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>DNS parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>DNS parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableDnsOverTcpParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting disables DNS over TCP Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>DNS over TCP parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>DNS over TCP parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableSshParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This setting disables SSH Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>SSH parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>SSH parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
         <NodeName>PlatformUpdatesChannel</NodeName>
         <DFProperties>
           <AccessType>
@@ -906,104 +1463,966 @@ The XML below is the current version for this CSP.
             <Dynamic />
           </Scope>
           <DFType>
-            <MIME>text/plain</MIME>
+            <MIME />
           </DFType>
-          <Applicability>
-            <OsBuildVersion>99.9.99999</OsBuildVersion>
-            <CspVersion>1.3</CspVersion>
-          </Applicability>
-          <AllowedValues ValueType="ENUM">
-            <Enum>
-              <Value>0</Value>
-              <ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>2</Value>
-              <ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>3</Value>
-              <ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>4</Value>
-              <ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</ValueDescription>
-            </Enum>
-            <Enum>
-              <Value>5</Value>
-              <ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</ValueDescription>
-            </Enum>
-          </AllowedValues>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>2</MSFT:Value>
+              <MSFT:ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>3</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>4</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>5</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>6</MSFT:Value>
+              <MSFT:ValueDescription>Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
         </DFProperties>
       </Node>
-        </Node>
-        <Node>
-          <NodeName>Scan</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Exec />
-              <Get />
-            </AccessType>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>UpdateSignature</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Exec />
-              <Get />
-            </AccessType>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-          </DFProperties>
-        </Node>
-        <Node>
-          <NodeName>OfflineScan</NodeName>
-          <DFProperties>
-            <AccessType>
-              <Exec />
-              <Get />
-            </AccessType>
-            <DFFormat>
-              <chr />
-            </DFFormat>
-            <Occurrence>
-              <One />
-            </Occurrence>
-            <Scope>
-              <Permanent />
-            </Scope>
-            <DFType>
-              <MIME>text/plain</MIME>
-            </DFType>
-          </DFProperties>
-        </Node>
+      <Node>
+        <NodeName>EngineUpdatesChannel</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>2</MSFT:Value>
+              <MSFT:ValueDescription>Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>3</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>4</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>5</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>6</MSFT:Value>
+              <MSFT:ValueDescription>Critical - Time delay: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
       </Node>
+      <Node>
+        <NodeName>SecurityIntelligenceUpdatesChannel</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>4</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>5</MSFT:Value>
+              <MSFT:ValueDescription>Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableGradualRelease</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Enable this policy to disable gradual rollout of Defender updates.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Gradual release is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Gradual release is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>AllowNetworkProtectionDownLevel</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This settings controls whether Network Protection is allowed to be configured into block or audit mode on windows downlevel of RS3. If false, the value of EnableNetworkProtection will be ignored.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Network protection will be enabled downlevel.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Network protection will be disabled downlevel.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>EnableDnsSinkhole</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This setting enables the DNS Sinkhole feature for Network Protection, respecting the value of EnableNetworkProtection for block vs audit, does nothing in inspect mode.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>DNS Sinkhole is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>DNS Sinkhole is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableInboundConnectionFiltering</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This setting disables Inbound connection filtering for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Inbound connection filtering is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Inbound connection filtering is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableRdpParsing</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This setting disables RDP Parsing for Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>RDP Parsing is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>RDP Parsing is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>AllowDatagramProcessingOnWinServer</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This settings controls whether Network Protection is allowed to enable datagram processing on Windows Server. If false, the value of DisableDatagramProcessing will be ignored and default to disabling Datagram inspection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Datagram processing on Windows Server is enabled.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Datagram processing on Windows Server is disabled.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DisableNetworkProtectionPerfTelemetry</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This setting disables the gathering and send of performance telemetry from Network Protection.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Network protection telemetry is disabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Network protection telemetry is enabled</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>HideExclusionsFromLocalAdmins</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>This policy setting controls whether or not exclusions are visible to local admins.  For end users (that are not local admins) exclusions are not visible, whether or not this setting is enabled.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>ThrottleForScheduledScanOnly</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>1</DefaultValue>
+          <Description>A CPU usage limit can be applied to scheduled scans only, or to scheduled and custom scans. The default value applies a CPU usage limit to scheduled scans only.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>If you enable this setting, CPU throttling will apply only to scheduled scans.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>If you disable this setting, CPU throttling will apply to scheduled and custom scans.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>ASROnlyPerRuleExclusions</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Apply ASR only per rule exclusions.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.16299</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DataDuplicationDirectory</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Define data duplication directory for device control.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DataDuplicationRemoteLocation</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Define data duplication remote location for device control.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DeviceControlEnabled</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Control Device Control feature.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>
+              </MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>
+              </MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>DefaultEnforcement</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Control Device Control default enforcement. This is the enforcement applied if there are no policy rules present or at the end of the policy rules evaluation none were matched.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.17763</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Default Allow Enforcement</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>2</MSFT:Value>
+              <MSFT:ValueDescription>Default Deny Enforcement</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>PassiveRemediation</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Setting to control automatic remediation for Sense scans.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="Flag">
+            <MSFT:Enum>
+              <MSFT:Value>0x1</MSFT:Value>
+              <MSFT:ValueDescription>PASSIVE_REMEDIATION_FLAG_SENSE_AUTO_REMEDIATION: Passive Remediation Sense AutoRemediation</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0x2</MSFT:Value>
+              <MSFT:ValueDescription>PASSIVE_REMEDIATION_FLAG_RTP_AUDIT: Passive Remediation Realtime Protection Audit</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>0x4</MSFT:Value>
+              <MSFT:ValueDescription>PASSIVE_REMEDIATION_FLAG_RTP_REMEDIATION: Passive Remediation Realtime Protection Remediation</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>PauseUpdateStartTime</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Pause update from the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>PauseUpdateExpirationTime</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Pause update until the UTC time in ISO string format without milliseconds, for example, 2022-02-24T00:03:59Z.</Description>
+          <DFFormat>
+            <chr />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="None">
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>PauseUpdateFlag</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <Description>Setting to control automatic remediation for Sense scans.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>Update not paused</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>1</MSFT:Value>
+              <MSFT:ValueDescription>Update paused</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+      <Node>
+        <NodeName>TDTFeatureEnabled</NodeName>
+        <DFProperties>
+          <AccessType>
+            <Add />
+            <Delete />
+            <Get />
+            <Replace />
+          </AccessType>
+          <DefaultValue>0</DefaultValue>
+          <Description>This policy setting configures the integration level for Intel TDT integration for Intel TDT-capable devices.</Description>
+          <DFFormat>
+            <int />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Dynamic />
+          </Scope>
+          <DFType>
+            <MIME />
+          </DFType>
+          <MSFT:Applicability>
+            <MSFT:OsBuildVersion>10.0.19041</MSFT:OsBuildVersion>
+            <MSFT:CspVersion>1.3</MSFT:CspVersion>
+          </MSFT:Applicability>
+          <MSFT:AllowedValues ValueType="ENUM">
+            <MSFT:Enum>
+              <MSFT:Value>0</MSFT:Value>
+              <MSFT:ValueDescription>If you do not configure this setting, the default value will be applied. The default value is set to control by signatures. TDT will be enabled based on particular signatures that are released by Microsoft.</MSFT:ValueDescription>
+            </MSFT:Enum>
+            <MSFT:Enum>
+              <MSFT:Value>2</MSFT:Value>
+              <MSFT:ValueDescription>If you configure this setting to disabled, Intel TDT integration will be turned off.</MSFT:ValueDescription>
+            </MSFT:Enum>
+          </MSFT:AllowedValues>
+        </DFProperties>
+      </Node>
+    </Node>
+    <Node>
+      <NodeName>Scan</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Exec />
+          <Get />
+        </AccessType>
+        <Description>Node that can be used to start a Windows Defender scan on a device.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:AllowedValues ValueType="ENUM">
+          <MSFT:Enum>
+            <MSFT:Value>1</MSFT:Value>
+            <MSFT:ValueDescription>quick scan</MSFT:ValueDescription>
+          </MSFT:Enum>
+          <MSFT:Enum>
+            <MSFT:Value>2</MSFT:Value>
+            <MSFT:ValueDescription>full scan</MSFT:ValueDescription>
+          </MSFT:Enum>
+        </MSFT:AllowedValues>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>UpdateSignature</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Exec />
+          <Get />
+        </AccessType>
+        <Description>Node that can be used to perform signature updates for Windows Defender.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>OfflineScan</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Exec />
+          <Get />
+        </AccessType>
+        <Description>OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.17134</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>1.1</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:RebootBehavior>ServerInitiated</MSFT:RebootBehavior>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RollbackPlatform</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Exec />
+          <Get />
+        </AccessType>
+        <Description>RollbackPlatform action rolls back Microsoft Defender to it's last known good installation location on the computer where you run the command.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.17134</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>1.1</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:RebootBehavior>ServerInitiated</MSFT:RebootBehavior>
+      </DFProperties>
+    </Node>
+    <Node>
+      <NodeName>RollbackEngine</NodeName>
+      <DFProperties>
+        <AccessType>
+          <Exec />
+          <Get />
+        </AccessType>
+        <Description>RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command.</Description>
+        <DFFormat>
+          <chr />
+        </DFFormat>
+        <Occurrence>
+          <One />
+        </Occurrence>
+        <Scope>
+          <Permanent />
+        </Scope>
+        <DFType>
+          <MIME />
+        </DFType>
+        <MSFT:Applicability>
+          <MSFT:OsBuildVersion>10.0.17134</MSFT:OsBuildVersion>
+          <MSFT:CspVersion>1.1</MSFT:CspVersion>
+        </MSFT:Applicability>
+        <MSFT:RebootBehavior>ServerInitiated</MSFT:RebootBehavior>
+      </DFProperties>
+    </Node>
+  </Node>
 </MgmtTree>
 ```
 
-## See also
+## Related articles
 
-[Defender configuration service provider](defender-csp.md)
+[Defender configuration service provider reference](defender-csp.md)
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index cf12739b69..ac1777a84f 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DevDetail CSP
 description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/27/2020
 ---
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index d19d909f71..701008751e 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: DevDetail DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/03/2020
 ---
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 033ace2ec0..56d85eb234 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DeveloperSetup CSP
 description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2018
 ---
diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md
index 1b7d9de267..5194793e17 100644
--- a/windows/client-management/mdm/developersetup-ddf.md
+++ b/windows/client-management/mdm/developersetup-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: DeveloperSetup DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index 054ebc1774..b10bd93a62 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DeviceLock CSP
 description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md
index e206a5b29e..a7baeea8fe 100644
--- a/windows/client-management/mdm/devicelock-ddf-file.md
+++ b/windows/client-management/mdm/devicelock-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: DeviceLock DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 70340fe1a6..ba8c8543ab 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DeviceManageability CSP
 description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/01/2017
 ---
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md
index 5200da534c..8854d21cfc 100644
--- a/windows/client-management/mdm/devicemanageability-ddf.md
+++ b/windows/client-management/mdm/devicemanageability-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: DeviceManageability DDF
 description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 4d74896075..0f4c3a631c 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DeviceStatus CSP
 description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/25/2021
 ---
diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md
index a13d8ad0e9..758d3d324d 100644
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: DeviceStatus DDF
 description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/12/2018
 ---
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index 0ed5356c9d..eeef8c18ab 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DevInfo CSP
 description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index 98492f8b3f..dca49363e3 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: DevInfo DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 8924241e4d..7f88c701b6 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DiagnosticLog CSP
 description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/19/2019
 ---
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 05a0e4d332..a268523ce4 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: DiagnosticLog DDF
-description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP).
-ms.reviewer:
+description: Learn about the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP).
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index 8218509c6f..aa91c7caf5 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DMAcc CSP
 description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index 2d0f472a36..f2d4b6a20f 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: DMAcc DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 6013c649ce..a1d4415f08 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,12 +1,12 @@
 ---
 title: DMClient CSP
 description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/01/2017
 ---
@@ -484,7 +484,7 @@ Support operation is Exec.
 <a href="" id="provider-providerid-linkedenrollment-enrollstatus"></a>**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus**
 
 This node can be used to check both enroll and unenroll statuses.
-This will return the enroll action status and is defined as a enum class LinkedEnrollmentStatus. The values are aas follows:
+This will return the enroll action status and is defined as an enum class LinkedEnrollmentStatus. The values are as follows:
 
 - Undefined = 0
 - EnrollmentNotStarted = 1
@@ -502,7 +502,7 @@ This specifies the Hresult to report the enrollment/unenroll results.
 
 <a href="" id="provider-providerid-recovery-allowrecovery"></a>**Provider/*ProviderID*/Recovery/AllowRecovery**
 
-This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate.
+This node determines whether or not the client will automatically initiate an MDM Recovery operation when it detects issues with the MDM certificate.
 
 Supported operations are Get, Add, Replace and Delete.
 
@@ -540,7 +540,10 @@ Optional. This node specifies maximum number of concurrent user sync sessions in
 
 The default value is dynamically decided by the client based on CPU usage.
 
-The values are : 0= none, 1= sequential, anything else=  parallel.
+The values are as follows: 
+0 = none 
+1 = sequential
+anything else = parallel
 
 Supported operations are Get, Add, Replace and Delete.
 
@@ -552,7 +555,10 @@ Optional. This node specifies maximum number of concurrent user sync sessions at
 
 The default value is dynamically decided by the client based on CPU usage.
 
-The values are : 0= none, 1= sequential, anything else= parallel.
+The values are as follows: 
+0 = none
+1 = sequential
+anything else = parallel.
 
 Supported operations are Get, Add, Replace and Delete.
 
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 83705437e0..4f66124b30 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: DMClient DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index 7d1f209458..b7d129f30a 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -3,11 +3,11 @@ title: DMSessionActions CSP
 description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index c03dc36fde..bbf9287698 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -3,11 +3,11 @@ title: DMSessionActions DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index 26bf159871..241e6803a9 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -3,11 +3,11 @@ title: DynamicManagement CSP
 description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.collection: highpri
 ---
diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md
index 48ea1b01a8..e4b4235d51 100644
--- a/windows/client-management/mdm/dynamicmanagement-ddf.md
+++ b/windows/client-management/mdm/dynamicmanagement-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: DynamicManagement DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 6e067a0976..35f29d23a7 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -1,12 +1,12 @@
 ---
 title: EAP configuration
 description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index 0fc082236b..31d99fa377 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -1,12 +1,12 @@
 ---
 title: EMAIL2 CSP
 description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index 1543101a54..cda01b7a53 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: EMAIL2 DDF file
 description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index c607ed7015..a7cf76b52f 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -3,8 +3,8 @@ title: EnrollmentStatusTracking DDF
 description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 05/17/2019
 ---
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 59220928f8..01d414693b 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -3,8 +3,8 @@ title: EnrollmentStatusTracking CSP
 description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 05/21/2019
 ---
diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md
index ef1f136780..abbf2c055b 100644
--- a/windows/client-management/mdm/enterpriseapn-csp.md
+++ b/windows/client-management/mdm/enterpriseapn-csp.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseAPN CSP
 description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/22/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md
index e14b2947da..df2d42aa34 100644
--- a/windows/client-management/mdm/enterpriseapn-ddf.md
+++ b/windows/client-management/mdm/enterpriseapn-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseAPN DDF
 description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 46de6095eb..f283d78393 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -3,11 +3,11 @@ title: EnterpriseAppVManagement CSP
 description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
index 51705bf533..95e991df6b 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -3,11 +3,11 @@ title: EnterpriseAppVManagement DDF file
 description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 17adea149a..3a3a87afe4 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -2,12 +2,12 @@
 title: EnterpriseDataProtection CSP
 description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
 ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/09/2017
 ---
@@ -277,7 +277,7 @@ Specifies whether to allow Azure RMS encryption for Windows Information Protecti
 Supported operations are Add, Get, Replace, and Delete. Value type is integer.
 
 <a href="" id="settings-smbautoencryptedfileextensions"></a>**Settings/SMBAutoEncryptedFileExtensions**
-Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list.
+Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-csp-networkisolation.md) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-csp-networkisolation.md). Use semicolon (;) delimiter in the list.
 When this policy isn't specified, the existing auto-encryption behavior is applied.  When this policy is configured, only files with the extensions in the list will be encrypted.
 Supported operations are Add, Get, Replace and Delete. Value type is string.
 
diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
index da67ebd4ea..cde4878163 100644
--- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseDataProtection DDF file
 description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index ebd53f9de1..62e50eadd1 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -2,12 +2,12 @@
 title: EnterpriseDesktopAppManagement CSP
 description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
 ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/11/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
index 23261b8b07..0a13970546 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseDesktopAppManagement DDF
 description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
index e03181b4e0..7bdeb81114 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseDesktopAppManagement XSD
 description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index dfe544370c..534c2117a8 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseModernAppManagement CSP
 description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/19/2021
 ---
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index ba9430bc83..a7c599a149 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseModernAppManagement DDF
 description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/01/2019
 ---
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index c323934254..423e4752c9 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,12 +1,12 @@
 ---
 title: EnterpriseModernAppManagement XSD
 description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 5785014560..1d8c5255b7 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -3,11 +3,11 @@ title: eUICCs CSP
 description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, reassign, remove) subscriptions to employees.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/02/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index cab2efe2b9..a6de1b34ab 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: eUICCs DDF file
 description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/02/2018
 ---
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 7d3f2c7e1c..ae2d0aca3b 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -3,10 +3,10 @@ title: Firewall CSP
 description: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -25,8 +25,6 @@ The table below shows the applicability of Windows:
 
 The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device.  Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.  This CSP was added Windows 10, version 1709.
 
-The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device.  Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.  This CSP was added Windows 10, version 1709.
-
 Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively.
 
 For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac).
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index c31d769719..c270f2f6f9 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -3,11 +3,11 @@ title: Firewall DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Firewall configuration service provider.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index f4b7d29d2e..ef26f2ef61 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -1,14 +1,14 @@
 ---
 title: Device HealthAttestation CSP
 description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date:
+ms.date: 
 ---
 
 # Device HealthAttestation CSP
@@ -265,7 +265,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo
 
 ### MAA CSP Integration Steps
 
-1. Set up a MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal].
+1. Set up an MAA provider instance: MAA instance can be created following the steps at [Quickstart: Set up Azure Attestation by using the Azure portal](/azure/attestation/quickstart-portal).
 
 2. Update the provider with an appropriate policy: The MAA instance should be updated with an appropriate policy. For more information, see [How to author an Azure Attestation policy](/azure/attestation/claim-rule-grammar).
 
@@ -933,6 +933,16 @@ If DEPPolicy = 0 (Off), then take one of the following actions that align with y
 - Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
 - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
 
+DEP policy evaluation is a non binary status when queried. It is then mapped to an On/Off state.
+
+|DEP policy level |Description | Attestation reported level | Property value |
+|--------------|-----------|------------|-------------|
+|OptIn (default configuration) |Only Windows system components and services have DEP applied. | 0 | 2 |
+|OptOut |DEP is enabled for all processes. Administrators can manually create a list of specific applications that do not have DEP applied. | 1 | 3 |
+|AlwaysOn |DEP is enabled for all processess. | 3 | 1 |
+|AlwaysOff |DEP is not enabled for any process. | 2 | 0 |
+
+
 <a href="" id="bitlockerstatus"></a>**BitLockerStatus** (at boot time)
 
 When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index f0277343bb..74a707236c 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: HealthAttestation DDF
 description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml
index fe657489a9..d8bd8ed982 100644
--- a/windows/client-management/mdm/index.yml
+++ b/windows/client-management/mdm/index.yml
@@ -6,11 +6,10 @@ summary: Learn more about the configuration service provider (CSP) policies avai
 metadata:
   title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
-  ms.topic: landing-page # Required
-  services: windows-10
-  ms.prod: windows
+  ms.topic: landing-page
+  ms.technology: itpro-manage
+  ms.prod: windows-client
   ms.collection:
-    - windows-10
     - highpri
   ms.custom: intro-hub-or-landing
   author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index 9c383468c7..f5c69b2fcd 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -17,7 +17,7 @@ ms.date: 09/20/2022
 The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. This CSP was added in Windows 11 as of version 25145.
 
 > [!IMPORTANT]
-> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
+> Windows LAPS currently is available only in [Windows 11 Insider Preview Build 25145 and later](/windows-insider/flight-hub/#active-development-builds-of-windows-11). Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario.
 
 > [!TIP]
 > This article covers the specific technical details of the LAPS CSP.  For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
@@ -63,7 +63,7 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or
 |ResetPasswordStatus|Yes|Yes|
 
 > [!IMPORTANT]
-> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see the TBD reference on LAPS policy configuration.
+> Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
 
 ## ./Device/Vendor/MSFT/LAPS
 
diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md
index 5a830139c8..b5ba239a7a 100644
--- a/windows/client-management/mdm/laps-ddf-file.md
+++ b/windows/client-management/mdm/laps-ddf-file.md
@@ -3,8 +3,8 @@ title: LAPS DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Local Administrator Password Solution configuration service provider.
 ms.author: jsimmons
 ms.topic: article
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: jsimmons
 ms.localizationpriority: medium
 ms.date: 07/04/2022
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 27e3cb817b..dad200f3b6 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -3,11 +3,11 @@ title: MultiSIM CSP
 description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/22/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md
index 29365184f1..492326bc04 100644
--- a/windows/client-management/mdm/multisim-ddf.md
+++ b/windows/client-management/mdm/multisim-ddf.md
@@ -3,11 +3,11 @@ title: MultiSIM DDF file
 description: XML file containing the device description framework for the MultiSIM configuration service provider.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 02/27/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index fd5f01ba9a..95cd0ee469 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -1,12 +1,12 @@
 ---
 title: NAP CSP
 description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index e3f47e30a2..615e9f4a47 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -1,12 +1,12 @@
 ---
 title: NAPDEF CSP
 description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 8ad815d592..4be3316fbb 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -3,11 +3,11 @@ title: NetworkProxy CSP
 description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/29/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md
index 8ef88b427b..b83fb6eab6 100644
--- a/windows/client-management/mdm/networkproxy-ddf.md
+++ b/windows/client-management/mdm/networkproxy-ddf.md
@@ -3,11 +3,11 @@ title: NetworkProxy DDF file
 description: AppNetworkProxyLocker DDF file
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index ce6a3862cd..70a952ccd4 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -3,11 +3,11 @@ title: NetworkQoSPolicy CSP
 description: The NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 04/22/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -40,7 +40,7 @@ The following actions are supported:
 > - Azure AD Hybrid joined devices.
 > - Devices that use both GPO and CSP at the same time.
 >
-> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004.
+> The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703.
 
 The following example shows the NetworkQoSPolicy configuration service provider in tree format.
 ```
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index 34f6c9a409..f90310942f 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: NetworkQoSPolicy DDF
 description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index aee27d8d0c..b7fa0fbc34 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -1,12 +1,12 @@
 ---
 title: NodeCache CSP
 description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 041d0c0f48..f5f3d05408 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: NodeCache DDF file
 description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index fa96d98a49..ce956ea412 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -3,11 +3,11 @@ title: Office CSP
 description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/15/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index 6393664010..9dec2a31e2 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: Office DDF
 description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/15/2018
 ---
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index c88737941e..79b9684766 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -1,12 +1,12 @@
 ---
 title: PassportForWork CSP
 description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/19/2019
 ---
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index ac9a932661..9e511239d2 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: PassportForWork DDF
 description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/29/2019
 ---
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
index c7617394d0..c64e9f1290 100644
--- a/windows/client-management/mdm/personaldataencryption-csp.md
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -3,14 +3,13 @@ title: PersonalDataEncryption CSP
 description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices.
 ms.author: v-nsatapathy
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: nimishasatapathy
 ms.localizationpriority: medium
 ms.date: 09/12/2022
 ms.reviewer: 
 manager: dansimp
-ms.collection: highpri
 ---
 
 # PersonalDataEncryption CSP
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md
index 131ffd925b..8584167779 100644
--- a/windows/client-management/mdm/personaldataencryption-ddf-file.md
+++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md
@@ -3,12 +3,12 @@ title: PersonalDataEncryption DDF file
 description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider.
 ms.author: v-nsatapathy
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: nimishasatapathy
 ms.localizationpriority: medium
 ms.date: 09/10/2022
-ms.reviewer:
+ms.reviewer: 
 manager: dansimp
 ---
 
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index aa250f64aa..ac71d90716 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -3,11 +3,11 @@ title: Personalization CSP
 description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/28/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index f75f2e95aa..c3ec340d14 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -3,11 +3,11 @@ title: Personalization DDF file
 description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index 04c74309d3..0224b374cf 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -1,1913 +1,3028 @@
 ---
 title: ADMX-backed policies in Policy CSP
 description: Learn about the ADMX-backed policies in Policy CSP.
-ms.reviewer:
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: vinaypamnani-msft
+ms.date: 11/29/2022
 ms.localizationpriority: medium
-ms.date: 10/08/2020
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
 # ADMX-backed policies in Policy CSP
 
-- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
-- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies)
-- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory)
-- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy)
-- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet)
-- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork)
-- [ADMX_AddRemovePrograms/NoAddPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage)
-- [ADMX_AddRemovePrograms/NoAddRemovePrograms](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms)
-- [ADMX_AddRemovePrograms/NoChooseProgramsPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage)
-- [ADMX_AddRemovePrograms/NoRemovePage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage)
-- [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices)
-- [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo)
-- [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage)
-- [ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy)
-- [ADMX_AdmPwd/POL_AdmPwd_Enabled](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_enabled)
-- [ADMX_AdmPwd/POL_AdmPwd_AdminName](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_adminname)
-- [ADMX_AdmPwd/POL_AdmPwd](./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd)
-- [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach)
-- [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage)
-- [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry)
-- [ADMX_AppCompat/AppCompatTurnOffSwitchBack](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback)
-- [ADMX_AppCompat/AppCompatTurnOffEngine](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine)
-- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1)
-- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2)
-- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord)
-- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory)
-- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles)
-- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules)
-- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation)
-- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt)
-- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation)
-- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk)
-- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel)
-- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion)
-- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion)
-- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion)
-- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline)
-- [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache)
-- [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient)
-- [ADMX_Bits/BITS_DisablePeercachingServer](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingserver)
-- [ADMX_Bits/BITS_EnablePeercaching](./policy-csp-admx-bits.md#admx-bits-bits-enablepeercaching)
-- [ADMX_Bits/BITS_MaxBandwidthServedForPeers](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthservedforpeers)
-- [ADMX_Bits/BITS_MaxBandwidthV2_Maintenance](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-maintenance)
-- [ADMX_Bits/BITS_MaxBandwidthV2_Work](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-work)
-- [ADMX_Bits/BITS_MaxCacheSize](./policy-csp-admx-bits.md#admx-bits-bits-maxcachesize)
-- [ADMX_Bits/BITS_MaxContentAge](./policy-csp-admx-bits.md#admx-bits-bits-maxcontentage)
-- [ADMX_Bits/BITS_MaxDownloadTime](./policy-csp-admx-bits.md#admx-bits-bits-maxdownloadtime)
-- [ADMX_Bits/BITS_MaxFilesPerJob](./policy-csp-admx-bits.md#admx-bits-bits-maxfilesperjob)
-- [ADMX_Bits/BITS_MaxJobsPerMachine](./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine)
-- [ADMX_Bits/BITS_MaxJobsPerUser](./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser)
-- [ADMX_Bits/BITS_MaxRangesPerFile](./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile)
-- [ADMX_CipherSuiteOrder/SSLCipherSuiteOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslciphersuiteorder)
-- [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder)
-- [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1)
-- [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2)
-- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls)
-- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel)
-- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel)
-- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls)
-- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable)
-- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle)
-- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground)
-- [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile)
-- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock)
-- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider)
-- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders)
-- [ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly)
-- [ADMX_CredSsp/AllowDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials)
-- [ADMX_CredSsp/AllowEncryptionOracle](./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle)
-- [ADMX_CredSsp/AllowFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials)
-- [ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly)
-- [ADMX_CredSsp/AllowSavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials)
-- [ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly)
-- [ADMX_CredSsp/DenyDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials)
-- [ADMX_CredSsp/DenyFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials)
-- [ADMX_CredSsp/DenySavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials)
-- [ADMX_CredSsp/RestrictedRemoteAdministration](./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration)
-- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting)
-- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions)
-- [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword)
-- [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer)
-- [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr)
-- [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff)
-- [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy)
-- [ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckallowlocallist)
-- [ADMX_DCOM/DCOMActivationSecurityCheckExemptionList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckexemptionlist)
-- [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter)
-- [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder)
-- [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit)
-- [ADMX_Desktop/ForceActiveDesktopOn](./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon)
-- [ADMX_Desktop/NoActiveDesktop](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop)
-- [ADMX_Desktop/NoActiveDesktopChanges](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges)
-- [ADMX_Desktop/NoDesktop](./policy-csp-admx-desktop.md#admx-desktop-nodesktop)
-- [ADMX_Desktop/NoDesktopCleanupWizard](./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard)
-- [ADMX_Desktop/NoInternetIcon](./policy-csp-admx-desktop.md#admx-desktop-nointerneticon)
-- [ADMX_Desktop/NoMyComputerIcon](./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon)
-- [ADMX_Desktop/NoMyDocumentsIcon](./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon)
-- [ADMX_Desktop/NoNetHood](./policy-csp-admx-desktop.md#admx-desktop-nonethood)
-- [ADMX_Desktop/NoPropertiesMyComputer](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer)
-- [ADMX_Desktop/NoPropertiesMyDocuments](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments)
-- [ADMX_Desktop/NoRecentDocsNetHood](./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood)
-- [ADMX_Desktop/NoRecycleBinIcon](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon)
-- [ADMX_Desktop/NoRecycleBinProperties](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties)
-- [ADMX_Desktop/NoSaveSettings](./policy-csp-admx-desktop.md#admx-desktop-nosavesettings)
-- [ADMX_Desktop/NoWindowMinimizingShortcuts](./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts)
-- [ADMX_Desktop/Wallpaper](./policy-csp-admx-desktop.md#admx-desktop-wallpaper)
-- [ADMX_Desktop/sz_ATC_DisableAdd](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd)
-- [ADMX_Desktop/sz_ATC_DisableClose](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose)
-- [ADMX_Desktop/sz_ATC_DisableDel](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel)
-- [ADMX_Desktop/sz_ATC_DisableEdit](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit)
-- [ADMX_Desktop/sz_ATC_NoComponents](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents)
-- [ADMX_Desktop/sz_AdminComponents_Title](./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title)
-- [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose)
-- [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving)
-- [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper)
-- [ADMX_DeviceCompat/DeviceFlags](./policy-csp-admx-devicecompat.md#admx-devicecompat-deviceflags)
-- [ADMX_DeviceCompat/DriverShims](./policy-csp-admx-devicecompat.md#admx-devicecompat-drivershims)
-- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall)
-- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext)
-- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext)
-- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout)
-- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime)
-- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny)
-- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore)
-- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser)
-- [ADMX_DeviceGuard/ConfigCIPolicy](./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy)
-- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips)
-- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
-- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
-- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
-- [ADMX_DiskNVCache/BootResumePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy)
-- [ADMX_DiskNVCache/FeatureOffPolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy)
-- [ADMX_DiskNVCache/SolidStatePolicy](./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy)
-- [ADMX_DiskQuota/DQ_RemovableMedia](./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia)
-- [ADMX_DiskQuota/DQ_Enable](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable)
-- [ADMX_DiskQuota/DQ_Enforce](./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce)
-- [ADMX_DiskQuota/DQ_LogEventOverLimit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit)
-- [ADMX_DiskQuota/DQ_LogEventOverThreshold](./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold)
-- [ADMX_DiskQuota/DQ_Limit](./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit)
-- [ADMX_DistributedLinkTracking/DLT_AllowDomainMode](./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode)
-- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
-- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname)
-- [ADMX_DnsClient/DNS_Domain](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain)
-- [ADMX_DnsClient/DNS_DomainNameDevolutionLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel)
-- [ADMX_DnsClient/DNS_IdnEncoding](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding)
-- [ADMX_DnsClient/DNS_IdnMapping](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping)
-- [ADMX_DnsClient/DNS_NameServer](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver)
-- [ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns)
-- [ADMX_DnsClient/DNS_PrimaryDnsSuffix](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix)
-- [ADMX_DnsClient/DNS_RegisterAdapterName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername)
-- [ADMX_DnsClient/DNS_RegisterReverseLookup](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup)
-- [ADMX_DnsClient/DNS_RegistrationEnabled](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled)
-- [ADMX_DnsClient/DNS_RegistrationOverwritesInConflict](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict)
-- [ADMX_DnsClient/DNS_RegistrationRefreshInterval](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval)
-- [ADMX_DnsClient/DNS_RegistrationTtl](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl)
-- [ADMX_DnsClient/DNS_SearchList](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist)
-- [ADMX_DnsClient/DNS_SmartMultiHomedNameResolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution)
-- [ADMX_DnsClient/DNS_SmartProtocolReorder](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder)
-- [ADMX_DnsClient/DNS_UpdateSecurityLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel)
-- [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones)
-- [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution)
-- [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast)
-- [ADMX_DFS/DFSDiscoverDC](./policy-csp-admx-dfs.md#admx-dfs-dfsdiscoverdc)
-- [ADMX_DWM/DwmDefaultColorizationColor_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1)
-- [ADMX_DWM/DwmDefaultColorizationColor_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-2)
-- [ADMX_DWM/DwmDisallowAnimations_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-1)
-- [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2)
-- [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1)
-- [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2)
-- [ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist)
-- [ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion](./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion)
-- [ADMX_EAIME/L_TurnOffCustomDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary)
-- [ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput)
-- [ADMX_EAIME/L_TurnOffInternetSearchIntegration](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration)
-- [ADMX_EAIME/L_TurnOffOpenExtendedDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary)
-- [ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile)
-- [ADMX_EAIME/L_TurnOnCloudCandidate](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate)
-- [ADMX_EAIME/L_TurnOnCloudCandidateCHS](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs)
-- [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate)
-- [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers)
-- [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport)
-- [ADMX_EventLogging/EnableProtectedEventLogging](./policy-csp-admx-eventlogging.md#admx-eventlogging-enableprotectedeventlogging)
-- [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove)
-- [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices)
-- [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos)
-- [ADMX_EnhancedStorage/DisablePasswordAuthentication](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication)
-- [ADMX_EnhancedStorage/DisallowLegacyDiskDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices)
-- [ADMX_EnhancedStorage/LockDeviceOnMachineLock](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock)
-- [ADMX_EnhancedStorage/RootHubConnectedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices)
-- [ADMX_ErrorReporting/PCH_AllOrNoneDef](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef)
-- [ADMX_ErrorReporting/PCH_AllOrNoneEx](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex)
-- [ADMX_ErrorReporting/PCH_AllOrNoneInc](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc)
-- [ADMX_ErrorReporting/PCH_ConfigureReport](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport)
-- [ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults)
-- [ADMX_ErrorReporting/WerArchive_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1)
-- [ADMX_ErrorReporting/WerArchive_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2)
-- [ADMX_ErrorReporting/WerAutoApproveOSDumps_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1)
-- [ADMX_ErrorReporting/WerAutoApproveOSDumps_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2)
-- [ADMX_ErrorReporting/WerBypassDataThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1)
-- [ADMX_ErrorReporting/WerBypassDataThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2)
-- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1)
-- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2)
-- [ADMX_ErrorReporting/WerBypassPowerThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1)
-- [ADMX_ErrorReporting/WerBypassPowerThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2)
-- [ADMX_ErrorReporting/WerCER](./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer)
-- [ADMX_ErrorReporting/WerConsentCustomize_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1)
-- [ADMX_ErrorReporting/WerConsentOverride_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1)
-- [ADMX_ErrorReporting/WerConsentOverride_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2)
-- [ADMX_ErrorReporting/WerDefaultConsent_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1)
-- [ADMX_ErrorReporting/WerDefaultConsent_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2)
-- [ADMX_ErrorReporting/WerDisable_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1)
-- [ADMX_ErrorReporting/WerExlusion_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1)
-- [ADMX_ErrorReporting/WerExlusion_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2)
-- [ADMX_ErrorReporting/WerNoLogging_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1)
-- [ADMX_ErrorReporting/WerNoLogging_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2)
-- [ADMX_ErrorReporting/WerNoSecondLevelData_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1)
-- [ADMX_ErrorReporting/WerQueue_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1)
-- [ADMX_ErrorReporting/WerQueue_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2)
-- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage)
-- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager)
-- [ADMX_EventLog/Channel_LogEnabled](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled)
-- [ADMX_EventLog/Channel_LogFilePath_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1)
-- [ADMX_EventLog/Channel_LogFilePath_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2)
-- [ADMX_EventLog/Channel_LogFilePath_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3)
-- [ADMX_EventLog/Channel_LogFilePath_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4)
-- [ADMX_EventLog/Channel_LogMaxSize_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3)
-- [ADMX_EventLog/Channel_Log_AutoBackup_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1)
-- [ADMX_EventLog/Channel_Log_AutoBackup_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2)
-- [ADMX_EventLog/Channel_Log_AutoBackup_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3)
-- [ADMX_EventLog/Channel_Log_AutoBackup_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_5](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_6](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_7](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7)
-- [ADMX_EventLog/Channel_Log_FileLogAccess_8](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8)
-- [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2)
-- [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3)
-- [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4)
-- [ADMX_EventViewer/EventViewer_RedirectionProgram](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogram)
-- [ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters)
-- [ADMX_EventViewer/EventViewer_RedirectionURL](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionurl)
-- [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl)
-- [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu)
-- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit)
-- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder)
-- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations)
-- [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate)
-- [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep)
-- [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher)
-- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
-- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
-- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
-- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)
-- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption)
-- [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption)
-- [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled)
-- [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings)
-- [ADMX_FileSys/SymlinkEvaluation](./policy-csp-admx-filesys.md#admx-filesys-symlinkevaluation)
-- [ADMX_FileSys/TxfDeprecatedFunctionality](./policy-csp-admx-filesys.md#admx-filesys-txfdeprecatedfunctionality)
-- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
-- [ADMX_FileRevocation/DelegatedPackageFamilyNames](./policy-csp-admx-filerevocation.md#admx-filerevocation-delegatedpackagefamilynames)
-- [ADMX_FolderRedirection/DisableFRAdminPin](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpin)
-- [ADMX_FolderRedirection/DisableFRAdminPinByFolder](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpinbyfolder)
-- [ADMX_FolderRedirection/FolderRedirectionEnableCacheRename](./policy-csp-admx-folderredirection.md#admx-folderredirection-folderredirectionenablecacherename)
-- [ADMX_FolderRedirection/LocalizeXPRelativePaths_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-1)
-- [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2)
-- [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1)
-- [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2)
-- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane)
-- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane)
-- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy)
-- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin)
-- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1)
-- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2)
-- [ADMX_Globalization/HideAdminOptions](./policy-csp-admx-globalization.md#admx-globalization-hideadminoptions)
-- [ADMX_Globalization/HideCurrentLocation](./policy-csp-admx-globalization.md#admx-globalization-hidecurrentlocation)
-- [ADMX_Globalization/HideLanguageSelection](./policy-csp-admx-globalization.md#admx-globalization-hidelanguageselection)
-- [ADMX_Globalization/HideLocaleSelectAndCustomize](./policy-csp-admx-globalization.md#admx-globalization-hidelocaleselectandcustomize)
-- [ADMX_Globalization/ImplicitDataCollectionOff_1](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-1)
-- [ADMX_Globalization/ImplicitDataCollectionOff_2](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-2)
-- [ADMX_Globalization/LocaleSystemRestrict](./policy-csp-admx-globalization.md#admx-globalization-localesystemrestrict)
-- [ADMX_Globalization/LocaleUserRestrict_1](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-1)
-- [ADMX_Globalization/LocaleUserRestrict_2](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-2)
-- [ADMX_Globalization/LockMachineUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockmachineuilanguage)
-- [ADMX_Globalization/LockUserUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockuseruilanguage)
-- [ADMX_Globalization/PreventGeoIdChange_1](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-1)
-- [ADMX_Globalization/PreventGeoIdChange_2](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-2)
-- [ADMX_Globalization/PreventUserOverrides_1](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-1)
-- [ADMX_Globalization/PreventUserOverrides_2](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-2)
-- [ADMX_Globalization/RestrictUILangSelect](./policy-csp-admx-globalization.md#admx-globalization-restrictuilangselect)
-- [ADMX_Globalization/TurnOffAutocorrectMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffautocorrectmisspelledwords)
-- [ADMX_Globalization/TurnOffHighlightMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffhighlightmisspelledwords)
-- [ADMX_Globalization/TurnOffInsertSpace](./policy-csp-admx-globalization.md#admx-globalization-turnoffinsertspace)
-- [ADMX_Globalization/TurnOffOfferTextPredictions](./policy-csp-admx-globalization.md#admx-globalization-turnoffoffertextpredictions)
-- [ADMX_Globalization/Y2K](./policy-csp-admx-globalization.md#admx-globalization-y2k)
-- [ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-allowx-forestpolicy-and-rup)
-- [ADMX_GroupPolicy/CSE_AppMgmt](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-appmgmt)
-- [ADMX_GroupPolicy/CSE_DiskQuota](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-diskquota)
-- [ADMX_GroupPolicy/CSE_EFSRecovery](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-efsrecovery)
-- [ADMX_GroupPolicy/CSE_FolderRedirection](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-folderredirection)
-- [ADMX_GroupPolicy/CSE_IEM](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-iem)
-- [ADMX_GroupPolicy/CSE_IPSecurity](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-ipsecurity)
-- [ADMX_GroupPolicy/CSE_Registry](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-registry)
-- [ADMX_GroupPolicy/CSE_Scripts](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-scripts)
-- [ADMX_GroupPolicy/CSE_Security](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-security)
-- [ADMX_GroupPolicy/CSE_Wired](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wired)
-- [ADMX_GroupPolicy/CSE_Wireless](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wireless)
-- [ADMX_GroupPolicy/CorpConnSyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-corpconnsyncwaittime)
-- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-1)
-- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-2)
-- [ADMX_GroupPolicy/DisableAOACProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableaoacprocessing)
-- [ADMX_GroupPolicy/DisableAutoADMUpdate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableautoadmupdate)
-- [ADMX_GroupPolicy/DisableBackgroundPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablebackgroundpolicy)
-- [ADMX_GroupPolicy/DisableLGPOProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablelgpoprocessing)
-- [ADMX_GroupPolicy/DisableUsersFromMachGP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableusersfrommachgp)
-- [ADMX_GroupPolicy/EnableCDP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablecdp)
-- [ADMX_GroupPolicy/EnableLogonOptimization](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimization)
-- [ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimizationonserversku)
-- [ADMX_GroupPolicy/EnableMMX](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablemmx)
-- [ADMX_GroupPolicy/EnforcePoliciesOnly](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enforcepoliciesonly)
-- [ADMX_GroupPolicy/FontMitigation](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-fontmitigation)
-- [ADMX_GroupPolicy/GPDCOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gpdcoptions)
-- [ADMX_GroupPolicy/GPTransferRate_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-1)
-- [ADMX_GroupPolicy/GPTransferRate_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-2)
-- [ADMX_GroupPolicy/GroupPolicyRefreshRate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrate)
-- [ADMX_GroupPolicy/GroupPolicyRefreshRateDC](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshratedc)
-- [ADMX_GroupPolicy/GroupPolicyRefreshRateUser](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrateuser)
-- [ADMX_GroupPolicy/LogonScriptDelay](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-logonscriptdelay)
-- [ADMX_GroupPolicy/NewGPODisplayName](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpodisplayname)
-- [ADMX_GroupPolicy/NewGPOLinksDisabled](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpolinksdisabled)
-- [ADMX_GroupPolicy/OnlyUseLocalAdminFiles](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-onlyuselocaladminfiles)
-- [ADMX_GroupPolicy/ProcessMitigationOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-processmitigationoptions)
-- [ADMX_GroupPolicy/RSoPLogging](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-rsoplogging)
-- [ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy)
-- [ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaultfordirectaccess)
-- [ADMX_GroupPolicy/SlowlinkDefaultToAsync](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaulttoasync)
-- [ADMX_GroupPolicy/SyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-syncwaittime)
-- [ADMX_GroupPolicy/UserPolicyMode](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-userpolicymode)
-- [ADMX_Help/DisableHHDEP](./policy-csp-admx-help.md#admx-help-disablehhdep)
-- [ADMX_Help/HelpQualifiedRootDir_Comp](./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp)
-- [ADMX_Help/RestrictRunFromHelp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp)
-- [ADMX_Help/RestrictRunFromHelp_Comp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp-comp)
-- [ADMX_HelpAndSupport/ActiveHelp](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-activehelp)
-- [ADMX_HelpAndSupport/HPExplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback)
-- [ADMX_HelpAndSupport/HPImplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback)
-- [ADMX_HelpAndSupport/HPOnlineAssistance](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance)
-- [ADMX_ICM/CEIPEnable](./policy-csp-admx-icm.md#admx-icm-ceipenable)
-- [ADMX_ICM/CertMgr_DisableAutoRootUpdates](./policy-csp-admx-icm.md#admx-icm-certmgr-disableautorootupdates)
-- [ADMX_ICM/DisableHTTPPrinting_1](./policy-csp-admx-icm.md#admx-icm-disablehttpprinting-1)
-- [ADMX_ICM/DisableWebPnPDownload_1](./policy-csp-admx-icm.md#admx-icm-disablewebpnpdownload-1)
-- [ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate](./policy-csp-admx-icm.md#admx-icm-driversearchplaces-dontsearchwindowsupdate)
-- [ADMX_ICM/EventViewer_DisableLinks](./policy-csp-admx-icm.md#admx-icm-eventviewer-disablelinks)
-- [ADMX_ICM/HSS_HeadlinesPolicy](./policy-csp-admx-icm.md#admx-icm-hss-headlinespolicy)
-- [ADMX_ICM/HSS_KBSearchPolicy](./policy-csp-admx-icm.md#admx-icm-hss-kbsearchpolicy)
-- [ADMX_ICM/InternetManagement_RestrictCommunication_1](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-1)
-- [ADMX_ICM/InternetManagement_RestrictCommunication_2](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-2)
-- [ADMX_ICM/NC_ExitOnISP](./policy-csp-admx-icm.md#admx-icm-nc-exitonisp)
-- [ADMX_ICM/NC_NoRegistration](./policy-csp-admx-icm.md#admx-icm-nc-noregistration)
-- [ADMX_ICM/PCH_DoNotReport](./policy-csp-admx-icm.md#admx-icm-pch-donotreport)
-- [ADMX_ICM/RemoveWindowsUpdate_ICM](./policy-csp-admx-icm.md#admx-icm-removewindowsupdate-icm)
-- [ADMX_ICM/SearchCompanion_DisableFileUpdates](./policy-csp-admx-icm.md#admx-icm-searchcompanion-disablefileupdates)
-- [ADMX_ICM/ShellNoUseInternetOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-1)
-- [ADMX_ICM/ShellNoUseInternetOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-2)
-- [ADMX_ICM/ShellNoUseStoreOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-1)
-- [ADMX_ICM/ShellNoUseStoreOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-2)
-- [ADMX_ICM/ShellPreventWPWDownload_1](./policy-csp-admx-icm.md#admx-icm-shellpreventwpwdownload-1)
-- [ADMX_ICM/ShellRemoveOrderPrints_1](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-1)
-- [ADMX_ICM/ShellRemoveOrderPrints_2](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-2)
-- [ADMX_ICM/ShellRemovePublishToWeb_1](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-1)
-- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2)
-- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1)
-- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2)
-- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall)
-- [ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins)
-- [ADMX_iSCSI/iSCSIGeneral_ChangeIQNName](./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname)
-- [ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret](./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret)
-- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor)
-- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch)
-- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness)
-- [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid)
-- [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold)
-- [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili)
-- [ADMX_Kerberos/AlwaysSendCompoundId](./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid)
-- [ADMX_Kerberos/DevicePKInitEnabled](./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled)
-- [ADMX_Kerberos/HostToRealm](./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm)
-- [ADMX_Kerberos/KdcProxyDisableServerRevocationCheck](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck)
-- [ADMX_Kerberos/KdcProxyServer](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver)
-- [ADMX_Kerberos/MitRealms](./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms)
-- [ADMX_Kerberos/ServerAcceptsCompound](./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound)
-- [ADMX_Kerberos/StrictTarget](./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget)
-- [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder)
-- [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication)
-- [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion)
-- [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder)
-- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder)
-- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles)
-- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares)
-- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy)
-- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio)
-- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr)
-- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1)
-- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin)
-- [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon)
-- [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1)
-- [ADMX_Logon/DisableExplorerRunLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-2)
-- [ADMX_Logon/DisableExplorerRunOnceLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-1)
-- [ADMX_Logon/DisableExplorerRunOnceLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-2)
-- [ADMX_Logon/DisableStatusMessages](./policy-csp-admx-logon.md#admx-logon-disablestatusmessages)
-- [ADMX_Logon/DontEnumerateConnectedUsers](./policy-csp-admx-logon.md#admx-logon-dontenumerateconnectedusers)
-- [ADMX_Logon/NoWelcomeTips_1](./policy-csp-admx-logon.md#admx-logon-nowelcometips-1)
-- [ADMX_Logon/NoWelcomeTips_2](./policy-csp-admx-logon.md#admx-logon-nowelcometips-2)
-- [ADMX_Logon/Run_1](./policy-csp-admx-logon.md#admx-logon-run-1)
-- [ADMX_Logon/Run_2](./policy-csp-admx-logon.md#admx-logon-run-2)
-- [ADMX_Logon/SyncForegroundPolicy](./policy-csp-admx-logon.md#admx-logon-syncforegroundpolicy)
-- [ADMX_Logon/UseOEMBackground](./policy-csp-admx-logon.md#admx-logon-useoembackground)
-- [ADMX_Logon/VerboseStatus](./policy-csp-admx-logon.md#admx-logon-verbosestatus)
-- [ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup)
-- [ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender)
-- [ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions)
-- [ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen)
-- [ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge)
-- [ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring)
-- [ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction)
-- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions)
-- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths)
-- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes)
-- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions)
-- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules)
-- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications)
-- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders)
-- [ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation)
-- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement)
-- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid)
-- [ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition)
-- [ADMX_MicrosoftDefenderAntivirus/ProxyBypass](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass)
-- [ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl)
-- [ADMX_MicrosoftDefenderAntivirus/ProxyServer](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver)
-- [ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay)
-- [ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay)
-- [ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring)
-- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection)
-- [ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime)
-- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday)
-- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents)
-- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday)
-- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime)
-- [ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval)
-- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup)
-- [ADMX_MicrosoftDefenderAntivirus/SpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting)
-- [ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting)
-- [ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction)
-- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring)
-- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress)
-- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification)
-- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown)
-- [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol)
-- [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview)
-- [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb)
-- [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author)
-- [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins)
-- [ADMX_MMCSnapins/MMC_ADMComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-1)
-- [ADMX_MMCSnapins/MMC_ADMComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-2)
-- [ADMX_MMCSnapins/MMC_ADMUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-1)
-- [ADMX_MMCSnapins/MMC_ADMUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-2)
-- [ADMX_MMCSnapins/MMC_ADSI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-adsi)
-- [ADMX_MMCSnapins/MMC_ActiveDirDomTrusts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirdomtrusts)
-- [ADMX_MMCSnapins/MMC_ActiveDirSitesServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirsitesservices)
-- [ADMX_MMCSnapins/MMC_ActiveDirUsersComp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activediruserscomp)
-- [ADMX_MMCSnapins/MMC_AppleTalkRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-appletalkrouting)
-- [ADMX_MMCSnapins/MMC_AuthMan](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-authman)
-- [ADMX_MMCSnapins/MMC_CertAuth](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauth)
-- [ADMX_MMCSnapins/MMC_CertAuthPolSet](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauthpolset)
-- [ADMX_MMCSnapins/MMC_Certs](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certs)
-- [ADMX_MMCSnapins/MMC_CertsTemplate](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certstemplate)
-- [ADMX_MMCSnapins/MMC_ComponentServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-componentservices)
-- [ADMX_MMCSnapins/MMC_ComputerManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-computermanagement)
-- [ADMX_MMCSnapins/MMC_ConnectionSharingNAT](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-connectionsharingnat)
-- [ADMX_MMCSnapins/MMC_DCOMCFG](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dcomcfg)
-- [ADMX_MMCSnapins/MMC_DFS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dfs)
-- [ADMX_MMCSnapins/MMC_DHCPRelayMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dhcprelaymgmt)
-- [ADMX_MMCSnapins/MMC_DeviceManager_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-1)
-- [ADMX_MMCSnapins/MMC_DeviceManager_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-2)
-- [ADMX_MMCSnapins/MMC_DiskDefrag](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskdefrag)
-- [ADMX_MMCSnapins/MMC_DiskMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskmgmt)
-- [ADMX_MMCSnapins/MMC_EnterprisePKI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-enterprisepki)
-- [ADMX_MMCSnapins/MMC_EventViewer_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-1)
-- [ADMX_MMCSnapins/MMC_EventViewer_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-2)
-- [ADMX_MMCSnapins/MMC_EventViewer_3](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-3)
-- [ADMX_MMCSnapins/MMC_EventViewer_4](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-4)
-- [ADMX_MMCSnapins/MMC_FAXService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-faxservice)
-- [ADMX_MMCSnapins/MMC_FailoverClusters](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-failoverclusters)
-- [ADMX_MMCSnapins/MMC_FolderRedirection_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-1)
-- [ADMX_MMCSnapins/MMC_FolderRedirection_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-2)
-- [ADMX_MMCSnapins/MMC_FrontPageExt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-frontpageext)
-- [ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicymanagementsnapin)
-- [ADMX_MMCSnapins/MMC_GroupPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicysnapin)
-- [ADMX_MMCSnapins/MMC_GroupPolicyTab](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicytab)
-- [ADMX_MMCSnapins/MMC_HRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-hra)
-- [ADMX_MMCSnapins/MMC_IAS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ias)
-- [ADMX_MMCSnapins/MMC_IASLogging](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iaslogging)
-- [ADMX_MMCSnapins/MMC_IEMaintenance_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-1)
-- [ADMX_MMCSnapins/MMC_IEMaintenance_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-2)
-- [ADMX_MMCSnapins/MMC_IGMPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-igmprouting)
-- [ADMX_MMCSnapins/MMC_IIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iis)
-- [ADMX_MMCSnapins/MMC_IPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iprouting)
-- [ADMX_MMCSnapins/MMC_IPSecManage_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage-gp)
-- [ADMX_MMCSnapins/MMC_IPXRIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxriprouting)
-- [ADMX_MMCSnapins/MMC_IPXRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxrouting)
-- [ADMX_MMCSnapins/MMC_IPXSAPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxsaprouting)
-- [ADMX_MMCSnapins/MMC_IndexingService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-indexingservice)
-- [ADMX_MMCSnapins/MMC_IpSecManage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage)
-- [ADMX_MMCSnapins/MMC_IpSecMonitor](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmonitor)
-- [ADMX_MMCSnapins/MMC_LocalUsersGroups](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-localusersgroups)
-- [ADMX_MMCSnapins/MMC_LogicalMappedDrives](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-logicalmappeddrives)
-- [ADMX_MMCSnapins/MMC_NPSUI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-npsui)
-- [ADMX_MMCSnapins/MMC_NapSnap](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap)
-- [ADMX_MMCSnapins/MMC_NapSnap_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap-gp)
-- [ADMX_MMCSnapins/MMC_Net_Framework](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-net-framework)
-- [ADMX_MMCSnapins/MMC_OCSP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ocsp)
-- [ADMX_MMCSnapins/MMC_OSPFRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ospfrouting)
-- [ADMX_MMCSnapins/MMC_PerfLogsAlerts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-perflogsalerts)
-- [ADMX_MMCSnapins/MMC_PublicKey](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-publickey)
-- [ADMX_MMCSnapins/MMC_QoSAdmission](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-qosadmission)
-- [ADMX_MMCSnapins/MMC_RAS_DialinUser](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ras-dialinuser)
-- [ADMX_MMCSnapins/MMC_RIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-riprouting)
-- [ADMX_MMCSnapins/MMC_RIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ris)
-- [ADMX_MMCSnapins/MMC_RRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rra)
-- [ADMX_MMCSnapins/MMC_RSM](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rsm)
-- [ADMX_MMCSnapins/MMC_RemStore](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remstore)
-- [ADMX_MMCSnapins/MMC_RemoteAccess](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remoteaccess)
-- [ADMX_MMCSnapins/MMC_RemoteDesktop](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remotedesktop)
-- [ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-resultantsetofpolicysnapin)
-- [ADMX_MMCSnapins/MMC_Routing](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-routing)
-- [ADMX_MMCSnapins/MMC_SCA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sca)
-- [ADMX_MMCSnapins/MMC_SMTPProtocol](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-smtpprotocol)
-- [ADMX_MMCSnapins/MMC_SNMP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-snmp)
-- [ADMX_MMCSnapins/MMC_ScriptsMachine_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-1)
-- [ADMX_MMCSnapins/MMC_ScriptsMachine_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-2)
-- [ADMX_MMCSnapins/MMC_ScriptsUser_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-1)
-- [ADMX_MMCSnapins/MMC_ScriptsUser_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-2)
-- [ADMX_MMCSnapins/MMC_SecuritySettings_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-1)
-- [ADMX_MMCSnapins/MMC_SecuritySettings_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-2)
-- [ADMX_MMCSnapins/MMC_SecurityTemplates](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitytemplates)
-- [ADMX_MMCSnapins/MMC_SendConsoleMessage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sendconsolemessage)
-- [ADMX_MMCSnapins/MMC_ServerManager](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servermanager)
-- [ADMX_MMCSnapins/MMC_ServiceDependencies](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servicedependencies)
-- [ADMX_MMCSnapins/MMC_Services](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-services)
-- [ADMX_MMCSnapins/MMC_SharedFolders](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders)
-- [ADMX_MMCSnapins/MMC_SharedFolders_Ext](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders-ext)
-- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-1)
-- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-2)
-- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-1)
-- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-2)
-- [ADMX_MMCSnapins/MMC_SysInfo](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysinfo)
-- [ADMX_MMCSnapins/MMC_SysProp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysprop)
-- [ADMX_MMCSnapins/MMC_TPMManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-tpmmanagement)
-- [ADMX_MMCSnapins/MMC_Telephony](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-telephony)
-- [ADMX_MMCSnapins/MMC_TerminalServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-terminalservices)
-- [ADMX_MMCSnapins/MMC_WMI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wmi)
-- [ADMX_MMCSnapins/MMC_WindowsFirewall](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall)
-- [ADMX_MMCSnapins/MMC_WindowsFirewall_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall-gp)
-- [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy)
-- [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon)
-- [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy)
-- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_1)
-- [ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2](./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_2)
-- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_1)
-- [ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2](./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_2)
-- [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth)
-- [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy)
-- [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy)
-- [ADMX_MSDT/MsdtSupportProvider](./policy-csp-admx-msdt.md#admx-msdt-msdtsupportprovider)
-- [ADMX_MSDT/MsdtToolDownloadPolicy](./policy-csp-admx-msdt.md#admx-msdt-msdttooldownloadpolicy)
-- [ADMX_MSDT/WdiScenarioExecutionPolicy](./policy-csp-admx-msdt.md#admx-msdt-wdiscenarioexecutionpolicy)
-- [ADMX_MSI/AllowLockdownBrowse](./policy-csp-admx-msi.md#admx-msi-allowlockdownbrowse)
-- [ADMX_MSI/AllowLockdownMedia](./policy-csp-admx-msi.md#admx-msi-allowlockdownmedia)
-- [ADMX_MSI/AllowLockdownPatch](./policy-csp-admx-msi.md#admx-msi-allowlockdownpatch)
-- [ADMX_MSI/DisableAutomaticApplicationShutdown](./policy-csp-admx-msi.md#admx-msi-disableautomaticapplicationshutdown)
-- [ADMX_MSI/DisableBrowse](./policy-csp-admx-msi.md#admx-msi-disablebrowse)
-- [ADMX_MSI/DisableFlyweightPatching](./policy-csp-admx-msi.md#admx-msi-disableflyweightpatching)
-- [ADMX_MSI/DisableLoggingFromPackage](./policy-csp-admx-msi.md#admx-msi-disableloggingfrompackage)
-- [ADMX_MSI/DisableMSI](./policy-csp-admx-msi.md#admx-msi-disablemsi)
-- [ADMX_MSI/DisableMedia](./policy-csp-admx-msi.md#admx-msi-disablemedia)
-- [ADMX_MSI/DisablePatch](./policy-csp-admx-msi.md#admx-msi-disablepatch)
-- [ADMX_MSI/DisableRollback_1](./policy-csp-admx-msi.md#admx-msi-disablerollback-1)
-- [ADMX_MSI/DisableRollback_2](./policy-csp-admx-msi.md#admx-msi-disablerollback-2)
-- [ADMX_MSI/DisableSharedComponent](./policy-csp-admx-msi.md#admx-msi-disablesharedcomponent)
-- [ADMX_MSI/MSILogging](./policy-csp-admx-msi.md#admx-msi-msilogging)
-- [ADMX_MSI/MSI_DisableLUAPatching](./policy-csp-admx-msi.md#admx-msi-msi-disableluapatching)
-- [ADMX_MSI/MSI_DisablePatchUninstall](./policy-csp-admx-msi.md#admx-msi-msi-disablepatchuninstall)
-- [ADMX_MSI/MSI_DisableSRCheckPoints](./policy-csp-admx-msi.md#admx-msi-msi-disablesrcheckpoints)
-- [ADMX_MSI/MSI_DisableUserInstalls](./policy-csp-admx-msi.md#admx-msi-msi-disableuserinstalls)
-- [ADMX_MSI/MSI_EnforceUpgradeComponentRules](./policy-csp-admx-msi.md#admx-msi-msi-enforceupgradecomponentrules)
-- [ADMX_MSI/MSI_MaxPatchCacheSize](./policy-csp-admx-msi.md#admx-msi-msi-maxpatchcachesize)
-- [ADMX_MSI/MsiDisableEmbeddedUI](./policy-csp-admx-msi.md#admx-msi-msidisableembeddedui)
-- [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting)
-- [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder)
-- [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure)
-- [ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-msifilerecovery.md#admx-msifilerecovery-wdiscenarioexecutionpolicy)
-- [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources)
-- [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands)
-- [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes)
-- [ADMX_nca/FriendlyName](./policy-csp-admx-nca.md#admx-nca-friendlyname)
-- [ADMX_nca/LocalNamesOn](./policy-csp-admx-nca.md#admx-nca-localnameson)
-- [ADMX_nca/PassiveMode](./policy-csp-admx-nca.md#admx-nca-passivemode)
-- [ADMX_nca/ShowUI](./policy-csp-admx-nca.md#admx-nca-showui)
-- [ADMX_nca/SupportEmail](./policy-csp-admx-nca.md#admx-nca-supportemail)
-- [ADMX_NCSI/NCSI_CorpDnsProbeContent](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobecontent)
-- [ADMX_NCSI/NCSI_CorpDnsProbeHost](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobehost)
-- [ADMX_NCSI/NCSI_CorpSitePrefixes](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpsiteprefixes)
-- [ADMX_NCSI/NCSI_CorpWebProbeUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpwebprobeurl)
-- [ADMX_NCSI/NCSI_DomainLocationDeterminationUrl](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-domainlocationdeterminationurl)
-- [ADMX_NCSI/NCSI_GlobalDns](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-globaldns)
-- [ADMX_NCSI/NCSI_PassivePolling](./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-passivepolling)
-- [ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresslookuponpingbehavior)
-- [ADMX_Netlogon/Netlogon_AddressTypeReturned](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresstypereturned)
-- [ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowdnssuffixsearch)
-- [ADMX_Netlogon/Netlogon_AllowNT4Crypto](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allownt4crypto)
-- [ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowsinglelabeldnsdomain)
-- [ADMX_Netlogon/Netlogon_AutoSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-autositecoverage)
-- [ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery)
-- [ADMX_Netlogon/Netlogon_AvoidPdcOnWan](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidpdconwan)
-- [ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryinitialperiod)
-- [ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretrymaximumperiod)
-- [ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryquittime)
-- [ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod)
-- [ADMX_Netlogon/Netlogon_DebugFlag](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-debugflag)
-- [ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsavoidregisterrecords)
-- [ADMX_Netlogon/Netlogon_DnsRefreshInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsrefreshinterval)
-- [ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames)
-- [ADMX_Netlogon/Netlogon_DnsTtl](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsttl)
-- [ADMX_Netlogon/Netlogon_ExpectedDialupDelay](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-expecteddialupdelay)
-- [ADMX_Netlogon/Netlogon_ForceRediscoveryInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-forcerediscoveryinterval)
-- [ADMX_Netlogon/Netlogon_GcSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-gcsitecoverage)
-- [ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ignoreincomingmailslotmessages)
-- [ADMX_Netlogon/Netlogon_LdapSrvPriority](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvpriority)
-- [ADMX_Netlogon/Netlogon_LdapSrvWeight](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvweight)
-- [ADMX_Netlogon/Netlogon_MaximumLogFileSize](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-maximumlogfilesize)
-- [ADMX_Netlogon/Netlogon_NdncSiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ndncsitecoverage)
-- [ADMX_Netlogon/Netlogon_NegativeCachePeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-negativecacheperiod)
-- [ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-netlogonsharecompatibilitymode)
-- [ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod)
-- [ADMX_Netlogon/Netlogon_PingUrgencyMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-pingurgencymode)
-- [ADMX_Netlogon/Netlogon_ScavengeInterval](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-scavengeinterval)
-- [ADMX_Netlogon/Netlogon_SiteCoverage](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitecoverage)
-- [ADMX_Netlogon/Netlogon_SiteName](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitename)
-- [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode)
-- [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite)
-- [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns)
-- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents)
-- [ADMX_NetworkConnections/NC_AdvancedSettings](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings)
-- [ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig)
-- [ADMX_NetworkConnections/NC_ChangeBindState](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate)
-- [ADMX_NetworkConnections/NC_DeleteAllUserConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deletealluserconnection)
-- [ADMX_NetworkConnections/NC_DeleteConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deleteconnection)
-- [ADMX_NetworkConnections/NC_DialupPrefs](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-dialupprefs)
-- [ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-donotshowlocalonlyicon)
-- [ADMX_NetworkConnections/NC_EnableAdminProhibits](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-enableadminprohibits)
-- [ADMX_NetworkConnections/NC_ForceTunneling](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-forcetunneling)
-- [ADMX_NetworkConnections/NC_IpStateChecking](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-ipstatechecking)
-- [ADMX_NetworkConnections/NC_LanChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanchangeproperties)
-- [ADMX_NetworkConnections/NC_LanConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanconnect)
-- [ADMX_NetworkConnections/NC_LanProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanproperties)
-- [ADMX_NetworkConnections/NC_NewConnectionWizard](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-newconnectionwizard)
-- [ADMX_NetworkConnections/NC_PersonalFirewallConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-personalfirewallconfig)
-- [ADMX_NetworkConnections/NC_RasAllUserProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasalluserproperties)
-- [ADMX_NetworkConnections/NC_RasChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-raschangeproperties)
-- [ADMX_NetworkConnections/NC_RasConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasconnect)
-- [ADMX_NetworkConnections/NC_RasMyProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasmyproperties)
-- [ADMX_NetworkConnections/NC_RenameAllUserRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamealluserrasconnection)
-- [ADMX_NetworkConnections/NC_RenameConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renameconnection)
-- [ADMX_NetworkConnections/NC_RenameLanConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamelanconnection)
-- [ADMX_NetworkConnections/NC_RenameMyRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamemyrasconnection)
-- [ADMX_NetworkConnections/NC_ShowSharedAccessUI](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-showsharedaccessui)
-- [ADMX_NetworkConnections/NC_Statistics](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-statistics)
-- [ADMX_NetworkConnections/NC_StdDomainUserSetLocation](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-stddomainusersetlocation)
-- [ADMX_OfflineFiles/Pol_AlwaysPinSubFolders](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders)
-- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1)
-- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2)
-- [ADMX_OfflineFiles/Pol_BackgroundSyncSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-backgroundsyncsettings)
-- [ADMX_OfflineFiles/Pol_CacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-cachesize)
-- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-1)
-- [ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-2)
-- [ADMX_OfflineFiles/Pol_DefCacheSize](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-defcachesize)
-- [ADMX_OfflineFiles/Pol_Enabled](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-enabled)
-- [ADMX_OfflineFiles/Pol_EncryptOfflineFiles](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-encryptofflinefiles)
-- [ADMX_OfflineFiles/Pol_EventLoggingLevel_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-1)
-- [ADMX_OfflineFiles/Pol_EventLoggingLevel_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-2)
-- [ADMX_OfflineFiles/Pol_ExclusionListSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-exclusionlistsettings)
-- [ADMX_OfflineFiles/Pol_ExtExclusionList](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-extexclusionlist)
-- [ADMX_OfflineFiles/Pol_GoOfflineAction_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-1)
-- [ADMX_OfflineFiles/Pol_GoOfflineAction_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-2)
-- [ADMX_OfflineFiles/Pol_NoCacheViewer_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-1)
-- [ADMX_OfflineFiles/Pol_NoCacheViewer_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-2)
-- [ADMX_OfflineFiles/Pol_NoConfigCache_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-1)
-- [ADMX_OfflineFiles/Pol_NoConfigCache_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-2)
-- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-1)
-- [ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-2)
-- [ADMX_OfflineFiles/Pol_NoPinFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-1)
-- [ADMX_OfflineFiles/Pol_NoPinFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-2)
-- [ADMX_OfflineFiles/Pol_NoReminders_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-1)
-- [ADMX_OfflineFiles/Pol_NoReminders_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-2)
-- [ADMX_OfflineFiles/Pol_OnlineCachingSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-onlinecachingsettings)
-- [ADMX_OfflineFiles/Pol_PurgeAtLogoff](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-purgeatlogoff)
-- [ADMX_OfflineFiles/Pol_QuickAdimPin](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-quickadimpin)
-- [ADMX_OfflineFiles/Pol_ReminderFreq_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-1)
-- [ADMX_OfflineFiles/Pol_ReminderFreq_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-2)
-- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-1)
-- [ADMX_OfflineFiles/Pol_ReminderInitTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-2)
-- [ADMX_OfflineFiles/Pol_ReminderTimeout_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-1)
-- [ADMX_OfflineFiles/Pol_ReminderTimeout_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-2)
-- [ADMX_OfflineFiles/Pol_SlowLinkSettings](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinksettings)
-- [ADMX_OfflineFiles/Pol_SlowLinkSpeed](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinkspeed)
-- [ADMX_OfflineFiles/Pol_SyncAtLogoff_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-1)
-- [ADMX_OfflineFiles/Pol_SyncAtLogoff_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-2)
-- [ADMX_OfflineFiles/Pol_SyncAtLogon_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-1)
-- [ADMX_OfflineFiles/Pol_SyncAtLogon_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-2)
-- [ADMX_OfflineFiles/Pol_SyncAtSuspend_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-1)
-- [ADMX_OfflineFiles/Pol_SyncAtSuspend_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-2)
-- [ADMX_OfflineFiles/Pol_SyncOnCostedNetwork](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork)
-- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1)
-- [ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2)
-- [ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomcomponentfailurespolicy)
-- [ADMX_pca/DetectDeprecatedComponentFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomponentfailurespolicy)
-- [ADMX_pca/DetectInstallFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectinstallfailurespolicy)
-- [ADMX_pca/DetectUndetectedInstallersPolicy](./policy-csp-admx-pca.md#admx-pca-detectundetectedinstallerspolicy)
-- [ADMX_pca/DetectUpdateFailuresPolicy](./policy-csp-admx-pca.md#admx-pca-detectupdatefailurespolicy)
-- [ADMX_pca/DisablePcaUIPolicy](./policy-csp-admx-pca.md#admx-pca-disablepcauipolicy)
-- [ADMX_pca/DetectBlockedDriversPolicy](./policy-csp-admx-pca.md#admx-pca-detectblockeddriverspolicy)
-- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache)
-- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed)
-- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted)
-- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery)
-- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers)
-- [ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-smb)
-- [ADMX_PeerToPeerCaching/SetCachePercent](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent)
-- [ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage)
-- [ADMX_PeerToPeerCaching/SetDowngrading](./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading)
-- [ADMX_PenTraining/PenTrainingOff_1](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_1)
-- [ADMX_PenTraining/PenTrainingOff_2](./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_2)
-- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1)
-- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2)
-- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3)
-- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4)
-- [ADMX_Power/ACConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-acconnectivityinstandby-2)
-- [ADMX_Power/ACCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-accriticalsleeptransitionsdisable-2)
-- [ADMX_Power/ACStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-acstartmenubuttonaction-2)
-- [ADMX_Power/AllowSystemPowerRequestAC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestac)
-- [ADMX_Power/AllowSystemPowerRequestDC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestdc)
-- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopenac)
-- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopendc)
-- [ADMX_Power/CustomActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-customactiveschemeoverride-2)
-- [ADMX_Power/DCBatteryDischargeAction0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction0-2)
-- [ADMX_Power/DCBatteryDischargeAction1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction1-2)
-- [ADMX_Power/DCBatteryDischargeLevel0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel0-2)
-- [ADMX_Power/DCBatteryDischargeLevel1UINotification_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1uinotification-2)
-- [ADMX_Power/DCBatteryDischargeLevel1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1-2)
-- [ADMX_Power/DCConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-dcconnectivityinstandby-2)
-- [ADMX_Power/DCCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-dccriticalsleeptransitionsdisable-2)
-- [ADMX_Power/DCStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-dcstartmenubuttonaction-2)
-- [ADMX_Power/DiskACPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskacpowerdowntimeout-2)
-- [ADMX_Power/DiskDCPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskdcpowerdowntimeout-2)
-- [ADMX_Power/Dont_PowerOff_AfterShutdown](./policy-csp-admx-power.md#admx-power-dont-poweroff-aftershutdown)
-- [ADMX_Power/EnableDesktopSlideShowAC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowac)
-- [ADMX_Power/EnableDesktopSlideShowDC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowdc)
-- [ADMX_Power/InboxActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-inboxactiveschemeoverride-2)
-- [ADMX_Power/PW_PromptPasswordOnResume](./policy-csp-admx-power.md#admx-power-pw-promptpasswordonresume)
-- [ADMX_Power/PowerThrottlingTurnOff](./policy-csp-admx-power.md#admx-power-powerthrottlingturnoff)
-- [ADMX_Power/ReserveBatteryNotificationLevel](./policy-csp-admx-power.md#admx-power-reservebatterynotificationlevel)
-- [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging)
-- [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts)
-- [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting)
-- [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath)
-- [ADMX_PreviousVersions/DisableLocalPage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1)
-- [ADMX_PreviousVersions/DisableLocalPage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2)
-- [ADMX_PreviousVersions/DisableRemotePage_1](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1)
-- [ADMX_PreviousVersions/DisableRemotePage_2](./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2)
-- [ADMX_PreviousVersions/HideBackupEntries_1](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1)
-- [ADMX_PreviousVersions/HideBackupEntries_2](./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2)
-- [ADMX_PreviousVersions/DisableLocalRestore_1](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1)
-- [ADMX_PreviousVersions/DisableLocalRestore_2](./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2)
-- [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting)
-- [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation)
-- [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl)
-- [ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate](./policy-csp-admx-printing.md#admx-printing-donotinstallcompatibledriverfromwindowsupdate)
-- [ADMX_Printing/DomainPrinters](./policy-csp-admx-printing.md#admx-printing-domainprinters)
-- [ADMX_Printing/DownlevelBrowse](./policy-csp-admx-printing.md#admx-printing-downlevelbrowse)
-- [ADMX_Printing/EMFDespooling](./policy-csp-admx-printing.md#admx-printing-emfdespooling)
-- [ADMX_Printing/ForceSoftwareRasterization](./policy-csp-admx-printing.md#admx-printing-forcesoftwarerasterization)
-- [ADMX_Printing/IntranetPrintersUrl](./policy-csp-admx-printing.md#admx-printing-intranetprintersurl)
-- [ADMX_Printing/KMPrintersAreBlocked](./policy-csp-admx-printing.md#admx-printing-kmprintersareblocked)
-- [ADMX_Printing/LegacyDefaultPrinterMode](./policy-csp-admx-printing.md#admx-printing-legacydefaultprintermode)
-- [ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS](./policy-csp-admx-printing.md#admx-printing-mxdwuselegacyoutputformatmsxps)
-- [ADMX_Printing/NoDeletePrinter](./policy-csp-admx-printing.md#admx-printing-nodeleteprinter)
-- [ADMX_Printing/NonDomainPrinters](./policy-csp-admx-printing.md#admx-printing-nondomainprinters)
-- [ADMX_Printing/PackagePointAndPrintOnly](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly)
-- [ADMX_Printing/PackagePointAndPrintOnly_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly-win7)
-- [ADMX_Printing/PackagePointAndPrintServerList](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist)
-- [ADMX_Printing/PackagePointAndPrintServerList_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist-win7)
-- [ADMX_Printing/PhysicalLocation](./policy-csp-admx-printing.md#admx-printing-physicallocation)
-- [ADMX_Printing/PhysicalLocationSupport](./policy-csp-admx-printing.md#admx-printing-physicallocationsupport)
-- [ADMX_Printing/PrintDriverIsolationExecutionPolicy](./policy-csp-admx-printing.md#admx-printing-printdriverisolationexecutionpolicy
-)
-- [ADMX_Printing/PrintDriverIsolationOverrideCompat](./policy-csp-admx-printing.md#admx-printing-printdriverisolationoverridecompat)
-- [ADMX_Printing/PrinterDirectorySearchScope](./policy-csp-admx-printing.md#admx-printing-printerdirectorysearchscope)
-- [ADMX_Printing/PrinterServerThread](./policy-csp-admx-printing.md#admx-printing-printerserverthread)
-- [ADMX_Printing/ShowJobTitleInEventLogs](./policy-csp-admx-printing.md#admx-printing-showjobtitleineventlogs)
-- [ADMX_Printing/V4DriverDisallowPrinterExtension](./policy-csp-admx-printing.md#admx-printing-v4driverdisallowprinterextension)
-- [ADMX_Printing2/AutoPublishing](./policy-csp-admx-printing2.md#admx-printing2-autopublishing)
-- [ADMX_Printing2/ImmortalPrintQueue](./policy-csp-admx-printing2.md#admx-printing2-immortalprintqueue)
-- [ADMX_Printing2/PruneDownlevel](./policy-csp-admx-printing2.md#admx-printing2-prunedownlevel)
-- [ADMX_Printing2/PruningInterval](./policy-csp-admx-printing2.md#admx-printing2-pruninginterval)
-- [ADMX_Printing2/PruningPriority](./policy-csp-admx-printing2.md#admx-printing2-pruningpriority)
-- [ADMX_Printing2/PruningRetries](./policy-csp-admx-printing2.md#admx-printing2-pruningretries)
-- [ADMX_Printing2/PruningRetryLog](./policy-csp-admx-printing2.md#admx-printing2-pruningretrylog)
-- [ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint](./policy-csp-admx-printing2.md#admx-printing2-registerspoolerremoterpcendpoint)
-- [ADMX_Printing2/VerifyPublishedState](./policy-csp-admx-printing2.md#admx-printing2-verifypublishedstate)
-- [ADMX_Programs/NoDefaultPrograms](./policy-csp-admx-programs.md#admx-programs-nodefaultprograms)
-- [ADMX_Programs/NoGetPrograms](./policy-csp-admx-programs.md#admx-programs-nogetprograms)
-- [ADMX_Programs/NoInstalledUpdates](./policy-csp-admx-programs.md#admx-programs-noinstalledupdates)
-- [ADMX_Programs/NoProgramsAndFeatures](./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures)
-- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl)
-- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures)
-- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace)
-- [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp)
-- [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents)
-- [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile)
-- [ADMX_Reliability/ShutdownReason](./policy-csp-admx-reliability.md#admx-reliability-shutdownreason)
-- [ADMX_RemoteAssistance/RA_EncryptedTicketOnly](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-encryptedticketonly)
-- [ADMX_RemoteAssistance/RA_Optimize_Bandwidth](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-optimize-bandwidth)
-- [ADMX_RemovableStorage/AccessRights_RebootTime_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-1)
-- [ADMX_RemovableStorage/AccessRights_RebootTime_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-2)
-- [ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyexecute-access-2)
-- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-1)
-- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-2)
-- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-1)
-- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-2)
-- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-1)
-- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-2)
-- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-1)
-- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-2)
-- [ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyexecute-access-2)
-- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-1)
-- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-2)
-- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-1)
-- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-2)
-- [ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyexecute-access-2)
-- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-1)
-- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-2)
-- [ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denywrite-access-1)
-- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-1)
-- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-2)
-- [ADMX_RemovableStorage/Removable_Remote_Allow_Access](./policy-csp-admx-removablestorage.md#admx-removablestorage-removable-remote-allow-access)
-- [ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyexecute-access-2)
-- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-1)
-- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-2)
-- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-1)
-- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-2)
-- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-1)
-- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-2)
-- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-1)
-- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-2)
-- [ADMX_RPC/RpcExtendedErrorInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcextendederrorinformation)
-- [ADMX_RPC/RpcIgnoreDelegationFailure](./policy-csp-admx-rpc.md#admx-rpc-rpcignoredelegationfailure)
-- [ADMX_RPC/RpcMinimumHttpConnectionTimeout](./policy-csp-admx-rpc.md#admx-rpc-rpcminimumhttpconnectiontimeout)
-- [ADMX_RPC/RpcStateInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcstateinformation)
-- [ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled](./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled)
-- [ADMX_Scripts/MaxGPOScriptWaitPolicy](./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy)
-- [ADMX_Scripts/Run_Computer_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first)
-- [ADMX_Scripts/Run_Legacy_Logon_Script_Hidden](./policy-csp-admx-scripts.md#admx-scripts-run-legacy-logon-script-hidden)
-- [ADMX_Scripts/Run_Logoff_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logoff-script-visible)
-- [ADMX_Scripts/Run_Logon_Script_Sync_1](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-1)
-- [ADMX_Scripts/Run_Logon_Script_Sync_2](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-2)
-- [ADMX_Scripts/Run_Logon_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-visible)
-- [ADMX_Scripts/Run_Shutdown_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-shutdown-script-visible)
-- [ADMX_Scripts/Run_Startup_Script_Sync](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-sync)
-- [ADMX_Scripts/Run_Startup_Script_Visible](./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-visible)
-- [ADMX_Scripts/Run_User_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-user-ps-scripts-first)
-- [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected)
-- [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy)
-- [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy)
-- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy)
-- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](./policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain)
-- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1)
-- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2)
-- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1)
-- [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1)
-- [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2)
-- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page)
-- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate)
-- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks)
-- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager)
-- [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
-- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync)
-- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync)
-- [ADMX_SettingSync/DisableCredentialsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync)
-- [ADMX_SettingSync/DisableDesktopThemeSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync)
-- [ADMX_SettingSync/DisablePersonalizationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync)
-- [ADMX_SettingSync/DisableSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync)
-- [ADMX_SettingSync/DisableStartLayoutSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync)
-- [ADMX_SettingSync/DisableSyncOnPaidNetwork](./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork)
-- [ADMX_SettingSync/DisableWindowsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync)
-- [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots)
-- [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders)
-- [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing)
-- [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps)
-- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit)
-- [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
-- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-restrictapps)
-- [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku)
-- [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock)
-- [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys)
-- [ADMX_Smartcard/AllowTimeInvalidCertificates](./policy-csp-admx-smartcard.md#admx-smartcard-allowtimeinvalidcertificates)
-- [ADMX_Smartcard/CertPropEnabledString](./policy-csp-admx-smartcard.md#admx-smartcard-certpropenabledstring)
-- [ADMX_Smartcard/CertPropRootCleanupString](./policy-csp-admx-smartcard.md#admx-smartcard-certproprootcleanupstring)
-- [ADMX_Smartcard/CertPropRootEnabledString](./policy-csp-admx-smartcard.md#admx-smartcard-certproprootenabledstring)
-- [ADMX_Smartcard/DisallowPlaintextPin](./policy-csp-admx-smartcard.md#admx-smartcard-disallowplaintextpin)
-- [ADMX_Smartcard/EnumerateECCCerts](./policy-csp-admx-smartcard.md#admx-smartcard-enumerateecccerts)
-- [ADMX_Smartcard/FilterDuplicateCerts](./policy-csp-admx-smartcard.md#admx-smartcard-filterduplicatecerts)
-- [ADMX_Smartcard/ForceReadingAllCertificates](./policy-csp-admx-smartcard.md#admx-smartcard-forcereadingallcertificates)
-- [ADMX_Smartcard/IntegratedUnblockPromptString](./policy-csp-admx-smartcard.md#admx-smartcard-integratedunblockpromptstring)
-- [ADMX_Smartcard/ReverseSubject](./policy-csp-admx-smartcard.md#admx-smartcard-reversesubject)
-- [ADMX_Smartcard/SCPnPEnabled](./policy-csp-admx-smartcard.md#admx-smartcard-scpnpenabled)
-- [ADMX_Smartcard/SCPnPNotification](./policy-csp-admx-smartcard.md#admx-smartcard-scpnpnotification)
-- [ADMX_Smartcard/X509HintsNeeded](./policy-csp-admx-smartcard.md#admx-smartcard-x509hintsneeded)
-- [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities)
-- [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers)
-- [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public)
-- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu)
-- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit)
-- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu)
-- [ADMX_StartMenu/ClearTilesOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-cleartilesonexit)
-- [ADMX_StartMenu/DesktopAppsFirstInAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-desktopappsfirstinappsview)
-- [ADMX_StartMenu/DisableGlobalSearchOnAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-disableglobalsearchonappsview)
-- [ADMX_StartMenu/ForceStartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-forcestartmenulogoff)
-- [ADMX_StartMenu/GoToDesktopOnSignIn](./policy-csp-admx-startmenu.md#admx-startmenu-gotodesktoponsignin)
-- [ADMX_StartMenu/GreyMSIAds](./policy-csp-admx-startmenu.md#admx-startmenu-greymsiads)
-- [ADMX_StartMenu/HidePowerOptions](./policy-csp-admx-startmenu.md#admx-startmenu-hidepoweroptions)
-- [ADMX_StartMenu/Intellimenus](./policy-csp-admx-startmenu.md#admx-startmenu-intellimenus)
-- [ADMX_StartMenu/LockTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-locktaskbar)
-- [ADMX_StartMenu/MemCheckBoxInRunDlg](./policy-csp-admx-startmenu.md#admx-startmenu-memcheckboxinrundlg)
-- [ADMX_StartMenu/NoAutoTrayNotify](./policy-csp-admx-startmenu.md#admx-startmenu-noautotraynotify)
-- [ADMX_StartMenu/NoBalloonTip](./policy-csp-admx-startmenu.md#admx-startmenu-noballoontip)
-- [ADMX_StartMenu/NoChangeStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nochangestartmenu)
-- [ADMX_StartMenu/NoClose](./policy-csp-admx-startmenu.md#admx-startmenu-noclose)
-- [ADMX_StartMenu/NoCommonGroups](./policy-csp-admx-startmenu.md#admx-startmenu-nocommongroups)
-- [ADMX_StartMenu/NoFavoritesMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nofavoritesmenu)
-- [ADMX_StartMenu/NoFind](./policy-csp-admx-startmenu.md#admx-startmenu-nofind)
-- [ADMX_StartMenu/NoGamesFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nogamesfolderonstartmenu)
-- [ADMX_StartMenu/NoHelp](./policy-csp-admx-startmenu.md#admx-startmenu-nohelp)
-- [ADMX_StartMenu/NoInstrumentation](./policy-csp-admx-startmenu.md#admx-startmenu-noinstrumentation)
-- [ADMX_StartMenu/NoMoreProgramsList](./policy-csp-admx-startmenu.md#admx-startmenu-nomoreprogramslist)
-- [ADMX_StartMenu/NoNetAndDialupConnect](./policy-csp-admx-startmenu.md#admx-startmenu-nonetanddialupconnect)
-- [ADMX_StartMenu/NoPinnedPrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nopinnedprograms)
-- [ADMX_StartMenu/NoRecentDocsMenu](./policy-csp-admx-startmenu.md#admx-startmenu-norecentdocsmenu)
-- [ADMX_StartMenu/NoResolveSearch](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvesearch)
-- [ADMX_StartMenu/NoResolveTrack](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvetrack)
-- [ADMX_StartMenu/NoRun](./policy-csp-admx-startmenu.md#admx-startmenu-norun)
-- [ADMX_StartMenu/NoSMConfigurePrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nosmconfigureprograms)
-- [ADMX_StartMenu/NoSMMyDocuments](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmydocuments)
-- [ADMX_StartMenu/NoSMMyMusic](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmymusic)
-- [ADMX_StartMenu/NoSMMyNetworkPlaces](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmynetworkplaces)
-- [ADMX_StartMenu/NoSMMyPictures](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmypictures)
-- [ADMX_StartMenu/NoSearchCommInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomminstartmenu)
-- [ADMX_StartMenu/NoSearchComputerLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomputerlinkinstartmenu)
-- [ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearcheverywherelinkinstartmenu)
-- [ADMX_StartMenu/NoSearchFilesInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchfilesinstartmenu)
-- [ADMX_StartMenu/NoSearchInternetInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchinternetinstartmenu)
-- [ADMX_StartMenu/NoSearchProgramsInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchprogramsinstartmenu)
-- [ADMX_StartMenu/NoSetFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nosetfolders)
-- [ADMX_StartMenu/NoSetTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-nosettaskbar)
-- [ADMX_StartMenu/NoStartMenuDownload](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenudownload)
-- [ADMX_StartMenu/NoStartMenuHomegroup](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuhomegroup)
-- [ADMX_StartMenu/NoStartMenuRecordedTV](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenurecordedtv)
-- [ADMX_StartMenu/NoStartMenuSubFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenusubfolders)
-- [ADMX_StartMenu/NoStartMenuVideos](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuvideos)
-- [ADMX_StartMenu/NoStartPage](./policy-csp-admx-startmenu.md#admx-startmenu-nostartpage)
-- [ADMX_StartMenu/NoTaskBarClock](./policy-csp-admx-startmenu.md#admx-startmenu-notaskbarclock)
-- [ADMX_StartMenu/NoTaskGrouping](./policy-csp-admx-startmenu.md#admx-startmenu-notaskgrouping)
-- [ADMX_StartMenu/NoToolbarsOnTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-notoolbarsontaskbar)
-- [ADMX_StartMenu/NoTrayContextMenu](./policy-csp-admx-startmenu.md#admx-startmenu-notraycontextmenu)
-- [ADMX_StartMenu/NoTrayItemsDisplay](./policy-csp-admx-startmenu.md#admx-startmenu-notrayitemsdisplay)
-- [ADMX_StartMenu/NoUninstallFromStart](./policy-csp-admx-startmenu.md#admx-startmenu-nouninstallfromstart)
-- [ADMX_StartMenu/NoUserFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nouserfolderonstartmenu)
-- [ADMX_StartMenu/NoUserNameOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nousernameonstartmenu)
-- [ADMX_StartMenu/NoWindowsUpdate](./policy-csp-admx-startmenu.md#admx-startmenu-nowindowsupdate)
-- [ADMX_StartMenu/PowerButtonAction](./policy-csp-admx-startmenu.md#admx-startmenu-powerbuttonaction)
-- [ADMX_StartMenu/QuickLaunchEnabled](./policy-csp-admx-startmenu.md#admx-startmenu-quicklaunchenabled)
-- [ADMX_StartMenu/RemoveUnDockPCButton](./policy-csp-admx-startmenu.md#admx-startmenu-removeundockpcbutton)
-- [ADMX_StartMenu/ShowAppsViewOnStart](./policy-csp-admx-startmenu.md#admx-startmenu-showappsviewonstart)
-- [ADMX_StartMenu/ShowRunAsDifferentUserInStart](./policy-csp-admx-startmenu.md#admx-startmenu-showrunasdifferentuserinstart)
-- [ADMX_StartMenu/ShowRunInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-showruninstartmenu)
-- [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey)
-- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff)
-- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled)
-- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig)
-- [ADMX_TabletShell/DisableInkball_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1)
-- [ADMX_TabletShell/DisableNoteWriterPrinting_1](./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1)
-- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter)
-- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications)
-- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth)
-- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md#admx-taskbar-hidescanetwork)
-- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md#admx-taskbar-hidescapower)
-- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md#admx-taskbar-hidescavolume)
-- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md#admx-taskbar-noballoonfeatureadvertisements)
-- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningstoretotaskbar)
-- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtodestinations)
-- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtotaskbar)
-- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-noremotedestinations)
-- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md#admx-taskbar-nosystraysystempromotion)
-- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-showwindowsstoreappsontaskbar)
-- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarlockall)
-- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoaddremovetoolbar)
-- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnodragtoolbar)
-- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnomultimon)
-- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnonotification)
-- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnopinnedlist)
-- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoredock)
-- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoresize)
-- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnothumbnail)
-- [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name)
-- [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval)
-- [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state)
-- [ADMX_tcpip/IPHTTPS_ClientState](./policy-csp-admx-tcpip.md#admx-tcpip-iphttps-clientstate)
-- [ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State](./policy-csp-admx-tcpip.md#admx-tcpip-ip-stateless-autoconfiguration-limits-state)
-- [ADMX_tcpip/ISATAP_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-isatap-router-name)
-- [ADMX_tcpip/ISATAP_State](./policy-csp-admx-tcpip.md#admx-tcpip-isatap-state)
-- [ADMX_tcpip/Teredo_Client_Port](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-client-port)
-- [ADMX_tcpip/Teredo_Default_Qualified](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-default-qualified)
-- [ADMX_tcpip/Teredo_Refresh_Rate](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-refresh-rate)
-- [ADMX_tcpip/Teredo_Server_Name](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name)
-- [ADMX_tcpip/Teredo_State](./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state)
-- [ADMX_tcpip/Windows_Scaling_Heuristics_State](./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state)
-- [ADMX_TerminalServer/TS_AUTO_RECONNECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect)
-- [ADMX_TerminalServer/TS_CAMERA_REDIRECTION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection)
-- [ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy)
-- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1)
-- [ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2)
-- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1)
-- [ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2)
-- [ADMX_TerminalServer/TS_CLIENT_AUDIO](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio)
-- [ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture)
-- [ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality)
-- [ADMX_TerminalServer/TS_CLIENT_CLIPBOARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard)
-- [ADMX_TerminalServer/TS_CLIENT_COM](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com)
-- [ADMX_TerminalServer/TS_CLIENT_DEFAULT_M](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m)
-- [ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode)
-- [ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1)
-- [ADMX_TerminalServer/TS_CLIENT_LPT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt)
-- [ADMX_TerminalServer/TS_CLIENT_PNP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp)
-- [ADMX_TerminalServer/TS_CLIENT_PRINTER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer)
-- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1)
-- [ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2)
-- [ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp)
-- [ADMX_TerminalServer/TS_COLORDEPTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth)
-- [ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles)
-- [ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper)
-- [ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu)
-- [ADMX_TerminalServer/TS_EASY_PRINT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print)
-- [ADMX_TerminalServer/TS_EASY_PRINT_User](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user)
-- [ADMX_TerminalServer/TS_EnableVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics)
-- [ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype)
-- [ADMX_TerminalServer/TS_FORCIBLE_LOGOFF](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff)
-- [ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable)
-- [ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method)
-- [ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server)
-- [ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory)
-- [ADMX_TerminalServer/TS_KEEP_ALIVE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive)
-- [ADMX_TerminalServer/TS_LICENSE_SECGROUP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup)
-- [ADMX_TerminalServer/TS_LICENSE_SERVERS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers)
-- [ADMX_TerminalServer/TS_LICENSE_TOOLTIP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip)
-- [ADMX_TerminalServer/TS_LICENSING_MODE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode)
-- [ADMX_TerminalServer/TS_MAX_CON_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy)
-- [ADMX_TerminalServer/TS_MAXDISPLAYRES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres)
-- [ADMX_TerminalServer/TS_MAXMONITOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor)
-- [ADMX_TerminalServer/TS_NoDisconnectMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu)
-- [ADMX_TerminalServer/TS_NoSecurityMenu](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu)
-- [ADMX_TerminalServer/TS_PreventLicenseUpgrade](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade)
-- [ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp)
-- [ADMX_TerminalServer/TS_RADC_DefaultConnection](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection)
-- [ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration)
-- [ADMX_TerminalServer/TS_RemoteControl_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1)
-- [ADMX_TerminalServer/TS_RemoteControl_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2)
-- [ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics)
-- [ADMX_TerminalServer/TS_SD_ClustName](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname)
-- [ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address)
-- [ADMX_TerminalServer/TS_SD_Loc](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc)
-- [ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy)
-- [ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect)
-- [ADMX_TerminalServer/TS_SELECT_TRANSPORT](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport)
-- [ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp)
-- [ADMX_TerminalServer/TS_SERVER_AUTH](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth)
-- [ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred)
-- [ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred)
-- [ADMX_TerminalServer/TS_SERVER_COMPRESSOR](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor)
-- [ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality)
-- [ADMX_TerminalServer/TS_SERVER_LEGACY_RFX](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx)
-- [ADMX_TerminalServer/TS_SERVER_PROFILE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile)
-- [ADMX_TerminalServer/TS_SERVER_VISEXP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp)
-- [ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver)
-- [ADMX_TerminalServer/TS_Session_End_On_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1)
-- [ADMX_TerminalServer/TS_Session_End_On_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2)
-- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1)
-- [ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2)
-- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1)
-- [ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2)
-- [ADMX_TerminalServer/TS_SESSIONS_Limits_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_1)
-- [ADMX_TerminalServer/TS_SESSIONS_Limits_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_limits_2)
-- [ADMX_TerminalServer/TS_SINGLE_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session)
-- [ADMX_TerminalServer/TS_SMART_CARD](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card)
-- [ADMX_TerminalServer/TS_START_PROGRAM_1](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1)
-- [ADMX_TerminalServer/TS_START_PROGRAM_2](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2)
-- [ADMX_TerminalServer/TS_TEMP_DELETE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete)
-- [ADMX_TerminalServer/TS_TEMP_PER_SESSION](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session)
-- [ADMX_TerminalServer/TS_TIME_ZONE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone)
-- [ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy)
-- [ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp)
-- [ADMX_TerminalServer/TS_UIA](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia)
-- [ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable)
-- [ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy)
-- [ADMX_TerminalServer/TS_USER_HOME](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home)
-- [ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles)
-- [ADMX_TerminalServer/TS_USER_PROFILES](./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles)
-- [ADMX_Thumbnails/DisableThumbnails](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails)
-- [ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders)
-- [ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders](./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders)
-- [ADMX_TouchInput/TouchInputOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1)
-- [ADMX_TouchInput/TouchInputOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2)
-- [ADMX_TouchInput/PanningEverywhereOff_1](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1)
-- [ADMX_TouchInput/PanningEverywhereOff_2](./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2)
-- [ADMX_TPM/BlockedCommandsList_Name](./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name)
-- [ADMX_TPM/ClearTPMIfNotReady_Name](./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name)
-- [ADMX_TPM/IgnoreDefaultList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name)
-- [ADMX_TPM/IgnoreLocalList_Name](./policy-csp-admx-tpm.md#admx-tpm-ignorelocallist-name)
-- [ADMX_TPM/OSManagedAuth_Name](./policy-csp-admx-tpm.md#admx-tpm-osmanagedauth-name)
-- [ADMX_TPM/OptIntoDSHA_Name](./policy-csp-admx-tpm.md#admx-tpm-optintodsha-name)
-- [ADMX_TPM/StandardUserAuthorizationFailureDuration_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureduration-name)
-- [ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureindividualthreshold-name)
-- [ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name](./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailuretotalthreshold-name)
-- [ADMX_TPM/UseLegacyDAP_Name](./policy-csp-admx-tpm.md#admx-tpm-uselegacydap-name)
-- [ADMX_UserExperienceVirtualization/Calculator](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-calculator)
-- [ADMX_UserExperienceVirtualization/ConfigureSyncMethod](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configuresyncmethod)
-- [ADMX_UserExperienceVirtualization/ConfigureVdi](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configurevdi)
-- [ADMX_UserExperienceVirtualization/ContactITDescription](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactitdescription)
-- [ADMX_UserExperienceVirtualization/ContactITUrl](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactiturl)
-- [ADMX_UserExperienceVirtualization/DisableWin8Sync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewin8sync)
-- [ADMX_UserExperienceVirtualization/DisableWindowsOSSettings](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewindowsossettings)
-- [ADMX_UserExperienceVirtualization/EnableUEV](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-enableuev)
-- [ADMX_UserExperienceVirtualization/Finance](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-finance)
-- [ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-firstusenotificationenabled)
-- [ADMX_UserExperienceVirtualization/Games](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-games)
-- [ADMX_UserExperienceVirtualization/InternetExplorer8](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer8)
-- [ADMX_UserExperienceVirtualization/InternetExplorer9](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer9)
-- [ADMX_UserExperienceVirtualization/InternetExplorer10](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer10)
-- [ADMX_UserExperienceVirtualization/InternetExplorer11](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer11)
-- [ADMX_UserExperienceVirtualization/InternetExplorerCommon](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorercommon)
-- [ADMX_UserExperienceVirtualization/Maps](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maps)
-- [ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maxpackagesizeinbytes)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010access)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010common)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010excel)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010infopath)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010lync)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010onenote)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010outlook)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010powerpoint)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010project)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010publisher)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointdesigner)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointworkspace)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010visio)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010word)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013access)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013accessbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013common)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013commonbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excel)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excelbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopath)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopathbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lync)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lyncbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onedriveforbusiness)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenote)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenotebackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlook)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlookbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpoint)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpointbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013project)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013projectbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisher)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisherbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesigner)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesignerbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013uploadcenter)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visio)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visiobackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013word)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013wordbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016access)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016accessbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016common)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016commonbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excel)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excelbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lync)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lyncbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onedriveforbusiness)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenote)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenotebackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlook)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlookbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpoint)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpointbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016project)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016projectbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisher)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisherbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016uploadcenter)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visio)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visiobackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016word)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016wordbackup)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365infopath2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365sharepointdesigner2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2016)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2013)
-- [ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2016)
-- [ADMX_UserExperienceVirtualization/Music](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-music)
-- [ADMX_UserExperienceVirtualization/News](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-news)
-- [ADMX_UserExperienceVirtualization/Notepad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-notepad)
-- [ADMX_UserExperienceVirtualization/Reader](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-reader)
-- [ADMX_UserExperienceVirtualization/RepositoryTimeout](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-repositorytimeout)
-- [ADMX_UserExperienceVirtualization/SettingsStoragePath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingsstoragepath)
-- [ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingstemplatecatalogpath)
-- [ADMX_UserExperienceVirtualization/Sports](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-sports)
-- [ADMX_UserExperienceVirtualization/SyncEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncenabled)
-- [ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetwork)
-- [ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetworkwhenroaming)
-- [ADMX_UserExperienceVirtualization/SyncProviderPingEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncproviderpingenabled)
-- [ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncunlistedwindows8apps)
-- [ADMX_UserExperienceVirtualization/Travel](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-travel)
-- [ADMX_UserExperienceVirtualization/TrayIconEnabled](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-trayiconenabled)
-- [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video)
-- [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather)
-- [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad)
-- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles)
-- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive)
-- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata)
-- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize)
-- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction)
-- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout)
-- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home)
-- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction)
-- [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config)
-- [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient)
-- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient)
-- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpserver)
-- [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement)
-- [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect)
-- [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections)
-- [ADMX_WDI/WdiDpsScenarioExecutionPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy)
-- [ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy](./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy)
-- [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1)
-- [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2)
-- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1)
-- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2)
-- [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar)
-- [ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-checksamesourceandtargetforfranddfs)
-- [ADMX_WindowsExplorer/ClassicShell](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-classicshell)
-- [ADMX_WindowsExplorer/ConfirmFileDelete](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-confirmfiledelete)
-- [ADMX_WindowsExplorer/DefaultLibrariesLocation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-defaultlibrarieslocation)
-- [ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablebinddirectlytopropertysetstorage)
-- [ADMX_WindowsExplorer/DisableIndexedLibraryExperience](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableindexedlibraryexperience)
-- [ADMX_WindowsExplorer/DisableKnownFolders](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableknownfolders)
-- [ADMX_WindowsExplorer/DisableSearchBoxSuggestions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablesearchboxsuggestions)
-- [ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enableshellshortcuticonremotepath)
-- [ADMX_WindowsExplorer/EnableSmartScreen](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enablesmartscreen)
-- [ADMX_WindowsExplorer/EnforceShellExtensionSecurity](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enforceshellextensionsecurity)
-- [ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-explorerribbonstartsminimized)
-- [ADMX_WindowsExplorer/HideContentViewModeSnippets](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-hidecontentviewmodesnippets)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internet)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranet)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachine)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restricted)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trusted)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internet)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranet)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachine)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restricted)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trusted)
-- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown)
-- [ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-linkresolveignorelinkinfo)
-- [ADMX_WindowsExplorer/MaxRecentDocs](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-maxrecentdocs)
-- [ADMX_WindowsExplorer/NoBackButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nobackbutton)
-- [ADMX_WindowsExplorer/NoCDBurning](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocdburning)
-- [ADMX_WindowsExplorer/NoCacheThumbNailPictures](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocachethumbnailpictures)
-- [ADMX_WindowsExplorer/NoChangeAnimation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangeanimation)
-- [ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangekeyboardnavigationindicators)
-- [ADMX_WindowsExplorer/NoDFSTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodfstab)
-- [ADMX_WindowsExplorer/NoDrives](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodrives)
-- [ADMX_WindowsExplorer/NoEntireNetwork](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noentirenetwork)
-- [ADMX_WindowsExplorer/NoFileMRU](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemru)
-- [ADMX_WindowsExplorer/NoFileMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemenu)
-- [ADMX_WindowsExplorer/NoFolderOptions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofolderoptions)
-- [ADMX_WindowsExplorer/NoHardwareTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nohardwaretab)
-- [ADMX_WindowsExplorer/NoManageMyComputerVerb](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomanagemycomputerverb)
-- [ADMX_WindowsExplorer/NoMyComputerSharedDocuments](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomycomputershareddocuments)
-- [ADMX_WindowsExplorer/NoNetConnectDisconnect](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonetconnectdisconnect)
-- [ADMX_WindowsExplorer/NoNewAppAlert](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonewappalert)
-- [ADMX_WindowsExplorer/NoPlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noplacesbar)
-- [ADMX_WindowsExplorer/NoRecycleFiles](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norecyclefiles)
-- [ADMX_WindowsExplorer/NoRunAsInstallPrompt](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norunasinstallprompt)
-- [ADMX_WindowsExplorer/NoSearchInternetTryHarderButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosearchinternettryharderbutton)
-- [ADMX_WindowsExplorer/NoSecurityTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosecuritytab)
-- [ADMX_WindowsExplorer/NoShellSearchButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noshellsearchbutton)
-- [ADMX_WindowsExplorer/NoStrCmpLogical](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nostrcmplogical)
-- [ADMX_WindowsExplorer/NoViewContextMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewcontextmenu)
-- [ADMX_WindowsExplorer/NoViewOnDrive](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewondrive)
-- [ADMX_WindowsExplorer/NoWindowsHotKeys](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nowindowshotkeys)
-- [ADMX_WindowsExplorer/NoWorkgroupContents](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noworkgroupcontents)
-- [ADMX_WindowsExplorer/PlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-placesbar)
-- [ADMX_WindowsExplorer/PromptRunasInstallNetPath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-promptrunasinstallnetpath)
-- [ADMX_WindowsExplorer/RecycleBinSize](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-recyclebinsize)
-- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-1)
-- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-2)
-- [ADMX_WindowsExplorer/ShowHibernateOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showhibernateoption)
-- [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption)
-- [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary)
-- [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch)
-- [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline)
-- [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings)
-- [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings)
-- [ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurertspproxysettings)
-- [ADMX_WindowsMediaPlayer/DisableAutoUpdate](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disableautoupdate)
-- [ADMX_WindowsMediaPlayer/DisableNetworkSettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablenetworksettings)
-- [ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablesetupfirstuseconfiguration)
-- [ADMX_WindowsMediaPlayer/DoNotShowAnchor](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-donotshowanchor)
-- [ADMX_WindowsMediaPlayer/DontUseFrameInterpolation](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-dontuseframeinterpolation)
-- [ADMX_WindowsMediaPlayer/EnableScreenSaver](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-enablescreensaver)
-- [ADMX_WindowsMediaPlayer/HidePrivacyTab](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hideprivacytab)
-- [ADMX_WindowsMediaPlayer/HideSecurityTab](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hidesecuritytab)
-- [ADMX_WindowsMediaPlayer/NetworkBuffering](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-networkbuffering)
-- [ADMX_WindowsMediaPlayer/PolicyCodecUpdate](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-policycodecupdate)
-- [ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventcddvdmetadataretrieval)
-- [ADMX_WindowsMediaPlayer/PreventLibrarySharing](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventlibrarysharing)
-- [ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventmusicfilemetadataretrieval)
-- [ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventquicklaunchshortcut)
-- [ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventradiopresetsretrieval)
-- [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut)
-- [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown)
-- [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols)
-- [ADMX_WindowsRemoteManagement/DisallowKerberos_1](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-1)
-- [ADMX_WindowsRemoteManagement/DisallowKerberos_2](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-2)
-- [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8)
-- [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1)
-- [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2)
-- [ADMX_WindowsStore/RemoveWindowsStore_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-1)
-- [ADMX_WindowsStore/RemoveWindowsStore_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-2)
-- [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription)
-- [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot)
-- [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription)
-- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell)
-- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription)
-- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription)
-- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription)
-- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription)
-- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration)
-- [ADMX_Winsrv/AllowBlockingAppsAtShutdown](./policy-csp-admx-winsrv.md#admx-winsrv-allowblockingappsatshutdown)
-- [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost)
-- [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced)
-- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred)
-- [ADMX_WordWheel/CustomSearch](./policy-csp-admx-wordwheel.md#admx-wordwheel-customsearch)
-- [ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenabletokenbroker)
-- [ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenableworkfolders)
-- [ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders](./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_machineenableworkfolders)
-- [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours)
-- [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification)
-- [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours)
-- [ADMX_WPN/NoToastNotification](./policy-csp-admx-wpn.md#admx-wpn-notoastnotification)
-- [ADMX_WPN/QuietHoursDailyBeginMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute)
-- [ADMX_WPN/QuietHoursDailyEndMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute)
-- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
-- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
-- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
-- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
-- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
-- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
-- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
-- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
-- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
-- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
-- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
-- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
-- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
-- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
-- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
-- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
-- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
-- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
-- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
-- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
-- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
-- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
-- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
-- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
-- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
-- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
-- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
-- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
-- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
-- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
-- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
-- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
-- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
-- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
-- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
-- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp)
-- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
-- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
-- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
-- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
-- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
-- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
-- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
-- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources)
-- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller)
-- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles)
-- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride)
-- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource)
-- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol)
-- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings)
-- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources)
-- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures)
-- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses)
-- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
-- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
-- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
-- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
-- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
-- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
-- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
-- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
-- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
-- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
-- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
-- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
-- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
-- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
-- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
-- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
-- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
-- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
-- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
-- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
-- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
-- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
-- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
-- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
-- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
-- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
-- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
-- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
-- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
-- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
-- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
-- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
-- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
-- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
-- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
-- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
-- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
-- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
-- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
-- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
-- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
-- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
-- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
-- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
-- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
-- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
-- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
-- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
-- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
-- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
-- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
-- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
-- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
-- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
-- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
-- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
-- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
-- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
-- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
-- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
-- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
-- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
-- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
-- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
-- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
-- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
-- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
-- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
-- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
-- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
-- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
-- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
-- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
-- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
-- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
-- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
-- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
-- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
-- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
-- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
-- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
-- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
-- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
-- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
-- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
-- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
-- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
-- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
-- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
-- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
-- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
-- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
-- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
-- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
-- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
-- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
-- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
-- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
-- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
-- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
-- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
-- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
-- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
-- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
-- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
-- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
-- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
-- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
-- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
-- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
-- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
-- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
-- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
-- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
-- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
-- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
-- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
-- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
-- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
-- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
-- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
-- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
-- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
-- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
-- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
-- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
-- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
-- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
-- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
-- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
-- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
-- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
-- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
-- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
-- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
-- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
-- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
-- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
-- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
-- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
-- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
-- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
-- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
-- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
-- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
-- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
-- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
-- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
-- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
-- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
-- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
-- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
-- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
-- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
-- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
-- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
-- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
-- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
-- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
-- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
-- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
-- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
-- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
-- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
-- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
-- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
-- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
-- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
+This article lists the ADMX-backed policies in Policy CSP.
 
-## Related topics
+## ActiveXControls
 
-[Policy CSP](policy-configuration-service-provider.md)
+- [ApprovedInstallationSites](policy-csp-activexcontrols.md)
+
+## ADMX_ActiveXInstallService
+
+- [AxISURLZonePolicies](policy-csp-admx-activexinstallservice.md)
+
+## ADMX_AddRemovePrograms
+
+- [NoServices](policy-csp-admx-addremoveprograms.md)
+- [NoAddPage](policy-csp-admx-addremoveprograms.md)
+- [NoWindowsSetupPage](policy-csp-admx-addremoveprograms.md)
+- [NoRemovePage](policy-csp-admx-addremoveprograms.md)
+- [NoAddFromCDorFloppy](policy-csp-admx-addremoveprograms.md)
+- [NoAddFromInternet](policy-csp-admx-addremoveprograms.md)
+- [NoAddFromNetwork](policy-csp-admx-addremoveprograms.md)
+- [NoChooseProgramsPage](policy-csp-admx-addremoveprograms.md)
+- [NoAddRemovePrograms](policy-csp-admx-addremoveprograms.md)
+- [NoSupportInfo](policy-csp-admx-addremoveprograms.md)
+- [DefaultCategory](policy-csp-admx-addremoveprograms.md)
+
+## ADMX_AdmPwd
+
+- [POL_AdmPwd_DontAllowPwdExpirationBehindPolicy](policy-csp-admx-admpwd.md)
+- [POL_AdmPwd_Enabled](policy-csp-admx-admpwd.md)
+- [POL_AdmPwd_AdminName](policy-csp-admx-admpwd.md)
+- [POL_AdmPwd](policy-csp-admx-admpwd.md)
+
+## ADMX_AppCompat
+
+- [AppCompatTurnOffProgramCompatibilityAssistant_1](policy-csp-admx-appcompat.md)
+- [AppCompatPrevent16BitMach](policy-csp-admx-appcompat.md)
+- [AppCompatRemoveProgramCompatPropPage](policy-csp-admx-appcompat.md)
+- [AppCompatTurnOffEngine](policy-csp-admx-appcompat.md)
+- [AppCompatTurnOffApplicationImpactTelemetry](policy-csp-admx-appcompat.md)
+- [AppCompatTurnOffProgramInventory](policy-csp-admx-appcompat.md)
+- [AppCompatTurnOffProgramCompatibilityAssistant_2](policy-csp-admx-appcompat.md)
+- [AppCompatTurnOffUserActionRecord](policy-csp-admx-appcompat.md)
+- [AppCompatTurnOffSwitchBack](policy-csp-admx-appcompat.md)
+
+## ADMX_AppxPackageManager
+
+- [AllowDeploymentInSpecialProfiles](policy-csp-admx-appxpackagemanager.md)
+
+## ADMX_AppXRuntime
+
+- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
+- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
+- [AppxRuntimeBlockFileElevation](policy-csp-admx-appxruntime.md)
+- [AppxRuntimeBlockProtocolElevation](policy-csp-admx-appxruntime.md)
+- [AppxRuntimeBlockHostedAppAccessWinRT](policy-csp-admx-appxruntime.md)
+- [AppxRuntimeApplicationContentUriRules](policy-csp-admx-appxruntime.md)
+
+## ADMX_AttachmentManager
+
+- [AM_SetFileRiskLevel](policy-csp-admx-attachmentmanager.md)
+- [AM_SetHighRiskInclusion](policy-csp-admx-attachmentmanager.md)
+- [AM_SetLowRiskInclusion](policy-csp-admx-attachmentmanager.md)
+- [AM_SetModRiskInclusion](policy-csp-admx-attachmentmanager.md)
+- [AM_EstimateFileHandlerRisk](policy-csp-admx-attachmentmanager.md)
+
+## ADMX_AuditSettings
+
+- [IncludeCmdLine](policy-csp-admx-auditsettings.md)
+
+## ADMX_Bits
+
+- [BITS_EnablePeercaching](policy-csp-admx-bits.md)
+- [BITS_DisableBranchCache](policy-csp-admx-bits.md)
+- [BITS_DisablePeercachingClient](policy-csp-admx-bits.md)
+- [BITS_DisablePeercachingServer](policy-csp-admx-bits.md)
+- [BITS_MaxContentAge](policy-csp-admx-bits.md)
+- [BITS_MaxCacheSize](policy-csp-admx-bits.md)
+- [BITS_MaxDownloadTime](policy-csp-admx-bits.md)
+- [BITS_MaxBandwidthServedForPeers](policy-csp-admx-bits.md)
+- [BITS_MaxJobsPerUser](policy-csp-admx-bits.md)
+- [BITS_MaxJobsPerMachine](policy-csp-admx-bits.md)
+- [BITS_MaxFilesPerJob](policy-csp-admx-bits.md)
+- [BITS_MaxRangesPerFile](policy-csp-admx-bits.md)
+- [BITS_MaxBandwidthV2_Maintenance](policy-csp-admx-bits.md)
+- [BITS_MaxBandwidthV2_Work](policy-csp-admx-bits.md)
+
+## ADMX_CipherSuiteOrder
+
+- [SSLCurveOrder](policy-csp-admx-ciphersuiteorder.md)
+- [SSLCipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md)
+
+## ADMX_COM
+
+- [AppMgmt_COM_SearchForCLSID_1](policy-csp-admx-com.md)
+- [AppMgmt_COM_SearchForCLSID_2](policy-csp-admx-com.md)
+
+## ADMX_ControlPanel
+
+- [ForceClassicControlPanel](policy-csp-admx-controlpanel.md)
+- [DisallowCpls](policy-csp-admx-controlpanel.md)
+- [NoControlPanel](policy-csp-admx-controlpanel.md)
+- [RestrictCpls](policy-csp-admx-controlpanel.md)
+
+## ADMX_ControlPanelDisplay
+
+- [CPL_Display_Disable](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Display_HideSettings](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_EnableScreenSaver](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_SetVisualStyle](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_SetScreenSaver](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_ScreenSaverIsSecure](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoColorAppearanceUI](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_DisableColorSchemeChoice](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoDesktopBackgroundUI](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoDesktopIconsUI](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoMousePointersUI](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoScreenSaverUI](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoSoundSchemeUI](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_DisableThemeChange](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_DisableVisualStyle](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_LockFontSize](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_ScreenSaverTimeOut](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoLockScreen](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_PersonalColors](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_ForceDefaultLockScreen](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_StartBackground](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_SetTheme](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoChangingLockScreen](policy-csp-admx-controlpaneldisplay.md)
+- [CPL_Personalization_NoChangingStartMenuBackground](policy-csp-admx-controlpaneldisplay.md)
+
+## ADMX_Cpls
+
+- [UseDefaultTile](policy-csp-admx-cpls.md)
+
+## ADMX_CredentialProviders
+
+- [AllowDomainDelayLock](policy-csp-admx-credentialproviders.md)
+- [DefaultCredentialProvider](policy-csp-admx-credentialproviders.md)
+- [ExcludedCredentialProviders](policy-csp-admx-credentialproviders.md)
+
+## ADMX_CredSsp
+
+- [AllowDefaultCredentials](policy-csp-admx-credssp.md)
+- [AllowDefCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md)
+- [AllowFreshCredentials](policy-csp-admx-credssp.md)
+- [AllowFreshCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md)
+- [AllowSavedCredentials](policy-csp-admx-credssp.md)
+- [AllowSavedCredentialsWhenNTLMOnly](policy-csp-admx-credssp.md)
+- [DenyDefaultCredentials](policy-csp-admx-credssp.md)
+- [DenyFreshCredentials](policy-csp-admx-credssp.md)
+- [DenySavedCredentials](policy-csp-admx-credssp.md)
+- [AllowEncryptionOracle](policy-csp-admx-credssp.md)
+- [RestrictedRemoteAdministration](policy-csp-admx-credssp.md)
+
+## ADMX_CredUI
+
+- [NoLocalPasswordResetQuestions](policy-csp-admx-credui.md)
+- [EnableSecureCredentialPrompting](policy-csp-admx-credui.md)
+
+## ADMX_CtrlAltDel
+
+- [DisableChangePassword](policy-csp-admx-ctrlaltdel.md)
+- [DisableLockComputer](policy-csp-admx-ctrlaltdel.md)
+- [NoLogoff](policy-csp-admx-ctrlaltdel.md)
+- [DisableTaskMgr](policy-csp-admx-ctrlaltdel.md)
+
+## ADMX_DataCollection
+
+- [CommercialIdPolicy](policy-csp-admx-datacollection.md)
+
+## ADMX_DCOM
+
+- [DCOMActivationSecurityCheckAllowLocalList](policy-csp-admx-dcom.md)
+- [DCOMActivationSecurityCheckExemptionList](policy-csp-admx-dcom.md)
+
+## ADMX_Desktop
+
+- [AD_EnableFilter](policy-csp-admx-desktop.md)
+- [AD_HideDirectoryFolder](policy-csp-admx-desktop.md)
+- [AD_QueryLimit](policy-csp-admx-desktop.md)
+- [sz_AdminComponents_Title](policy-csp-admx-desktop.md)
+- [sz_DWP_NoHTMLPaper](policy-csp-admx-desktop.md)
+- [Wallpaper](policy-csp-admx-desktop.md)
+- [NoActiveDesktop](policy-csp-admx-desktop.md)
+- [sz_ATC_NoComponents](policy-csp-admx-desktop.md)
+- [ForceActiveDesktopOn](policy-csp-admx-desktop.md)
+- [sz_ATC_DisableAdd](policy-csp-admx-desktop.md)
+- [NoActiveDesktopChanges](policy-csp-admx-desktop.md)
+- [sz_ATC_DisableClose](policy-csp-admx-desktop.md)
+- [sz_ATC_DisableDel](policy-csp-admx-desktop.md)
+- [sz_ATC_DisableEdit](policy-csp-admx-desktop.md)
+- [NoRecentDocsNetHood](policy-csp-admx-desktop.md)
+- [NoSaveSettings](policy-csp-admx-desktop.md)
+- [NoDesktop](policy-csp-admx-desktop.md)
+- [NoInternetIcon](policy-csp-admx-desktop.md)
+- [NoNetHood](policy-csp-admx-desktop.md)
+- [sz_DB_DragDropClose](policy-csp-admx-desktop.md)
+- [sz_DB_Moving](policy-csp-admx-desktop.md)
+- [NoMyComputerIcon](policy-csp-admx-desktop.md)
+- [NoMyDocumentsIcon](policy-csp-admx-desktop.md)
+- [NoPropertiesMyComputer](policy-csp-admx-desktop.md)
+- [NoPropertiesMyDocuments](policy-csp-admx-desktop.md)
+- [NoRecycleBinProperties](policy-csp-admx-desktop.md)
+- [NoRecycleBinIcon](policy-csp-admx-desktop.md)
+- [NoDesktopCleanupWizard](policy-csp-admx-desktop.md)
+- [NoWindowMinimizingShortcuts](policy-csp-admx-desktop.md)
+- [NoDesktop](policy-csp-admx-desktop.md)
+
+## ADMX_DeviceCompat
+
+- [DeviceFlags](policy-csp-admx-devicecompat.md)
+- [DriverShims](policy-csp-admx-devicecompat.md)
+
+## ADMX_DeviceGuard
+
+- [ConfigCIPolicy](policy-csp-admx-deviceguard.md)
+
+## ADMX_DeviceInstallation
+
+- [DeviceInstall_InstallTimeout](policy-csp-admx-deviceinstallation.md)
+- [DeviceInstall_AllowAdminInstall](policy-csp-admx-deviceinstallation.md)
+- [DeviceInstall_DeniedPolicy_SimpleText](policy-csp-admx-deviceinstallation.md)
+- [DeviceInstall_DeniedPolicy_DetailText](policy-csp-admx-deviceinstallation.md)
+- [DeviceInstall_Removable_Deny](policy-csp-admx-deviceinstallation.md)
+- [DeviceInstall_Policy_RebootTime](policy-csp-admx-deviceinstallation.md)
+- [DeviceInstall_SystemRestore](policy-csp-admx-deviceinstallation.md)
+- [DriverInstall_Classes_AllowUser](policy-csp-admx-deviceinstallation.md)
+
+## ADMX_DeviceSetup
+
+- [DriverSearchPlaces_SearchOrderConfiguration](policy-csp-admx-devicesetup.md)
+- [DeviceInstall_BalloonTips](policy-csp-admx-devicesetup.md)
+
+## ADMX_DFS
+
+- [DFSDiscoverDC](policy-csp-admx-dfs.md)
+
+## ADMX_DigitalLocker
+
+- [Digitalx_DiableApplication_TitleText_1](policy-csp-admx-digitallocker.md)
+- [Digitalx_DiableApplication_TitleText_2](policy-csp-admx-digitallocker.md)
+
+## ADMX_DiskDiagnostic
+
+- [DfdAlertPolicy](policy-csp-admx-diskdiagnostic.md)
+- [WdiScenarioExecutionPolicy](policy-csp-admx-diskdiagnostic.md)
+
+## ADMX_DiskNVCache
+
+- [BootResumePolicy](policy-csp-admx-disknvcache.md)
+- [CachePowerModePolicy](policy-csp-admx-disknvcache.md)
+- [FeatureOffPolicy](policy-csp-admx-disknvcache.md)
+- [SolidStatePolicy](policy-csp-admx-disknvcache.md)
+
+## ADMX_DiskQuota
+
+- [DQ_RemovableMedia](policy-csp-admx-diskquota.md)
+- [DQ_Enable](policy-csp-admx-diskquota.md)
+- [DQ_Enforce](policy-csp-admx-diskquota.md)
+- [DQ_LogEventOverLimit](policy-csp-admx-diskquota.md)
+- [DQ_LogEventOverThreshold](policy-csp-admx-diskquota.md)
+- [DQ_Limit](policy-csp-admx-diskquota.md)
+
+## ADMX_DistributedLinkTracking
+
+- [DLT_AllowDomainMode](policy-csp-admx-distributedlinktracking.md)
+
+## ADMX_DnsClient
+
+- [DNS_AppendToMultiLabelName](policy-csp-admx-dnsclient.md)
+- [DNS_AllowFQDNNetBiosQueries](policy-csp-admx-dnsclient.md)
+- [DNS_Domain](policy-csp-admx-dnsclient.md)
+- [DNS_NameServer](policy-csp-admx-dnsclient.md)
+- [DNS_SearchList](policy-csp-admx-dnsclient.md)
+- [DNS_RegistrationEnabled](policy-csp-admx-dnsclient.md)
+- [DNS_IdnMapping](policy-csp-admx-dnsclient.md)
+- [DNS_PreferLocalResponsesOverLowerOrderDns](policy-csp-admx-dnsclient.md)
+- [DNS_PrimaryDnsSuffix](policy-csp-admx-dnsclient.md)
+- [DNS_UseDomainNameDevolution](policy-csp-admx-dnsclient.md)
+- [DNS_DomainNameDevolutionLevel](policy-csp-admx-dnsclient.md)
+- [DNS_RegisterAdapterName](policy-csp-admx-dnsclient.md)
+- [DNS_RegisterReverseLookup](policy-csp-admx-dnsclient.md)
+- [DNS_RegistrationRefreshInterval](policy-csp-admx-dnsclient.md)
+- [DNS_RegistrationOverwritesInConflict](policy-csp-admx-dnsclient.md)
+- [DNS_RegistrationTtl](policy-csp-admx-dnsclient.md)
+- [DNS_IdnEncoding](policy-csp-admx-dnsclient.md)
+- [Turn_Off_Multicast](policy-csp-admx-dnsclient.md)
+- [DNS_SmartMultiHomedNameResolution](policy-csp-admx-dnsclient.md)
+- [DNS_SmartProtocolReorder](policy-csp-admx-dnsclient.md)
+- [DNS_UpdateSecurityLevel](policy-csp-admx-dnsclient.md)
+- [DNS_UpdateTopLevelDomainZones](policy-csp-admx-dnsclient.md)
+
+## ADMX_DWM
+
+- [DwmDisallowAnimations_1](policy-csp-admx-dwm.md)
+- [DwmDisallowColorizationColorChanges_1](policy-csp-admx-dwm.md)
+- [DwmDefaultColorizationColor_1](policy-csp-admx-dwm.md)
+- [DwmDisallowAnimations_2](policy-csp-admx-dwm.md)
+- [DwmDisallowColorizationColorChanges_2](policy-csp-admx-dwm.md)
+- [DwmDefaultColorizationColor_2](policy-csp-admx-dwm.md)
+
+## ADMX_EAIME
+
+- [L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](policy-csp-admx-eaime.md)
+- [L_RestrictCharacterCodeRangeOfConversion](policy-csp-admx-eaime.md)
+- [L_TurnOffCustomDictionary](policy-csp-admx-eaime.md)
+- [L_TurnOffHistorybasedPredictiveInput](policy-csp-admx-eaime.md)
+- [L_TurnOffInternetSearchIntegration](policy-csp-admx-eaime.md)
+- [L_TurnOffOpenExtendedDictionary](policy-csp-admx-eaime.md)
+- [L_TurnOffSavingAutoTuningDataToFile](policy-csp-admx-eaime.md)
+- [L_TurnOnCloudCandidate](policy-csp-admx-eaime.md)
+- [L_TurnOnCloudCandidateCHS](policy-csp-admx-eaime.md)
+- [L_TurnOnLexiconUpdate](policy-csp-admx-eaime.md)
+- [L_TurnOnLiveStickers](policy-csp-admx-eaime.md)
+- [L_TurnOnMisconversionLoggingForMisconversionReport](policy-csp-admx-eaime.md)
+
+## ADMX_EncryptFilesonMove
+
+- [NoEncryptOnMove](policy-csp-admx-encryptfilesonmove.md)
+
+## ADMX_EnhancedStorage
+
+- [RootHubConnectedEnStorDevices](policy-csp-admx-enhancedstorage.md)
+- [ApprovedEnStorDevices](policy-csp-admx-enhancedstorage.md)
+- [ApprovedSilos](policy-csp-admx-enhancedstorage.md)
+- [DisallowLegacyDiskDevices](policy-csp-admx-enhancedstorage.md)
+- [DisablePasswordAuthentication](policy-csp-admx-enhancedstorage.md)
+- [LockDeviceOnMachineLock](policy-csp-admx-enhancedstorage.md)
+
+## ADMX_ErrorReporting
+
+- [WerArchive_1](policy-csp-admx-errorreporting.md)
+- [WerQueue_1](policy-csp-admx-errorreporting.md)
+- [WerExlusion_1](policy-csp-admx-errorreporting.md)
+- [WerAutoApproveOSDumps_1](policy-csp-admx-errorreporting.md)
+- [WerDefaultConsent_1](policy-csp-admx-errorreporting.md)
+- [WerConsentCustomize_1](policy-csp-admx-errorreporting.md)
+- [WerConsentOverride_1](policy-csp-admx-errorreporting.md)
+- [WerNoLogging_1](policy-csp-admx-errorreporting.md)
+- [WerDisable_1](policy-csp-admx-errorreporting.md)
+- [WerNoSecondLevelData_1](policy-csp-admx-errorreporting.md)
+- [WerBypassDataThrottling_1](policy-csp-admx-errorreporting.md)
+- [WerBypassPowerThrottling_1](policy-csp-admx-errorreporting.md)
+- [WerBypassNetworkCostThrottling_1](policy-csp-admx-errorreporting.md)
+- [WerCER](policy-csp-admx-errorreporting.md)
+- [WerArchive_2](policy-csp-admx-errorreporting.md)
+- [WerQueue_2](policy-csp-admx-errorreporting.md)
+- [PCH_AllOrNoneDef](policy-csp-admx-errorreporting.md)
+- [PCH_AllOrNoneInc](policy-csp-admx-errorreporting.md)
+- [WerExlusion_2](policy-csp-admx-errorreporting.md)
+- [PCH_AllOrNoneEx](policy-csp-admx-errorreporting.md)
+- [PCH_ReportOperatingSystemFaults](policy-csp-admx-errorreporting.md)
+- [WerAutoApproveOSDumps_2](policy-csp-admx-errorreporting.md)
+- [PCH_ConfigureReport](policy-csp-admx-errorreporting.md)
+- [WerDefaultConsent_2](policy-csp-admx-errorreporting.md)
+- [WerConsentOverride_2](policy-csp-admx-errorreporting.md)
+- [WerNoLogging_2](policy-csp-admx-errorreporting.md)
+- [WerBypassDataThrottling_2](policy-csp-admx-errorreporting.md)
+- [WerBypassPowerThrottling_2](policy-csp-admx-errorreporting.md)
+- [WerBypassNetworkCostThrottling_2](policy-csp-admx-errorreporting.md)
+
+## ADMX_EventForwarding
+
+- [ForwarderResourceUsage](policy-csp-admx-eventforwarding.md)
+- [SubscriptionManager](policy-csp-admx-eventforwarding.md)
+
+## ADMX_EventLog
+
+- [Channel_Log_AutoBackup_1](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_1](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_5](policy-csp-admx-eventlog.md)
+- [Channel_LogFilePath_1](policy-csp-admx-eventlog.md)
+- [Channel_Log_AutoBackup_2](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_2](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_6](policy-csp-admx-eventlog.md)
+- [Channel_Log_Retention_2](policy-csp-admx-eventlog.md)
+- [Channel_LogFilePath_2](policy-csp-admx-eventlog.md)
+- [Channel_Log_AutoBackup_3](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_3](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_7](policy-csp-admx-eventlog.md)
+- [Channel_Log_Retention_3](policy-csp-admx-eventlog.md)
+- [Channel_LogFilePath_3](policy-csp-admx-eventlog.md)
+- [Channel_LogMaxSize_3](policy-csp-admx-eventlog.md)
+- [Channel_LogEnabled](policy-csp-admx-eventlog.md)
+- [Channel_Log_AutoBackup_4](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_4](policy-csp-admx-eventlog.md)
+- [Channel_Log_FileLogAccess_8](policy-csp-admx-eventlog.md)
+- [Channel_Log_Retention_4](policy-csp-admx-eventlog.md)
+- [Channel_LogFilePath_4](policy-csp-admx-eventlog.md)
+
+## ADMX_EventLogging
+
+- [EnableProtectedEventLogging](policy-csp-admx-eventlogging.md)
+
+## ADMX_EventViewer
+
+- [EventViewer_RedirectionProgram](policy-csp-admx-eventviewer.md)
+- [EventViewer_RedirectionProgramCommandLineParameters](policy-csp-admx-eventviewer.md)
+- [EventViewer_RedirectionURL](policy-csp-admx-eventviewer.md)
+
+## ADMX_Explorer
+
+- [AlwaysShowClassicMenu](policy-csp-admx-explorer.md)
+- [PreventItemCreationInUsersFilesFolder](policy-csp-admx-explorer.md)
+- [TurnOffSPIAnimations](policy-csp-admx-explorer.md)
+- [DisableRoamedProfileInit](policy-csp-admx-explorer.md)
+- [AdminInfoUrl](policy-csp-admx-explorer.md)
+
+## ADMX_ExternalBoot
+
+- [PortableOperatingSystem_Hibernate](policy-csp-admx-externalboot.md)
+- [PortableOperatingSystem_Sleep](policy-csp-admx-externalboot.md)
+- [PortableOperatingSystem_Launcher](policy-csp-admx-externalboot.md)
+
+## ADMX_FileRecovery
+
+- [WdiScenarioExecutionPolicy](policy-csp-admx-filerecovery.md)
+
+## ADMX_FileRevocation
+
+- [DelegatedPackageFamilyNames](policy-csp-admx-filerevocation.md)
+
+## ADMX_FileServerVSSProvider
+
+- [Pol_EncryptProtocol](policy-csp-admx-fileservervssprovider.md)
+
+## ADMX_FileSys
+
+- [DisableDeleteNotification](policy-csp-admx-filesys.md)
+- [LongPathsEnabled](policy-csp-admx-filesys.md)
+- [DisableCompression](policy-csp-admx-filesys.md)
+- [DisableEncryption](policy-csp-admx-filesys.md)
+- [TxfDeprecatedFunctionality](policy-csp-admx-filesys.md)
+- [EnablePagefileEncryption](policy-csp-admx-filesys.md)
+- [ShortNameCreationSettings](policy-csp-admx-filesys.md)
+- [SymlinkEvaluation](policy-csp-admx-filesys.md)
+
+## ADMX_FolderRedirection
+
+- [DisableFRAdminPin](policy-csp-admx-folderredirection.md)
+- [DisableFRAdminPinByFolder](policy-csp-admx-folderredirection.md)
+- [FolderRedirectionEnableCacheRename](policy-csp-admx-folderredirection.md)
+- [PrimaryComputer_FR_1](policy-csp-admx-folderredirection.md)
+- [LocalizeXPRelativePaths_1](policy-csp-admx-folderredirection.md)
+- [PrimaryComputer_FR_2](policy-csp-admx-folderredirection.md)
+- [LocalizeXPRelativePaths_2](policy-csp-admx-folderredirection.md)
+
+## ADMX_FramePanes
+
+- [NoReadingPane](policy-csp-admx-framepanes.md)
+- [NoPreviewPane](policy-csp-admx-framepanes.md)
+
+## ADMX_fthsvc
+
+- [WdiScenarioExecutionPolicy](policy-csp-admx-fthsvc.md)
+
+## ADMX_Globalization
+
+- [ImplicitDataCollectionOff_1](policy-csp-admx-globalization.md)
+- [HideAdminOptions](policy-csp-admx-globalization.md)
+- [HideCurrentLocation](policy-csp-admx-globalization.md)
+- [HideLanguageSelection](policy-csp-admx-globalization.md)
+- [HideLocaleSelectAndCustomize](policy-csp-admx-globalization.md)
+- [RestrictUILangSelect](policy-csp-admx-globalization.md)
+- [LockUserUILanguage](policy-csp-admx-globalization.md)
+- [TurnOffAutocorrectMisspelledWords](policy-csp-admx-globalization.md)
+- [TurnOffHighlightMisspelledWords](policy-csp-admx-globalization.md)
+- [TurnOffInsertSpace](policy-csp-admx-globalization.md)
+- [TurnOffOfferTextPredictions](policy-csp-admx-globalization.md)
+- [Y2K](policy-csp-admx-globalization.md)
+- [PreventGeoIdChange_1](policy-csp-admx-globalization.md)
+- [CustomLocalesNoSelect_1](policy-csp-admx-globalization.md)
+- [PreventUserOverrides_1](policy-csp-admx-globalization.md)
+- [LocaleUserRestrict_1](policy-csp-admx-globalization.md)
+- [ImplicitDataCollectionOff_2](policy-csp-admx-globalization.md)
+- [LockMachineUILanguage](policy-csp-admx-globalization.md)
+- [PreventGeoIdChange_2](policy-csp-admx-globalization.md)
+- [BlockUserInputMethodsForSignIn](policy-csp-admx-globalization.md)
+- [CustomLocalesNoSelect_2](policy-csp-admx-globalization.md)
+- [PreventUserOverrides_2](policy-csp-admx-globalization.md)
+- [LocaleSystemRestrict](policy-csp-admx-globalization.md)
+- [LocaleUserRestrict_2](policy-csp-admx-globalization.md)
+
+## ADMX_GroupPolicy
+
+- [GPDCOptions](policy-csp-admx-grouppolicy.md)
+- [GPTransferRate_1](policy-csp-admx-grouppolicy.md)
+- [NewGPOLinksDisabled](policy-csp-admx-grouppolicy.md)
+- [DenyRsopToInteractiveUser_1](policy-csp-admx-grouppolicy.md)
+- [EnforcePoliciesOnly](policy-csp-admx-grouppolicy.md)
+- [NewGPODisplayName](policy-csp-admx-grouppolicy.md)
+- [GroupPolicyRefreshRateUser](policy-csp-admx-grouppolicy.md)
+- [DisableAutoADMUpdate](policy-csp-admx-grouppolicy.md)
+- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md)
+- [AllowX-ForestPolicy-and-RUP](policy-csp-admx-grouppolicy.md)
+- [OnlyUseLocalAdminFiles](policy-csp-admx-grouppolicy.md)
+- [SlowlinkDefaultToAsync](policy-csp-admx-grouppolicy.md)
+- [SlowLinkDefaultForDirectAccess](policy-csp-admx-grouppolicy.md)
+- [CSE_DiskQuota](policy-csp-admx-grouppolicy.md)
+- [CSE_EFSRecovery](policy-csp-admx-grouppolicy.md)
+- [CSE_FolderRedirection](policy-csp-admx-grouppolicy.md)
+- [EnableLogonOptimization](policy-csp-admx-grouppolicy.md)
+- [GPTransferRate_2](policy-csp-admx-grouppolicy.md)
+- [CSE_IEM](policy-csp-admx-grouppolicy.md)
+- [CSE_IPSecurity](policy-csp-admx-grouppolicy.md)
+- [LogonScriptDelay](policy-csp-admx-grouppolicy.md)
+- [CSE_Registry](policy-csp-admx-grouppolicy.md)
+- [CSE_Scripts](policy-csp-admx-grouppolicy.md)
+- [CSE_Security](policy-csp-admx-grouppolicy.md)
+- [CSE_AppMgmt](policy-csp-admx-grouppolicy.md)
+- [UserPolicyMode](policy-csp-admx-grouppolicy.md)
+- [CSE_Wired](policy-csp-admx-grouppolicy.md)
+- [CSE_Wireless](policy-csp-admx-grouppolicy.md)
+- [EnableCDP](policy-csp-admx-grouppolicy.md)
+- [DenyRsopToInteractiveUser_2](policy-csp-admx-grouppolicy.md)
+- [ResetDfsClientInfoDuringRefreshPolicy](policy-csp-admx-grouppolicy.md)
+- [EnableLogonOptimizationOnServerSKU](policy-csp-admx-grouppolicy.md)
+- [EnableMMX](policy-csp-admx-grouppolicy.md)
+- [DisableUsersFromMachGP](policy-csp-admx-grouppolicy.md)
+- [GroupPolicyRefreshRate](policy-csp-admx-grouppolicy.md)
+- [GroupPolicyRefreshRateDC](policy-csp-admx-grouppolicy.md)
+- [SyncWaitTime](policy-csp-admx-grouppolicy.md)
+- [CorpConnSyncWaitTime](policy-csp-admx-grouppolicy.md)
+- [DisableBackgroundPolicy](policy-csp-admx-grouppolicy.md)
+- [DisableAOACProcessing](policy-csp-admx-grouppolicy.md)
+- [DisableLGPOProcessing](policy-csp-admx-grouppolicy.md)
+- [RSoPLogging](policy-csp-admx-grouppolicy.md)
+- [ProcessMitigationOptions](policy-csp-admx-grouppolicy.md)
+- [FontMitigation](policy-csp-admx-grouppolicy.md)
+
+## ADMX_Help
+
+- [RestrictRunFromHelp](policy-csp-admx-help.md)
+- [HelpQualifiedRootDir_Comp](policy-csp-admx-help.md)
+- [RestrictRunFromHelp_Comp](policy-csp-admx-help.md)
+- [DisableHHDEP](policy-csp-admx-help.md)
+
+## ADMX_HelpAndSupport
+
+- [HPImplicitFeedback](policy-csp-admx-helpandsupport.md)
+- [HPExplicitFeedback](policy-csp-admx-helpandsupport.md)
+- [HPOnlineAssistance](policy-csp-admx-helpandsupport.md)
+- [ActiveHelp](policy-csp-admx-helpandsupport.md)
+
+## ADMX_hotspotauth
+
+- [HotspotAuth_Enable](policy-csp-admx-hotspotauth.md)
+
+## ADMX_ICM
+
+- [ShellNoUseStoreOpenWith_1](policy-csp-admx-icm.md)
+- [DisableWebPnPDownload_1](policy-csp-admx-icm.md)
+- [ShellPreventWPWDownload_1](policy-csp-admx-icm.md)
+- [ShellNoUseInternetOpenWith_1](policy-csp-admx-icm.md)
+- [DisableHTTPPrinting_1](policy-csp-admx-icm.md)
+- [ShellRemoveOrderPrints_1](policy-csp-admx-icm.md)
+- [ShellRemovePublishToWeb_1](policy-csp-admx-icm.md)
+- [WinMSG_NoInstrumentation_1](policy-csp-admx-icm.md)
+- [InternetManagement_RestrictCommunication_1](policy-csp-admx-icm.md)
+- [RemoveWindowsUpdate_ICM](policy-csp-admx-icm.md)
+- [ShellNoUseStoreOpenWith_2](policy-csp-admx-icm.md)
+- [CertMgr_DisableAutoRootUpdates](policy-csp-admx-icm.md)
+- [EventViewer_DisableLinks](policy-csp-admx-icm.md)
+- [HSS_HeadlinesPolicy](policy-csp-admx-icm.md)
+- [HSS_KBSearchPolicy](policy-csp-admx-icm.md)
+- [NC_ExitOnISP](policy-csp-admx-icm.md)
+- [ShellNoUseInternetOpenWith_2](policy-csp-admx-icm.md)
+- [NC_NoRegistration](policy-csp-admx-icm.md)
+- [SearchCompanion_DisableFileUpdates](policy-csp-admx-icm.md)
+- [ShellRemoveOrderPrints_2](policy-csp-admx-icm.md)
+- [ShellRemovePublishToWeb_2](policy-csp-admx-icm.md)
+- [WinMSG_NoInstrumentation_2](policy-csp-admx-icm.md)
+- [CEIPEnable](policy-csp-admx-icm.md)
+- [PCH_DoNotReport](policy-csp-admx-icm.md)
+- [DriverSearchPlaces_DontSearchWindowsUpdate](policy-csp-admx-icm.md)
+- [InternetManagement_RestrictCommunication_2](policy-csp-admx-icm.md)
+
+## ADMX_IIS
+
+- [PreventIISInstall](policy-csp-admx-iis.md)
+
+## ADMX_iSCSI
+
+- [iSCSIGeneral_RestrictAdditionalLogins](policy-csp-admx-iscsi.md)
+- [iSCSIGeneral_ChangeIQNName](policy-csp-admx-iscsi.md)
+- [iSCSISecurity_ChangeCHAPSecret](policy-csp-admx-iscsi.md)
+- [iSCSISecurity_RequireIPSec](policy-csp-admx-iscsi.md)
+- [iSCSISecurity_RequireMutualCHAP](policy-csp-admx-iscsi.md)
+- [iSCSISecurity_RequireOneWayCHAP](policy-csp-admx-iscsi.md)
+- [iSCSIDiscovery_NewStaticTargets](policy-csp-admx-iscsi.md)
+- [iSCSIDiscovery_ConfigureTargets](policy-csp-admx-iscsi.md)
+- [iSCSIDiscovery_ConfigureiSNSServers](policy-csp-admx-iscsi.md)
+- [iSCSIDiscovery_ConfigureTargetPortals](policy-csp-admx-iscsi.md)
+
+## ADMX_kdc
+
+- [CbacAndArmor](policy-csp-admx-kdc.md)
+- [PKINITFreshness](policy-csp-admx-kdc.md)
+- [emitlili](policy-csp-admx-kdc.md)
+- [RequestCompoundId](policy-csp-admx-kdc.md)
+- [ForestSearch](policy-csp-admx-kdc.md)
+- [TicketSizeThreshold](policy-csp-admx-kdc.md)
+
+## ADMX_Kerberos
+
+- [AlwaysSendCompoundId](policy-csp-admx-kerberos.md)
+- [HostToRealm](policy-csp-admx-kerberos.md)
+- [MitRealms](policy-csp-admx-kerberos.md)
+- [KdcProxyDisableServerRevocationCheck](policy-csp-admx-kerberos.md)
+- [StrictTarget](policy-csp-admx-kerberos.md)
+- [KdcProxyServer](policy-csp-admx-kerberos.md)
+- [ServerAcceptsCompound](policy-csp-admx-kerberos.md)
+- [DevicePKInitEnabled](policy-csp-admx-kerberos.md)
+
+## ADMX_LanmanServer
+
+- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanserver.md)
+- [Pol_HashPublication](policy-csp-admx-lanmanserver.md)
+- [Pol_HashSupportVersion](policy-csp-admx-lanmanserver.md)
+- [Pol_HonorCipherSuiteOrder](policy-csp-admx-lanmanserver.md)
+
+## ADMX_LanmanWorkstation
+
+- [Pol_CipherSuiteOrder](policy-csp-admx-lanmanworkstation.md)
+- [Pol_EnableHandleCachingForCAFiles](policy-csp-admx-lanmanworkstation.md)
+- [Pol_EnableOfflineFilesforCAShares](policy-csp-admx-lanmanworkstation.md)
+
+## ADMX_LeakDiagnostic
+
+- [WdiScenarioExecutionPolicy](policy-csp-admx-leakdiagnostic.md)
+
+## ADMX_LinkLayerTopologyDiscovery
+
+- [LLTD_EnableLLTDIO](policy-csp-admx-linklayertopologydiscovery.md)
+- [LLTD_EnableRspndr](policy-csp-admx-linklayertopologydiscovery.md)
+
+## ADMX_LocationProviderAdm
+
+- [DisableWindowsLocationProvider_1](policy-csp-admx-locationprovideradm.md)
+
+## ADMX_Logon
+
+- [NoWelcomeTips_1](policy-csp-admx-logon.md)
+- [DisableExplorerRunLegacy_1](policy-csp-admx-logon.md)
+- [DisableExplorerRunOnceLegacy_1](policy-csp-admx-logon.md)
+- [Run_1](policy-csp-admx-logon.md)
+- [VerboseStatus](policy-csp-admx-logon.md)
+- [UseOEMBackground](policy-csp-admx-logon.md)
+- [SyncForegroundPolicy](policy-csp-admx-logon.md)
+- [BlockUserFromShowingAccountDetailsOnSignin](policy-csp-admx-logon.md)
+- [NoWelcomeTips_2](policy-csp-admx-logon.md)
+- [DontEnumerateConnectedUsers](policy-csp-admx-logon.md)
+- [DisableExplorerRunLegacy_2](policy-csp-admx-logon.md)
+- [DisableExplorerRunOnceLegacy_2](policy-csp-admx-logon.md)
+- [Run_2](policy-csp-admx-logon.md)
+- [DisableAcrylicBackgroundOnLogon](policy-csp-admx-logon.md)
+- [DisableStatusMessages](policy-csp-admx-logon.md)
+
+## ADMX_MicrosoftDefenderAntivirus
+
+- [ServiceKeepAlive](policy-csp-admx-microsoftdefenderantivirus.md)
+- [AllowFastServiceStartup](policy-csp-admx-microsoftdefenderantivirus.md)
+- [UX_Configuration_CustomDefaultActionToastString](policy-csp-admx-microsoftdefenderantivirus.md)
+- [UX_Configuration_UILockdown](policy-csp-admx-microsoftdefenderantivirus.md)
+- [UX_Configuration_Notification_Suppress](policy-csp-admx-microsoftdefenderantivirus.md)
+- [UX_Configuration_SuppressRebootNotification](policy-csp-admx-microsoftdefenderantivirus.md)
+- [DisableLocalAdminMerge](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ProxyBypass](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ProxyPacUrl](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ProxyServer](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Exclusions_Extensions](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Exclusions_Paths](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Exclusions_Processes](policy-csp-admx-microsoftdefenderantivirus.md)
+- [DisableAutoExclusions](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Spynet_LocalSettingOverrideSpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md)
+- [DisableBlockAtFirstSeen](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SpynetReporting](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ExploitGuard_ASR_Rules](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ExploitGuard_ASR_ASROnlyExclusions](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ExploitGuard_ControlledFolderAccess_AllowedApplications](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ExploitGuard_ControlledFolderAccess_ProtectedFolders](policy-csp-admx-microsoftdefenderantivirus.md)
+- [MpEngine_EnableFileHashComputation](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Nis_Consumers_IPS_DisableSignatureRetirement](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Nis_DisableProtocolRecognition](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Quarantine_LocalSettingOverridePurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Quarantine_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RandomizeScheduleTaskTimes](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_IOAVMaxSize](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_DisableOnAccessProtection](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_DisableIOAVProtection](policy-csp-admx-microsoftdefenderantivirus.md)
+- [DisableRealtimeMonitoring](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_DisableBehaviorMonitoring](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_DisableScanOnRealtimeEnable](policy-csp-admx-microsoftdefenderantivirus.md)
+- [RealtimeProtection_DisableRawWriteNotification](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Remediation_LocalSettingOverrideScan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Remediation_Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Remediation_Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_CriticalFailureTimeout](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_NonCriticalTimeout](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_RecentlyCleanedTimeout](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_AdditionalActionTimeout](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_DisablegenericrePorts](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_WppTracingComponents](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_WppTracingLevel](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Reporting_DisableEnhancedNotifications](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_AllowPause](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_LocalSettingOverrideAvgCPULoadFactor](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_LocalSettingOverrideScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_LocalSettingOverrideScheduleQuickScantime](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_LocalSettingOverrideScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_LocalSettingOverrideScanParameters](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_LowCpuPriority](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableRestorePoint](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_MissedScheduledScanCountBeforeCatchup](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableScanningMappedNetworkDrivesForFullScan](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableArchiveScanning](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableScanningNetworkFiles](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisablePackedExeScanning](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableRemovableDriveScanning](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_QuickScanInterval](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_ArchiveMaxDepth](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_ArchiveMaxSize](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_ScanOnlyIfIdle](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableEmailScanning](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableHeuristics](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_PurgeItemsAfterDelay](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Scan_DisableReparsePointScanning](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_SignatureDisableNotification](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_RealtimeSignatureDelivery](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_ForceUpdateFromMU](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_DisableScheduledSignatureUpdateonBattery](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_UpdateOnStartup](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_DefinitionUpdateFileSharesSources](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_SharedSignaturesLocation](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_SignatureUpdateCatchupInterval](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_ASSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_AVSignatureDue](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_FallbackOrder](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_DisableUpdateOnStartupWithoutEngine](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_ScheduleDay](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_ScheduleTime](policy-csp-admx-microsoftdefenderantivirus.md)
+- [SignatureUpdate_DisableScanOnUpdate](policy-csp-admx-microsoftdefenderantivirus.md)
+- [Threats_ThreatIdDefaultAction](policy-csp-admx-microsoftdefenderantivirus.md)
+- [DisableAntiSpywareDefender](policy-csp-admx-microsoftdefenderantivirus.md)
+- [DisableRoutinelyTakingAction](policy-csp-admx-microsoftdefenderantivirus.md)
+
+## ADMX_MMC
+
+- [MMC_Restrict_Author](policy-csp-admx-mmc.md)
+- [MMC_Restrict_To_Permitted_Snapins](policy-csp-admx-mmc.md)
+- [MMC_ActiveXControl](policy-csp-admx-mmc.md)
+- [MMC_ExtendView](policy-csp-admx-mmc.md)
+- [MMC_LinkToWeb](policy-csp-admx-mmc.md)
+
+## ADMX_MMCSnapins
+
+- [MMC_Net_Framework](policy-csp-admx-mmcsnapins.md)
+- [MMC_ActiveDirDomTrusts](policy-csp-admx-mmcsnapins.md)
+- [MMC_ActiveDirSitesServices](policy-csp-admx-mmcsnapins.md)
+- [MMC_ActiveDirUsersComp](policy-csp-admx-mmcsnapins.md)
+- [MMC_ADSI](policy-csp-admx-mmcsnapins.md)
+- [MMC_CertsTemplate](policy-csp-admx-mmcsnapins.md)
+- [MMC_Certs](policy-csp-admx-mmcsnapins.md)
+- [MMC_CertAuth](policy-csp-admx-mmcsnapins.md)
+- [MMC_ComponentServices](policy-csp-admx-mmcsnapins.md)
+- [MMC_ComputerManagement](policy-csp-admx-mmcsnapins.md)
+- [MMC_DeviceManager_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_DiskDefrag](policy-csp-admx-mmcsnapins.md)
+- [MMC_DiskMgmt](policy-csp-admx-mmcsnapins.md)
+- [MMC_DFS](policy-csp-admx-mmcsnapins.md)
+- [MMC_EnterprisePKI](policy-csp-admx-mmcsnapins.md)
+- [MMC_EventViewer_3](policy-csp-admx-mmcsnapins.md)
+- [MMC_EventViewer_4](policy-csp-admx-mmcsnapins.md)
+- [MMC_AppleTalkRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_AuthMan](policy-csp-admx-mmcsnapins.md)
+- [MMC_CertAuthPolSet](policy-csp-admx-mmcsnapins.md)
+- [MMC_ConnectionSharingNAT](policy-csp-admx-mmcsnapins.md)
+- [MMC_DCOMCFG](policy-csp-admx-mmcsnapins.md)
+- [MMC_DeviceManager_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_DHCPRelayMgmt](policy-csp-admx-mmcsnapins.md)
+- [MMC_EventViewer_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_EventViewer_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_IASLogging](policy-csp-admx-mmcsnapins.md)
+- [MMC_IGMPRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_IPRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_IPXRIPRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_IPXRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_IPXSAPRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_LogicalMappedDrives](policy-csp-admx-mmcsnapins.md)
+- [MMC_OSPFRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_PublicKey](policy-csp-admx-mmcsnapins.md)
+- [MMC_RAS_DialinUser](policy-csp-admx-mmcsnapins.md)
+- [MMC_RemoteAccess](policy-csp-admx-mmcsnapins.md)
+- [MMC_RemStore](policy-csp-admx-mmcsnapins.md)
+- [MMC_RIPRouting](policy-csp-admx-mmcsnapins.md)
+- [MMC_Routing](policy-csp-admx-mmcsnapins.md)
+- [MMC_SendConsoleMessage](policy-csp-admx-mmcsnapins.md)
+- [MMC_ServiceDependencies](policy-csp-admx-mmcsnapins.md)
+- [MMC_SharedFolders_Ext](policy-csp-admx-mmcsnapins.md)
+- [MMC_SMTPProtocol](policy-csp-admx-mmcsnapins.md)
+- [MMC_SNMP](policy-csp-admx-mmcsnapins.md)
+- [MMC_SysProp](policy-csp-admx-mmcsnapins.md)
+- [MMC_FailoverClusters](policy-csp-admx-mmcsnapins.md)
+- [MMC_FAXService](policy-csp-admx-mmcsnapins.md)
+- [MMC_FrontPageExt](policy-csp-admx-mmcsnapins.md)
+- [MMC_GroupPolicyManagementSnapIn](policy-csp-admx-mmcsnapins.md)
+- [MMC_GroupPolicySnapIn](policy-csp-admx-mmcsnapins.md)
+- [MMC_ADMComputers_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_ADMUsers_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_FolderRedirection_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_IEMaintenance_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_IPSecManage_GP](policy-csp-admx-mmcsnapins.md)
+- [MMC_NapSnap_GP](policy-csp-admx-mmcsnapins.md)
+- [MMC_RIS](policy-csp-admx-mmcsnapins.md)
+- [MMC_ScriptsUser_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_ScriptsMachine_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_SecuritySettings_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_SoftwareInstalationComputers_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_SoftwareInstallationUsers_1](policy-csp-admx-mmcsnapins.md)
+- [MMC_WindowsFirewall_GP](policy-csp-admx-mmcsnapins.md)
+- [MMC_WiredNetworkPolicy](policy-csp-admx-mmcsnapins.md)
+- [MMC_WirelessNetworkPolicy](policy-csp-admx-mmcsnapins.md)
+- [MMC_GroupPolicyTab](policy-csp-admx-mmcsnapins.md)
+- [MMC_ResultantSetOfPolicySnapIn](policy-csp-admx-mmcsnapins.md)
+- [MMC_ADMComputers_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_ADMUsers_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_FolderRedirection_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_IEMaintenance_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_ScriptsUser_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_ScriptsMachine_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_SecuritySettings_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_SoftwareInstalationComputers_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_SoftwareInstallationUsers_2](policy-csp-admx-mmcsnapins.md)
+- [MMC_HRA](policy-csp-admx-mmcsnapins.md)
+- [MMC_IndexingService](policy-csp-admx-mmcsnapins.md)
+- [MMC_IAS](policy-csp-admx-mmcsnapins.md)
+- [MMC_IIS](policy-csp-admx-mmcsnapins.md)
+- [MMC_IpSecMonitor](policy-csp-admx-mmcsnapins.md)
+- [MMC_IpSecManage](policy-csp-admx-mmcsnapins.md)
+- [MMC_LocalUsersGroups](policy-csp-admx-mmcsnapins.md)
+- [MMC_NapSnap](policy-csp-admx-mmcsnapins.md)
+- [MMC_NPSUI](policy-csp-admx-mmcsnapins.md)
+- [MMC_OCSP](policy-csp-admx-mmcsnapins.md)
+- [MMC_PerfLogsAlerts](policy-csp-admx-mmcsnapins.md)
+- [MMC_QoSAdmission](policy-csp-admx-mmcsnapins.md)
+- [MMC_TerminalServices](policy-csp-admx-mmcsnapins.md)
+- [MMC_RemoteDesktop](policy-csp-admx-mmcsnapins.md)
+- [MMC_RSM](policy-csp-admx-mmcsnapins.md)
+- [MMC_RRA](policy-csp-admx-mmcsnapins.md)
+- [MMC_SCA](policy-csp-admx-mmcsnapins.md)
+- [MMC_SecurityTemplates](policy-csp-admx-mmcsnapins.md)
+- [MMC_ServerManager](policy-csp-admx-mmcsnapins.md)
+- [MMC_Services](policy-csp-admx-mmcsnapins.md)
+- [MMC_SharedFolders](policy-csp-admx-mmcsnapins.md)
+- [MMC_SysInfo](policy-csp-admx-mmcsnapins.md)
+- [MMC_Telephony](policy-csp-admx-mmcsnapins.md)
+- [MMC_TPMManagement](policy-csp-admx-mmcsnapins.md)
+- [MMC_WindowsFirewall](policy-csp-admx-mmcsnapins.md)
+- [MMC_WirelessMon](policy-csp-admx-mmcsnapins.md)
+- [MMC_WMI](policy-csp-admx-mmcsnapins.md)
+
+## ADMX_MobilePCMobilityCenter
+
+- [MobilityCenterEnable_1](policy-csp-admx-mobilepcmobilitycenter.md)
+- [MobilityCenterEnable_2](policy-csp-admx-mobilepcmobilitycenter.md)
+
+## ADMX_MobilePCPresentationSettings
+
+- [PresentationSettingsEnable_1](policy-csp-admx-mobilepcpresentationsettings.md)
+- [PresentationSettingsEnable_2](policy-csp-admx-mobilepcpresentationsettings.md)
+
+## ADMX_MSAPolicy
+
+- [MicrosoftAccount_DisableUserAuth](policy-csp-admx-msapolicy.md)
+
+## ADMX_msched
+
+- [ActivationBoundaryPolicy](policy-csp-admx-msched.md)
+- [RandomDelayPolicy](policy-csp-admx-msched.md)
+
+## ADMX_MSDT
+
+- [WdiScenarioExecutionPolicy](policy-csp-admx-msdt.md)
+- [MsdtToolDownloadPolicy](policy-csp-admx-msdt.md)
+- [MsdtSupportProvider](policy-csp-admx-msdt.md)
+
+## ADMX_MSI
+
+- [DisableMedia](policy-csp-admx-msi.md)
+- [DisableRollback_1](policy-csp-admx-msi.md)
+- [SearchOrder](policy-csp-admx-msi.md)
+- [AllowLockdownBrowse](policy-csp-admx-msi.md)
+- [AllowLockdownPatch](policy-csp-admx-msi.md)
+- [AllowLockdownMedia](policy-csp-admx-msi.md)
+- [MSI_MaxPatchCacheSize](policy-csp-admx-msi.md)
+- [MSI_EnforceUpgradeComponentRules](policy-csp-admx-msi.md)
+- [MsiDisableEmbeddedUI](policy-csp-admx-msi.md)
+- [SafeForScripting](policy-csp-admx-msi.md)
+- [DisablePatch](policy-csp-admx-msi.md)
+- [DisableFlyweightPatching](policy-csp-admx-msi.md)
+- [MSI_DisableLUAPatching](policy-csp-admx-msi.md)
+- [MSI_DisablePatchUninstall](policy-csp-admx-msi.md)
+- [DisableRollback_2](policy-csp-admx-msi.md)
+- [DisableAutomaticApplicationShutdown](policy-csp-admx-msi.md)
+- [MSI_DisableUserInstalls](policy-csp-admx-msi.md)
+- [DisableBrowse](policy-csp-admx-msi.md)
+- [TransformsSecure](policy-csp-admx-msi.md)
+- [MSILogging](policy-csp-admx-msi.md)
+- [MSI_DisableSRCheckPoints](policy-csp-admx-msi.md)
+- [DisableLoggingFromPackage](policy-csp-admx-msi.md)
+- [DisableSharedComponent](policy-csp-admx-msi.md)
+- [DisableMSI](policy-csp-admx-msi.md)
+
+## ADMX_MsiFileRecovery
+
+- [WdiScenarioExecutionPolicy](policy-csp-admx-msifilerecovery.md)
+
+## ADMX_MSS-legacy
+
+- [Pol_MSS_AutoAdminLogon](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_AutoReboot](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_AutoShareServer](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_AutoShareWks](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_DisableSavePassword](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_EnableDeadGWDetect](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_HideFromBrowseList](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_KeepAliveTime](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_NoDefaultExempt](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_NtfsDisable8dot3NameCreation](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_PerformRouterDiscovery](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_SafeDllSearchMode](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_ScreenSaverGracePeriod](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_SynAttackProtect](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_TcpMaxConnectResponseRetransmissions](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_TcpMaxDataRetransmissionsIPv6](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_TcpMaxDataRetransmissions](policy-csp-admx-mss-legacy.md)
+- [Pol_MSS_WarningLevel](policy-csp-admx-mss-legacy.md)
+
+## ADMX_nca
+
+- [CorporateResources](policy-csp-admx-nca.md)
+- [CustomCommands](policy-csp-admx-nca.md)
+- [PassiveMode](policy-csp-admx-nca.md)
+- [FriendlyName](policy-csp-admx-nca.md)
+- [DTEs](policy-csp-admx-nca.md)
+- [LocalNamesOn](policy-csp-admx-nca.md)
+- [SupportEmail](policy-csp-admx-nca.md)
+- [ShowUI](policy-csp-admx-nca.md)
+
+## ADMX_NCSI
+
+- [NCSI_CorpDnsProbeContent](policy-csp-admx-ncsi.md)
+- [NCSI_CorpDnsProbeHost](policy-csp-admx-ncsi.md)
+- [NCSI_CorpSitePrefixes](policy-csp-admx-ncsi.md)
+- [NCSI_CorpWebProbeUrl](policy-csp-admx-ncsi.md)
+- [NCSI_DomainLocationDeterminationUrl](policy-csp-admx-ncsi.md)
+- [NCSI_GlobalDns](policy-csp-admx-ncsi.md)
+- [NCSI_PassivePolling](policy-csp-admx-ncsi.md)
+
+## ADMX_Netlogon
+
+- [Netlogon_AllowNT4Crypto](policy-csp-admx-netlogon.md)
+- [Netlogon_AvoidPdcOnWan](policy-csp-admx-netlogon.md)
+- [Netlogon_IgnoreIncomingMailslotMessages](policy-csp-admx-netlogon.md)
+- [Netlogon_AvoidFallbackNetbiosDiscovery](policy-csp-admx-netlogon.md)
+- [Netlogon_ForceRediscoveryInterval](policy-csp-admx-netlogon.md)
+- [Netlogon_AddressTypeReturned](policy-csp-admx-netlogon.md)
+- [Netlogon_LdapSrvPriority](policy-csp-admx-netlogon.md)
+- [Netlogon_DnsTtl](policy-csp-admx-netlogon.md)
+- [Netlogon_LdapSrvWeight](policy-csp-admx-netlogon.md)
+- [Netlogon_AddressLookupOnPingBehavior](policy-csp-admx-netlogon.md)
+- [Netlogon_DnsAvoidRegisterRecords](policy-csp-admx-netlogon.md)
+- [Netlogon_UseDynamicDns](policy-csp-admx-netlogon.md)
+- [Netlogon_DnsRefreshInterval](policy-csp-admx-netlogon.md)
+- [Netlogon_NdncSiteCoverage](policy-csp-admx-netlogon.md)
+- [Netlogon_SiteCoverage](policy-csp-admx-netlogon.md)
+- [Netlogon_GcSiteCoverage](policy-csp-admx-netlogon.md)
+- [Netlogon_TryNextClosestSite](policy-csp-admx-netlogon.md)
+- [Netlogon_AutoSiteCoverage](policy-csp-admx-netlogon.md)
+- [Netlogon_AllowDnsSuffixSearch](policy-csp-admx-netlogon.md)
+- [Netlogon_AllowSingleLabelDnsDomain](policy-csp-admx-netlogon.md)
+- [Netlogon_DnsSrvRecordUseLowerCaseHostNames](policy-csp-admx-netlogon.md)
+- [Netlogon_NetlogonShareCompatibilityMode](policy-csp-admx-netlogon.md)
+- [Netlogon_ScavengeInterval](policy-csp-admx-netlogon.md)
+- [Netlogon_SysvolShareCompatibilityMode](policy-csp-admx-netlogon.md)
+- [Netlogon_ExpectedDialupDelay](policy-csp-admx-netlogon.md)
+- [Netlogon_DebugFlag](policy-csp-admx-netlogon.md)
+- [Netlogon_MaximumLogFileSize](policy-csp-admx-netlogon.md)
+- [Netlogon_NegativeCachePeriod](policy-csp-admx-netlogon.md)
+- [Netlogon_NonBackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md)
+- [Netlogon_SiteName](policy-csp-admx-netlogon.md)
+- [Netlogon_BackgroundRetryQuitTime](policy-csp-admx-netlogon.md)
+- [Netlogon_BackgroundRetryInitialPeriod](policy-csp-admx-netlogon.md)
+- [Netlogon_BackgroundRetryMaximumPeriod](policy-csp-admx-netlogon.md)
+- [Netlogon_BackgroundSuccessfulRefreshPeriod](policy-csp-admx-netlogon.md)
+- [Netlogon_PingUrgencyMode](policy-csp-admx-netlogon.md)
+
+## ADMX_NetworkConnections
+
+- [NC_RasAllUserProperties](policy-csp-admx-networkconnections.md)
+- [NC_DeleteAllUserConnection](policy-csp-admx-networkconnections.md)
+- [NC_LanConnect](policy-csp-admx-networkconnections.md)
+- [NC_RenameAllUserRasConnection](policy-csp-admx-networkconnections.md)
+- [NC_RenameLanConnection](policy-csp-admx-networkconnections.md)
+- [NC_RenameConnection](policy-csp-admx-networkconnections.md)
+- [NC_EnableAdminProhibits](policy-csp-admx-networkconnections.md)
+- [NC_LanProperties](policy-csp-admx-networkconnections.md)
+- [NC_LanChangeProperties](policy-csp-admx-networkconnections.md)
+- [NC_RasChangeProperties](policy-csp-admx-networkconnections.md)
+- [NC_AdvancedSettings](policy-csp-admx-networkconnections.md)
+- [NC_NewConnectionWizard](policy-csp-admx-networkconnections.md)
+- [NC_DialupPrefs](policy-csp-admx-networkconnections.md)
+- [NC_AddRemoveComponents](policy-csp-admx-networkconnections.md)
+- [NC_RasMyProperties](policy-csp-admx-networkconnections.md)
+- [NC_RasConnect](policy-csp-admx-networkconnections.md)
+- [NC_DeleteConnection](policy-csp-admx-networkconnections.md)
+- [NC_ChangeBindState](policy-csp-admx-networkconnections.md)
+- [NC_RenameMyRasConnection](policy-csp-admx-networkconnections.md)
+- [NC_AllowAdvancedTCPIPConfig](policy-csp-admx-networkconnections.md)
+- [NC_Statistics](policy-csp-admx-networkconnections.md)
+- [NC_IpStateChecking](policy-csp-admx-networkconnections.md)
+- [NC_DoNotShowLocalOnlyIcon](policy-csp-admx-networkconnections.md)
+- [NC_PersonalFirewallConfig](policy-csp-admx-networkconnections.md)
+- [NC_ShowSharedAccessUI](policy-csp-admx-networkconnections.md)
+- [NC_StdDomainUserSetLocation](policy-csp-admx-networkconnections.md)
+- [NC_ForceTunneling](policy-csp-admx-networkconnections.md)
+
+## ADMX_OfflineFiles
+
+- [Pol_GoOfflineAction_1](policy-csp-admx-offlinefiles.md)
+- [Pol_EventLoggingLevel_1](policy-csp-admx-offlinefiles.md)
+- [Pol_ReminderInitTimeout_1](policy-csp-admx-offlinefiles.md)
+- [Pol_CustomGoOfflineActions_1](policy-csp-admx-offlinefiles.md)
+- [Pol_NoCacheViewer_1](policy-csp-admx-offlinefiles.md)
+- [Pol_NoConfigCache_1](policy-csp-admx-offlinefiles.md)
+- [Pol_ReminderFreq_1](policy-csp-admx-offlinefiles.md)
+- [Pol_ReminderTimeout_1](policy-csp-admx-offlinefiles.md)
+- [Pol_NoMakeAvailableOffline_1](policy-csp-admx-offlinefiles.md)
+- [Pol_NoPinFiles_1](policy-csp-admx-offlinefiles.md)
+- [Pol_WorkOfflineDisabled_1](policy-csp-admx-offlinefiles.md)
+- [Pol_AssignedOfflineFiles_1](policy-csp-admx-offlinefiles.md)
+- [Pol_SyncAtLogoff_1](policy-csp-admx-offlinefiles.md)
+- [Pol_SyncAtLogon_1](policy-csp-admx-offlinefiles.md)
+- [Pol_SyncAtSuspend_1](policy-csp-admx-offlinefiles.md)
+- [Pol_NoReminders_1](policy-csp-admx-offlinefiles.md)
+- [Pol_GoOfflineAction_2](policy-csp-admx-offlinefiles.md)
+- [Pol_Enabled](policy-csp-admx-offlinefiles.md)
+- [Pol_PurgeAtLogoff](policy-csp-admx-offlinefiles.md)
+- [Pol_BackgroundSyncSettings](policy-csp-admx-offlinefiles.md)
+- [Pol_SlowLinkSpeed](policy-csp-admx-offlinefiles.md)
+- [Pol_SlowLinkSettings](policy-csp-admx-offlinefiles.md)
+- [Pol_DefCacheSize](policy-csp-admx-offlinefiles.md)
+- [Pol_ExclusionListSettings](policy-csp-admx-offlinefiles.md)
+- [Pol_SyncOnCostedNetwork](policy-csp-admx-offlinefiles.md)
+- [Pol_OnlineCachingSettings](policy-csp-admx-offlinefiles.md)
+- [Pol_EncryptOfflineFiles](policy-csp-admx-offlinefiles.md)
+- [Pol_EventLoggingLevel_2](policy-csp-admx-offlinefiles.md)
+- [Pol_ExtExclusionList](policy-csp-admx-offlinefiles.md)
+- [Pol_ReminderInitTimeout_2](policy-csp-admx-offlinefiles.md)
+- [Pol_CacheSize](policy-csp-admx-offlinefiles.md)
+- [Pol_CustomGoOfflineActions_2](policy-csp-admx-offlinefiles.md)
+- [Pol_NoCacheViewer_2](policy-csp-admx-offlinefiles.md)
+- [Pol_NoConfigCache_2](policy-csp-admx-offlinefiles.md)
+- [Pol_ReminderFreq_2](policy-csp-admx-offlinefiles.md)
+- [Pol_ReminderTimeout_2](policy-csp-admx-offlinefiles.md)
+- [Pol_NoMakeAvailableOffline_2](policy-csp-admx-offlinefiles.md)
+- [Pol_NoPinFiles_2](policy-csp-admx-offlinefiles.md)
+- [Pol_WorkOfflineDisabled_2](policy-csp-admx-offlinefiles.md)
+- [Pol_AssignedOfflineFiles_2](policy-csp-admx-offlinefiles.md)
+- [Pol_AlwaysPinSubFolders](policy-csp-admx-offlinefiles.md)
+- [Pol_SyncAtLogoff_2](policy-csp-admx-offlinefiles.md)
+- [Pol_SyncAtLogon_2](policy-csp-admx-offlinefiles.md)
+- [Pol_SyncAtSuspend_2](policy-csp-admx-offlinefiles.md)
+- [Pol_NoReminders_2](policy-csp-admx-offlinefiles.md)
+- [Pol_QuickAdimPin](policy-csp-admx-offlinefiles.md)
+
+## ADMX_pca
+
+- [DetectDeprecatedCOMComponentFailuresPolicy](policy-csp-admx-pca.md)
+- [DetectDeprecatedComponentFailuresPolicy](policy-csp-admx-pca.md)
+- [DetectInstallFailuresPolicy](policy-csp-admx-pca.md)
+- [DetectUndetectedInstallersPolicy](policy-csp-admx-pca.md)
+- [DetectUpdateFailuresPolicy](policy-csp-admx-pca.md)
+- [DisablePcaUIPolicy](policy-csp-admx-pca.md)
+- [DetectBlockedDriversPolicy](policy-csp-admx-pca.md)
+
+## ADMX_PeerToPeerCaching
+
+- [EnableWindowsBranchCache_SMB](policy-csp-admx-peertopeercaching.md)
+- [SetDowngrading](policy-csp-admx-peertopeercaching.md)
+- [EnableWindowsBranchCache_HostedMultipleServers](policy-csp-admx-peertopeercaching.md)
+- [EnableWindowsBranchCache_HostedCacheDiscovery](policy-csp-admx-peertopeercaching.md)
+- [SetDataCacheEntryMaxAge](policy-csp-admx-peertopeercaching.md)
+- [EnableWindowsBranchCache_Distributed](policy-csp-admx-peertopeercaching.md)
+- [EnableWindowsBranchCache_Hosted](policy-csp-admx-peertopeercaching.md)
+- [SetCachePercent](policy-csp-admx-peertopeercaching.md)
+- [EnableWindowsBranchCache](policy-csp-admx-peertopeercaching.md)
+
+## ADMX_PenTraining
+
+- [PenTrainingOff_1](policy-csp-admx-pentraining.md)
+- [PenTrainingOff_2](policy-csp-admx-pentraining.md)
+
+## ADMX_PerformanceDiagnostics
+
+- [WdiScenarioExecutionPolicy_1](policy-csp-admx-performancediagnostics.md)
+- [WdiScenarioExecutionPolicy_3](policy-csp-admx-performancediagnostics.md)
+- [WdiScenarioExecutionPolicy_4](policy-csp-admx-performancediagnostics.md)
+- [WdiScenarioExecutionPolicy_2](policy-csp-admx-performancediagnostics.md)
+
+## ADMX_Power
+
+- [PW_PromptPasswordOnResume](policy-csp-admx-power.md)
+- [Dont_PowerOff_AfterShutdown](policy-csp-admx-power.md)
+- [DCStartMenuButtonAction_2](policy-csp-admx-power.md)
+- [ACStartMenuButtonAction_2](policy-csp-admx-power.md)
+- [DiskDCPowerDownTimeOut_2](policy-csp-admx-power.md)
+- [DiskACPowerDownTimeOut_2](policy-csp-admx-power.md)
+- [DCBatteryDischargeAction0_2](policy-csp-admx-power.md)
+- [DCBatteryDischargeLevel0_2](policy-csp-admx-power.md)
+- [DCBatteryDischargeAction1_2](policy-csp-admx-power.md)
+- [DCBatteryDischargeLevel1_2](policy-csp-admx-power.md)
+- [ReserveBatteryNotificationLevel](policy-csp-admx-power.md)
+- [DCBatteryDischargeLevel1UINotification_2](policy-csp-admx-power.md)
+- [PowerThrottlingTurnOff](policy-csp-admx-power.md)
+- [InboxActiveSchemeOverride_2](policy-csp-admx-power.md)
+- [AllowSystemPowerRequestDC](policy-csp-admx-power.md)
+- [AllowSystemPowerRequestAC](policy-csp-admx-power.md)
+- [AllowSystemSleepWithRemoteFilesOpenDC](policy-csp-admx-power.md)
+- [AllowSystemSleepWithRemoteFilesOpenAC](policy-csp-admx-power.md)
+- [DCConnectivityInStandby_2](policy-csp-admx-power.md)
+- [ACConnectivityInStandby_2](policy-csp-admx-power.md)
+- [DCCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md)
+- [ACCriticalSleepTransitionsDisable_2](policy-csp-admx-power.md)
+- [CustomActiveSchemeOverride_2](policy-csp-admx-power.md)
+- [EnableDesktopSlideShowDC](policy-csp-admx-power.md)
+- [EnableDesktopSlideShowAC](policy-csp-admx-power.md)
+
+## ADMX_PowerShellExecutionPolicy
+
+- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
+- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
+- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
+- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md)
+- [EnableUpdateHelpDefaultSourcePath](policy-csp-admx-powershellexecutionpolicy.md)
+- [EnableModuleLogging](policy-csp-admx-powershellexecutionpolicy.md)
+- [EnableTranscripting](policy-csp-admx-powershellexecutionpolicy.md)
+- [EnableScripts](policy-csp-admx-powershellexecutionpolicy.md)
+
+## ADMX_PreviousVersions
+
+- [DisableLocalPage_1](policy-csp-admx-previousversions.md)
+- [DisableRemotePage_1](policy-csp-admx-previousversions.md)
+- [HideBackupEntries_1](policy-csp-admx-previousversions.md)
+- [DisableLocalRestore_1](policy-csp-admx-previousversions.md)
+- [DisableBackupRestore_1](policy-csp-admx-previousversions.md)
+- [DisableRemoteRestore_1](policy-csp-admx-previousversions.md)
+- [DisableLocalPage_2](policy-csp-admx-previousversions.md)
+- [DisableRemotePage_2](policy-csp-admx-previousversions.md)
+- [HideBackupEntries_2](policy-csp-admx-previousversions.md)
+- [DisableLocalRestore_2](policy-csp-admx-previousversions.md)
+- [DisableBackupRestore_2](policy-csp-admx-previousversions.md)
+- [DisableRemoteRestore_2](policy-csp-admx-previousversions.md)
+
+## ADMX_Printing
+
+- [IntranetPrintersUrl](policy-csp-admx-printing.md)
+- [DownlevelBrowse](policy-csp-admx-printing.md)
+- [PrinterDirectorySearchScope](policy-csp-admx-printing.md)
+- [PackagePointAndPrintOnly](policy-csp-admx-printing.md)
+- [PackagePointAndPrintServerList](policy-csp-admx-printing.md)
+- [NoDeletePrinter](policy-csp-admx-printing.md)
+- [LegacyDefaultPrinterMode](policy-csp-admx-printing.md)
+- [AllowWebPrinting](policy-csp-admx-printing.md)
+- [DomainPrinters](policy-csp-admx-printing.md)
+- [NonDomainPrinters](policy-csp-admx-printing.md)
+- [ShowJobTitleInEventLogs](policy-csp-admx-printing.md)
+- [ForceSoftwareRasterization](policy-csp-admx-printing.md)
+- [EMFDespooling](policy-csp-admx-printing.md)
+- [MXDWUseLegacyOutputFormatMSXPS](policy-csp-admx-printing.md)
+- [PhysicalLocation](policy-csp-admx-printing.md)
+- [CustomizedSupportUrl](policy-csp-admx-printing.md)
+- [KMPrintersAreBlocked](policy-csp-admx-printing.md)
+- [V4DriverDisallowPrinterExtension](policy-csp-admx-printing.md)
+- [PrintDriverIsolationExecutionPolicy](policy-csp-admx-printing.md)
+- [DoNotInstallCompatibleDriverFromWindowsUpdate](policy-csp-admx-printing.md)
+- [ApplicationDriverIsolation](policy-csp-admx-printing.md)
+- [PackagePointAndPrintOnly_Win7](policy-csp-admx-printing.md)
+- [PrintDriverIsolationOverrideCompat](policy-csp-admx-printing.md)
+- [PackagePointAndPrintServerList_Win7](policy-csp-admx-printing.md)
+- [PhysicalLocationSupport](policy-csp-admx-printing.md)
+- [PrinterServerThread](policy-csp-admx-printing.md)
+
+## ADMX_Printing2
+
+- [RegisterSpoolerRemoteRpcEndPoint](policy-csp-admx-printing2.md)
+- [ImmortalPrintQueue](policy-csp-admx-printing2.md)
+- [AutoPublishing](policy-csp-admx-printing2.md)
+- [VerifyPublishedState](policy-csp-admx-printing2.md)
+- [PruningInterval](policy-csp-admx-printing2.md)
+- [PruningPriority](policy-csp-admx-printing2.md)
+- [PruningRetries](policy-csp-admx-printing2.md)
+- [PruningRetryLog](policy-csp-admx-printing2.md)
+- [PruneDownlevel](policy-csp-admx-printing2.md)
+
+## ADMX_Programs
+
+- [NoGetPrograms](policy-csp-admx-programs.md)
+- [NoInstalledUpdates](policy-csp-admx-programs.md)
+- [NoProgramsAndFeatures](policy-csp-admx-programs.md)
+- [NoDefaultPrograms](policy-csp-admx-programs.md)
+- [NoWindowsFeatures](policy-csp-admx-programs.md)
+- [NoWindowsMarketplace](policy-csp-admx-programs.md)
+- [NoProgramsCPL](policy-csp-admx-programs.md)
+
+## ADMX_PushToInstall
+
+- [DisablePushToInstall](policy-csp-admx-pushtoinstall.md)
+
+## ADMX_QOS
+
+- [QosServiceTypeBestEffort_C](policy-csp-admx-qos.md)
+- [QosServiceTypeControlledLoad_C](policy-csp-admx-qos.md)
+- [QosServiceTypeGuaranteed_C](policy-csp-admx-qos.md)
+- [QosServiceTypeNetworkControl_C](policy-csp-admx-qos.md)
+- [QosServiceTypeQualitative_C](policy-csp-admx-qos.md)
+- [QosServiceTypeBestEffort_NC](policy-csp-admx-qos.md)
+- [QosServiceTypeControlledLoad_NC](policy-csp-admx-qos.md)
+- [QosServiceTypeGuaranteed_NC](policy-csp-admx-qos.md)
+- [QosServiceTypeNetworkControl_NC](policy-csp-admx-qos.md)
+- [QosServiceTypeQualitative_NC](policy-csp-admx-qos.md)
+- [QosServiceTypeBestEffort_PV](policy-csp-admx-qos.md)
+- [QosServiceTypeControlledLoad_PV](policy-csp-admx-qos.md)
+- [QosServiceTypeGuaranteed_PV](policy-csp-admx-qos.md)
+- [QosServiceTypeNetworkControl_PV](policy-csp-admx-qos.md)
+- [QosServiceTypeNonConforming](policy-csp-admx-qos.md)
+- [QosServiceTypeQualitative_PV](policy-csp-admx-qos.md)
+- [QosMaxOutstandingSends](policy-csp-admx-qos.md)
+- [QosNonBestEffortLimit](policy-csp-admx-qos.md)
+- [QosTimerResolution](policy-csp-admx-qos.md)
+
+## ADMX_Radar
+
+- [WdiScenarioExecutionPolicy](policy-csp-admx-radar.md)
+
+## ADMX_Reliability
+
+- [ShutdownEventTrackerStateFile](policy-csp-admx-reliability.md)
+- [ShutdownReason](policy-csp-admx-reliability.md)
+- [EE_EnablePersistentTimeStamp](policy-csp-admx-reliability.md)
+- [PCH_ReportShutdownEvents](policy-csp-admx-reliability.md)
+
+## ADMX_RemoteAssistance
+
+- [RA_EncryptedTicketOnly](policy-csp-admx-remoteassistance.md)
+- [RA_Optimize_Bandwidth](policy-csp-admx-remoteassistance.md)
+
+## ADMX_RemovableStorage
+
+- [RemovableStorageClasses_DenyAll_Access_1](policy-csp-admx-removablestorage.md)
+- [CDandDVD_DenyRead_Access_1](policy-csp-admx-removablestorage.md)
+- [CDandDVD_DenyWrite_Access_1](policy-csp-admx-removablestorage.md)
+- [CustomClasses_DenyRead_Access_1](policy-csp-admx-removablestorage.md)
+- [CustomClasses_DenyWrite_Access_1](policy-csp-admx-removablestorage.md)
+- [FloppyDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md)
+- [FloppyDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md)
+- [RemovableDisks_DenyRead_Access_1](policy-csp-admx-removablestorage.md)
+- [RemovableDisks_DenyWrite_Access_1](policy-csp-admx-removablestorage.md)
+- [AccessRights_RebootTime_1](policy-csp-admx-removablestorage.md)
+- [TapeDrives_DenyRead_Access_1](policy-csp-admx-removablestorage.md)
+- [TapeDrives_DenyWrite_Access_1](policy-csp-admx-removablestorage.md)
+- [WPDDevices_DenyRead_Access_1](policy-csp-admx-removablestorage.md)
+- [WPDDevices_DenyWrite_Access_1](policy-csp-admx-removablestorage.md)
+- [RemovableStorageClasses_DenyAll_Access_2](policy-csp-admx-removablestorage.md)
+- [Removable_Remote_Allow_Access](policy-csp-admx-removablestorage.md)
+- [CDandDVD_DenyExecute_Access_2](policy-csp-admx-removablestorage.md)
+- [CDandDVD_DenyRead_Access_2](policy-csp-admx-removablestorage.md)
+- [CDandDVD_DenyWrite_Access_2](policy-csp-admx-removablestorage.md)
+- [CustomClasses_DenyRead_Access_2](policy-csp-admx-removablestorage.md)
+- [CustomClasses_DenyWrite_Access_2](policy-csp-admx-removablestorage.md)
+- [FloppyDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md)
+- [FloppyDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md)
+- [FloppyDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md)
+- [RemovableDisks_DenyExecute_Access_2](policy-csp-admx-removablestorage.md)
+- [RemovableDisks_DenyRead_Access_2](policy-csp-admx-removablestorage.md)
+- [AccessRights_RebootTime_2](policy-csp-admx-removablestorage.md)
+- [TapeDrives_DenyExecute_Access_2](policy-csp-admx-removablestorage.md)
+- [TapeDrives_DenyRead_Access_2](policy-csp-admx-removablestorage.md)
+- [TapeDrives_DenyWrite_Access_2](policy-csp-admx-removablestorage.md)
+- [WPDDevices_DenyRead_Access_2](policy-csp-admx-removablestorage.md)
+- [WPDDevices_DenyWrite_Access_2](policy-csp-admx-removablestorage.md)
+
+## ADMX_RPC
+
+- [RpcIgnoreDelegationFailure](policy-csp-admx-rpc.md)
+- [RpcStateInformation](policy-csp-admx-rpc.md)
+- [RpcExtendedErrorInformation](policy-csp-admx-rpc.md)
+- [RpcMinimumHttpConnectionTimeout](policy-csp-admx-rpc.md)
+
+## ADMX_sam
+
+- [SamNGCKeyROCAValidation](policy-csp-admx-sam.md)
+
+## ADMX_Scripts
+
+- [Run_Logoff_Script_Visible](policy-csp-admx-scripts.md)
+- [Run_Logon_Script_Visible](policy-csp-admx-scripts.md)
+- [Run_Legacy_Logon_Script_Hidden](policy-csp-admx-scripts.md)
+- [Run_Logon_Script_Sync_1](policy-csp-admx-scripts.md)
+- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md)
+- [Allow_Logon_Script_NetbiosDisabled](policy-csp-admx-scripts.md)
+- [Run_Shutdown_Script_Visible](policy-csp-admx-scripts.md)
+- [Run_Startup_Script_Visible](policy-csp-admx-scripts.md)
+- [Run_Logon_Script_Sync_2](policy-csp-admx-scripts.md)
+- [Run_Startup_Script_Sync](policy-csp-admx-scripts.md)
+- [Run_Computer_PS_Scripts_First](policy-csp-admx-scripts.md)
+- [Run_User_PS_Scripts_First](policy-csp-admx-scripts.md)
+- [MaxGPOScriptWaitPolicy](policy-csp-admx-scripts.md)
+
+## ADMX_sdiageng
+
+- [ScriptedDiagnosticsSecurityPolicy](policy-csp-admx-sdiageng.md)
+- [ScriptedDiagnosticsExecutionPolicy](policy-csp-admx-sdiageng.md)
+- [BetterWhenConnected](policy-csp-admx-sdiageng.md)
+
+## ADMX_sdiagschd
+
+- [ScheduledDiagnosticsExecutionPolicy](policy-csp-admx-sdiagschd.md)
+
+## ADMX_Securitycenter
+
+- [SecurityCenter_SecurityCenterInDomain](policy-csp-admx-securitycenter.md)
+
+## ADMX_Sensors
+
+- [DisableLocation_1](policy-csp-admx-sensors.md)
+- [DisableLocationScripting_1](policy-csp-admx-sensors.md)
+- [DisableSensors_1](policy-csp-admx-sensors.md)
+- [DisableLocationScripting_2](policy-csp-admx-sensors.md)
+- [DisableSensors_2](policy-csp-admx-sensors.md)
+
+## ADMX_ServerManager
+
+- [Do_not_display_Manage_Your_Server_page](policy-csp-admx-servermanager.md)
+- [ServerManagerAutoRefreshRate](policy-csp-admx-servermanager.md)
+- [DoNotLaunchInitialConfigurationTasks](policy-csp-admx-servermanager.md)
+- [DoNotLaunchServerManager](policy-csp-admx-servermanager.md)
+
+## ADMX_Servicing
+
+- [Servicing](policy-csp-admx-servicing.md)
+
+## ADMX_SettingSync
+
+- [DisableSettingSync](policy-csp-admx-settingsync.md)
+- [DisableApplicationSettingSync](policy-csp-admx-settingsync.md)
+- [DisableAppSyncSettingSync](policy-csp-admx-settingsync.md)
+- [DisableDesktopThemeSettingSync](policy-csp-admx-settingsync.md)
+- [DisableSyncOnPaidNetwork](policy-csp-admx-settingsync.md)
+- [DisableWindowsSettingSync](policy-csp-admx-settingsync.md)
+- [DisableCredentialsSettingSync](policy-csp-admx-settingsync.md)
+- [DisablePersonalizationSettingSync](policy-csp-admx-settingsync.md)
+- [DisableStartLayoutSettingSync](policy-csp-admx-settingsync.md)
+
+## ADMX_SharedFolders
+
+- [PublishDfsRoots](policy-csp-admx-sharedfolders.md)
+- [PublishSharedFolders](policy-csp-admx-sharedfolders.md)
+
+## ADMX_Sharing
+
+- [NoInplaceSharing](policy-csp-admx-sharing.md)
+- [DisableHomeGroup](policy-csp-admx-sharing.md)
+
+## ADMX_ShellCommandPromptRegEditTools
+
+- [DisallowApps](policy-csp-admx-shellcommandpromptregedittools.md)
+- [DisableRegedit](policy-csp-admx-shellcommandpromptregedittools.md)
+- [DisableCMD](policy-csp-admx-shellcommandpromptregedittools.md)
+- [RestrictApps](policy-csp-admx-shellcommandpromptregedittools.md)
+
+## ADMX_Smartcard
+
+- [AllowCertificatesWithNoEKU](policy-csp-admx-smartcard.md)
+- [EnumerateECCCerts](policy-csp-admx-smartcard.md)
+- [AllowIntegratedUnblock](policy-csp-admx-smartcard.md)
+- [AllowSignatureOnlyKeys](policy-csp-admx-smartcard.md)
+- [AllowTimeInvalidCertificates](policy-csp-admx-smartcard.md)
+- [X509HintsNeeded](policy-csp-admx-smartcard.md)
+- [CertPropRootCleanupString](policy-csp-admx-smartcard.md)
+- [IntegratedUnblockPromptString](policy-csp-admx-smartcard.md)
+- [FilterDuplicateCerts](policy-csp-admx-smartcard.md)
+- [ForceReadingAllCertificates](policy-csp-admx-smartcard.md)
+- [SCPnPNotification](policy-csp-admx-smartcard.md)
+- [DisallowPlaintextPin](policy-csp-admx-smartcard.md)
+- [ReverseSubject](policy-csp-admx-smartcard.md)
+- [CertPropEnabledString](policy-csp-admx-smartcard.md)
+- [CertPropRootEnabledString](policy-csp-admx-smartcard.md)
+- [SCPnPEnabled](policy-csp-admx-smartcard.md)
+
+## ADMX_Snmp
+
+- [SNMP_Communities](policy-csp-admx-snmp.md)
+- [SNMP_PermittedManagers](policy-csp-admx-snmp.md)
+- [SNMP_Traps_Public](policy-csp-admx-snmp.md)
+
+## ADMX_SoundRec
+
+- [Soundrec_DiableApplication_TitleText_1](policy-csp-admx-soundrec.md)
+- [Soundrec_DiableApplication_TitleText_2](policy-csp-admx-soundrec.md)
+
+## ADMX_srmfci
+
+- [AccessDeniedConfiguration](policy-csp-admx-srmfci.md)
+- [EnableShellAccessCheck](policy-csp-admx-srmfci.md)
+- [EnableManualUX](policy-csp-admx-srmfci.md)
+- [CentralClassificationList](policy-csp-admx-srmfci.md)
+
+## ADMX_StartMenu
+
+- [MemCheckBoxInRunDlg](policy-csp-admx-startmenu.md)
+- [ForceStartMenuLogOff](policy-csp-admx-startmenu.md)
+- [AddSearchInternetLinkInStartMenu](policy-csp-admx-startmenu.md)
+- [ShowRunInStartMenu](policy-csp-admx-startmenu.md)
+- [PowerButtonAction](policy-csp-admx-startmenu.md)
+- [ClearRecentDocsOnExit](policy-csp-admx-startmenu.md)
+- [ClearRecentProgForNewUserInStartMenu](policy-csp-admx-startmenu.md)
+- [ClearTilesOnExit](policy-csp-admx-startmenu.md)
+- [NoToolbarsOnTaskbar](policy-csp-admx-startmenu.md)
+- [NoSearchCommInStartMenu](policy-csp-admx-startmenu.md)
+- [NoSearchFilesInStartMenu](policy-csp-admx-startmenu.md)
+- [NoSearchInternetInStartMenu](policy-csp-admx-startmenu.md)
+- [NoSearchProgramsInStartMenu](policy-csp-admx-startmenu.md)
+- [NoResolveSearch](policy-csp-admx-startmenu.md)
+- [NoResolveTrack](policy-csp-admx-startmenu.md)
+- [NoStartPage](policy-csp-admx-startmenu.md)
+- [GoToDesktopOnSignIn](policy-csp-admx-startmenu.md)
+- [GreyMSIAds](policy-csp-admx-startmenu.md)
+- [NoTrayItemsDisplay](policy-csp-admx-startmenu.md)
+- [DesktopAppsFirstInAppsView](policy-csp-admx-startmenu.md)
+- [LockTaskbar](policy-csp-admx-startmenu.md)
+- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md)
+- [NoSetTaskbar](policy-csp-admx-startmenu.md)
+- [NoTaskGrouping](policy-csp-admx-startmenu.md)
+- [NoChangeStartMenu](policy-csp-admx-startmenu.md)
+- [NoUninstallFromStart](policy-csp-admx-startmenu.md)
+- [NoTrayContextMenu](policy-csp-admx-startmenu.md)
+- [NoMoreProgramsList](policy-csp-admx-startmenu.md)
+- [NoClose](policy-csp-admx-startmenu.md)
+- [NoBalloonTip](policy-csp-admx-startmenu.md)
+- [NoTaskBarClock](policy-csp-admx-startmenu.md)
+- [NoCommonGroups](policy-csp-admx-startmenu.md)
+- [NoSMConfigurePrograms](policy-csp-admx-startmenu.md)
+- [NoSMMyDocuments](policy-csp-admx-startmenu.md)
+- [NoStartMenuDownload](policy-csp-admx-startmenu.md)
+- [NoFavoritesMenu](policy-csp-admx-startmenu.md)
+- [NoGamesFolderOnStartMenu](policy-csp-admx-startmenu.md)
+- [NoHelp](policy-csp-admx-startmenu.md)
+- [NoStartMenuHomegroup](policy-csp-admx-startmenu.md)
+- [NoWindowsUpdate](policy-csp-admx-startmenu.md)
+- [StartMenuLogOff](policy-csp-admx-startmenu.md)
+- [NoSMMyMusic](policy-csp-admx-startmenu.md)
+- [NoNetAndDialupConnect](policy-csp-admx-startmenu.md)
+- [NoSMMyNetworkPlaces](policy-csp-admx-startmenu.md)
+- [NoSMMyPictures](policy-csp-admx-startmenu.md)
+- [NoPinnedPrograms](policy-csp-admx-startmenu.md)
+- [NoSetFolders](policy-csp-admx-startmenu.md)
+- [NoRecentDocsMenu](policy-csp-admx-startmenu.md)
+- [NoStartMenuRecordedTV](policy-csp-admx-startmenu.md)
+- [NoRun](policy-csp-admx-startmenu.md)
+- [NoSearchComputerLinkInStartMenu](policy-csp-admx-startmenu.md)
+- [NoFind](policy-csp-admx-startmenu.md)
+- [NoSearchEverywhereLinkInStartMenu](policy-csp-admx-startmenu.md)
+- [RemoveUnDockPCButton](policy-csp-admx-startmenu.md)
+- [NoUserFolderOnStartMenu](policy-csp-admx-startmenu.md)
+- [NoUserNameOnStartMenu](policy-csp-admx-startmenu.md)
+- [NoStartMenuSubFolders](policy-csp-admx-startmenu.md)
+- [NoStartMenuVideos](policy-csp-admx-startmenu.md)
+- [DisableGlobalSearchOnAppsView](policy-csp-admx-startmenu.md)
+- [ShowRunAsDifferentUserInStart](policy-csp-admx-startmenu.md)
+- [QuickLaunchEnabled](policy-csp-admx-startmenu.md)
+- [ShowStartOnDisplayWithForegroundOnWinKey](policy-csp-admx-startmenu.md)
+- [ShowAppsViewOnStart](policy-csp-admx-startmenu.md)
+- [NoAutoTrayNotify](policy-csp-admx-startmenu.md)
+- [Intellimenus](policy-csp-admx-startmenu.md)
+- [NoInstrumentation](policy-csp-admx-startmenu.md)
+- [StartPinAppsWhenInstalled](policy-csp-admx-startmenu.md)
+- [NoSetTaskbar](policy-csp-admx-startmenu.md)
+- [NoChangeStartMenu](policy-csp-admx-startmenu.md)
+- [NoUninstallFromStart](policy-csp-admx-startmenu.md)
+- [NoTrayContextMenu](policy-csp-admx-startmenu.md)
+- [NoMoreProgramsList](policy-csp-admx-startmenu.md)
+- [HidePowerOptions](policy-csp-admx-startmenu.md)
+- [NoRun](policy-csp-admx-startmenu.md)
+
+## ADMX_SystemRestore
+
+- [SR_DisableConfig](policy-csp-admx-systemrestore.md)
+
+## ADMX_TabletPCInputPanel
+
+- [Prediction_1](policy-csp-admx-tabletpcinputpanel.md)
+- [IPTIPTarget_1](policy-csp-admx-tabletpcinputpanel.md)
+- [IPTIPTouchTarget_1](policy-csp-admx-tabletpcinputpanel.md)
+- [RareChar_1](policy-csp-admx-tabletpcinputpanel.md)
+- [EdgeTarget_1](policy-csp-admx-tabletpcinputpanel.md)
+- [AutoComplete_1](policy-csp-admx-tabletpcinputpanel.md)
+- [PasswordSecurity_1](policy-csp-admx-tabletpcinputpanel.md)
+- [ScratchOut_1](policy-csp-admx-tabletpcinputpanel.md)
+- [Prediction_2](policy-csp-admx-tabletpcinputpanel.md)
+- [IPTIPTarget_2](policy-csp-admx-tabletpcinputpanel.md)
+- [IPTIPTouchTarget_2](policy-csp-admx-tabletpcinputpanel.md)
+- [RareChar_2](policy-csp-admx-tabletpcinputpanel.md)
+- [EdgeTarget_2](policy-csp-admx-tabletpcinputpanel.md)
+- [AutoComplete_2](policy-csp-admx-tabletpcinputpanel.md)
+- [PasswordSecurity_2](policy-csp-admx-tabletpcinputpanel.md)
+- [ScratchOut_2](policy-csp-admx-tabletpcinputpanel.md)
+
+## ADMX_TabletShell
+
+- [DisableInkball_1](policy-csp-admx-tabletshell.md)
+- [DisableNoteWriterPrinting_1](policy-csp-admx-tabletshell.md)
+- [DisableSnippingTool_1](policy-csp-admx-tabletshell.md)
+- [DisableJournal_1](policy-csp-admx-tabletshell.md)
+- [TurnOffFeedback_1](policy-csp-admx-tabletshell.md)
+- [PreventBackEscMapping_1](policy-csp-admx-tabletshell.md)
+- [PreventLaunchApp_1](policy-csp-admx-tabletshell.md)
+- [PreventPressAndHold_1](policy-csp-admx-tabletshell.md)
+- [TurnOffButtons_1](policy-csp-admx-tabletshell.md)
+- [PreventFlicksLearningMode_1](policy-csp-admx-tabletshell.md)
+- [PreventFlicks_1](policy-csp-admx-tabletshell.md)
+- [DisableInkball_2](policy-csp-admx-tabletshell.md)
+- [DisableNoteWriterPrinting_2](policy-csp-admx-tabletshell.md)
+- [DisableSnippingTool_2](policy-csp-admx-tabletshell.md)
+- [DisableJournal_2](policy-csp-admx-tabletshell.md)
+- [TurnOffFeedback_2](policy-csp-admx-tabletshell.md)
+- [PreventBackEscMapping_2](policy-csp-admx-tabletshell.md)
+- [PreventLaunchApp_2](policy-csp-admx-tabletshell.md)
+- [PreventPressAndHold_2](policy-csp-admx-tabletshell.md)
+- [TurnOffButtons_2](policy-csp-admx-tabletshell.md)
+- [PreventFlicksLearningMode_2](policy-csp-admx-tabletshell.md)
+- [PreventFlicks_2](policy-csp-admx-tabletshell.md)
+
+## ADMX_Taskbar
+
+- [EnableLegacyBalloonNotifications](policy-csp-admx-taskbar.md)
+- [NoPinningToDestinations](policy-csp-admx-taskbar.md)
+- [NoPinningToTaskbar](policy-csp-admx-taskbar.md)
+- [NoPinningStoreToTaskbar](policy-csp-admx-taskbar.md)
+- [TaskbarNoMultimon](policy-csp-admx-taskbar.md)
+- [NoRemoteDestinations](policy-csp-admx-taskbar.md)
+- [TaskbarLockAll](policy-csp-admx-taskbar.md)
+- [TaskbarNoAddRemoveToolbar](policy-csp-admx-taskbar.md)
+- [TaskbarNoRedock](policy-csp-admx-taskbar.md)
+- [TaskbarNoDragToolbar](policy-csp-admx-taskbar.md)
+- [TaskbarNoResize](policy-csp-admx-taskbar.md)
+- [DisableNotificationCenter](policy-csp-admx-taskbar.md)
+- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md)
+- [HideSCAPower](policy-csp-admx-taskbar.md)
+- [HideSCANetwork](policy-csp-admx-taskbar.md)
+- [HideSCAHealth](policy-csp-admx-taskbar.md)
+- [HideSCAVolume](policy-csp-admx-taskbar.md)
+- [ShowWindowsStoreAppsOnTaskbar](policy-csp-admx-taskbar.md)
+- [TaskbarNoNotification](policy-csp-admx-taskbar.md)
+- [NoSystraySystemPromotion](policy-csp-admx-taskbar.md)
+- [NoBalloonFeatureAdvertisements](policy-csp-admx-taskbar.md)
+- [TaskbarNoThumbnail](policy-csp-admx-taskbar.md)
+- [DisableNotificationCenter](policy-csp-admx-taskbar.md)
+- [TaskbarNoPinnedList](policy-csp-admx-taskbar.md)
+
+## ADMX_tcpip
+
+- [6to4_Router_Name](policy-csp-admx-tcpip.md)
+- [6to4_Router_Name_Resolution_Interval](policy-csp-admx-tcpip.md)
+- [6to4_State](policy-csp-admx-tcpip.md)
+- [IPHTTPS_ClientState](policy-csp-admx-tcpip.md)
+- [ISATAP_Router_Name](policy-csp-admx-tcpip.md)
+- [ISATAP_State](policy-csp-admx-tcpip.md)
+- [Teredo_Client_Port](policy-csp-admx-tcpip.md)
+- [Teredo_Default_Qualified](policy-csp-admx-tcpip.md)
+- [Teredo_Refresh_Rate](policy-csp-admx-tcpip.md)
+- [Teredo_Server_Name](policy-csp-admx-tcpip.md)
+- [Teredo_State](policy-csp-admx-tcpip.md)
+- [IP_Stateless_Autoconfiguration_Limits_State](policy-csp-admx-tcpip.md)
+- [Windows_Scaling_Heuristics_State](policy-csp-admx-tcpip.md)
+
+## ADMX_TerminalServer
+
+- [TS_GATEWAY_POLICY_ENABLE](policy-csp-admx-terminalserver.md)
+- [TS_GATEWAY_POLICY_AUTH_METHOD](policy-csp-admx-terminalserver.md)
+- [TS_GATEWAY_POLICY_SERVER](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_ALLOW_UNSIGNED_FILES_1](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_ALLOW_SIGNED_FILES_1](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_DISABLE_PASSWORD_SAVING_1](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2](policy-csp-admx-terminalserver.md)
+- [TS_RemoteControl_1](policy-csp-admx-terminalserver.md)
+- [TS_EASY_PRINT_User](policy-csp-admx-terminalserver.md)
+- [TS_START_PROGRAM_1](policy-csp-admx-terminalserver.md)
+- [TS_Session_End_On_Limit_1](policy-csp-admx-terminalserver.md)
+- [TS_SESSIONS_Idle_Limit_1](policy-csp-admx-terminalserver.md)
+- [TS_SESSIONS_Limits_1](policy-csp-admx-terminalserver.md)
+- [TS_SESSIONS_Disconnected_Timeout_1](policy-csp-admx-terminalserver.md)
+- [TS_RADC_DefaultConnection](policy-csp-admx-terminalserver.md)
+- [TS_LICENSE_SECGROUP](policy-csp-admx-terminalserver.md)
+- [TS_PreventLicenseUpgrade](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_ALLOW_UNSIGNED_FILES_2](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_ALLOW_SIGNED_FILES_2](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_AUTH](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_DISABLE_HARDWARE_MODE](policy-csp-admx-terminalserver.md)
+- [TS_PROMT_CREDS_CLIENT_COMP](policy-csp-admx-terminalserver.md)
+- [TS_USB_REDIRECTION_DISABLE](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_TURN_OFF_UDP](policy-csp-admx-terminalserver.md)
+- [TS_AUTO_RECONNECT](policy-csp-admx-terminalserver.md)
+- [TS_KEEP_ALIVE](policy-csp-admx-terminalserver.md)
+- [TS_FORCIBLE_LOGOFF](policy-csp-admx-terminalserver.md)
+- [TS_MAX_CON_POLICY](policy-csp-admx-terminalserver.md)
+- [TS_SINGLE_SESSION](policy-csp-admx-terminalserver.md)
+- [TS_SELECT_NETWORK_DETECT](policy-csp-admx-terminalserver.md)
+- [TS_SELECT_TRANSPORT](policy-csp-admx-terminalserver.md)
+- [TS_RemoteControl_2](policy-csp-admx-terminalserver.md)
+- [TS_RDSAppX_WaitForRegistration](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_AUDIO](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_AUDIO_CAPTURE](policy-csp-admx-terminalserver.md)
+- [TS_TIME_ZONE](policy-csp-admx-terminalserver.md)
+- [TS_UIA](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_CLIPBOARD](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_COM](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_LPT](policy-csp-admx-terminalserver.md)
+- [TS_SMART_CARD](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_PNP](policy-csp-admx-terminalserver.md)
+- [TS_CAMERA_REDIRECTION](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_AUDIO_QUALITY](policy-csp-admx-terminalserver.md)
+- [TS_LICENSE_TOOLTIP](policy-csp-admx-terminalserver.md)
+- [TS_LICENSING_MODE](policy-csp-admx-terminalserver.md)
+- [TS_LICENSE_SERVERS](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_PRINTER](policy-csp-admx-terminalserver.md)
+- [TS_CLIENT_DEFAULT_M](policy-csp-admx-terminalserver.md)
+- [TS_FALLBACKPRINTDRIVERTYPE](policy-csp-admx-terminalserver.md)
+- [TS_EASY_PRINT](policy-csp-admx-terminalserver.md)
+- [TS_DELETE_ROAMING_USER_PROFILES](policy-csp-admx-terminalserver.md)
+- [TS_USER_PROFILES](policy-csp-admx-terminalserver.md)
+- [TS_USER_HOME](policy-csp-admx-terminalserver.md)
+- [TS_USER_MANDATORY_PROFILES](policy-csp-admx-terminalserver.md)
+- [TS_SD_ClustName](policy-csp-admx-terminalserver.md)
+- [TS_SD_Loc](policy-csp-admx-terminalserver.md)
+- [TS_JOIN_SESSION_DIRECTORY](policy-csp-admx-terminalserver.md)
+- [TS_SD_EXPOSE_ADDRESS](policy-csp-admx-terminalserver.md)
+- [TS_TURNOFF_SINGLEAPP](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_COMPRESSOR](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_AVC_HW_ENCODE_PREFERRED](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_IMAGE_QUALITY](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_PROFILE](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_LEGACY_RFX](policy-csp-admx-terminalserver.md)
+- [TS_DISABLE_REMOTE_DESKTOP_WALLPAPER](policy-csp-admx-terminalserver.md)
+- [TS_COLORDEPTH](policy-csp-admx-terminalserver.md)
+- [TS_MAXDISPLAYRES](policy-csp-admx-terminalserver.md)
+- [TS_MAXMONITOR](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_AVC444_MODE_PREFERRED](policy-csp-admx-terminalserver.md)
+- [TS_EnableVirtualGraphics](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_VISEXP](policy-csp-admx-terminalserver.md)
+- [TS_RemoteDesktopVirtualGraphics](policy-csp-admx-terminalserver.md)
+- [TS_NoDisconnectMenu](policy-csp-admx-terminalserver.md)
+- [TS_NoSecurityMenu](policy-csp-admx-terminalserver.md)
+- [TS_START_PROGRAM_2](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP](policy-csp-admx-terminalserver.md)
+- [TS_DX_USE_FULL_HWGPU](policy-csp-admx-terminalserver.md)
+- [TS_SERVER_WDDM_GRAPHICS_DRIVER](policy-csp-admx-terminalserver.md)
+- [TS_TSCC_PERMISSIONS_POLICY](policy-csp-admx-terminalserver.md)
+- [TS_SECURITY_LAYER_POLICY](policy-csp-admx-terminalserver.md)
+- [TS_USER_AUTHENTICATION_POLICY](policy-csp-admx-terminalserver.md)
+- [TS_CERTIFICATE_TEMPLATE_POLICY](policy-csp-admx-terminalserver.md)
+- [TS_Session_End_On_Limit_2](policy-csp-admx-terminalserver.md)
+- [TS_SESSIONS_Idle_Limit_2](policy-csp-admx-terminalserver.md)
+- [TS_SESSIONS_Limits_2](policy-csp-admx-terminalserver.md)
+- [TS_SESSIONS_Disconnected_Timeout_2](policy-csp-admx-terminalserver.md)
+- [TS_TEMP_DELETE](policy-csp-admx-terminalserver.md)
+- [TS_TEMP_PER_SESSION](policy-csp-admx-terminalserver.md)
+
+## ADMX_Thumbnails
+
+- [DisableThumbsDBOnNetworkFolders](policy-csp-admx-thumbnails.md)
+- [DisableThumbnailsOnNetworkFolders](policy-csp-admx-thumbnails.md)
+- [DisableThumbnails](policy-csp-admx-thumbnails.md)
+
+## ADMX_TouchInput
+
+- [TouchInputOff_1](policy-csp-admx-touchinput.md)
+- [PanningEverywhereOff_1](policy-csp-admx-touchinput.md)
+- [TouchInputOff_2](policy-csp-admx-touchinput.md)
+- [PanningEverywhereOff_2](policy-csp-admx-touchinput.md)
+
+## ADMX_TPM
+
+- [OptIntoDSHA_Name](policy-csp-admx-tpm.md)
+- [OSManagedAuth_Name](policy-csp-admx-tpm.md)
+- [BlockedCommandsList_Name](policy-csp-admx-tpm.md)
+- [ClearTPMIfNotReady_Name](policy-csp-admx-tpm.md)
+- [UseLegacyDAP_Name](policy-csp-admx-tpm.md)
+- [IgnoreDefaultList_Name](policy-csp-admx-tpm.md)
+- [IgnoreLocalList_Name](policy-csp-admx-tpm.md)
+- [StandardUserAuthorizationFailureIndividualThreshold_Name](policy-csp-admx-tpm.md)
+- [StandardUserAuthorizationFailureDuration_Name](policy-csp-admx-tpm.md)
+- [StandardUserAuthorizationFailureTotalThreshold_Name](policy-csp-admx-tpm.md)
+
+## ADMX_UserExperienceVirtualization
+
+- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [Calculator](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md)
+- [Notepad](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [Wordpad](policy-csp-admx-userexperiencevirtualization.md)
+- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md)
+- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md)
+- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md)
+- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md)
+- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md)
+- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md)
+- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md)
+- [Finance](policy-csp-admx-userexperiencevirtualization.md)
+- [Games](policy-csp-admx-userexperiencevirtualization.md)
+- [Maps](policy-csp-admx-userexperiencevirtualization.md)
+- [Music](policy-csp-admx-userexperiencevirtualization.md)
+- [News](policy-csp-admx-userexperiencevirtualization.md)
+- [Reader](policy-csp-admx-userexperiencevirtualization.md)
+- [Sports](policy-csp-admx-userexperiencevirtualization.md)
+- [Travel](policy-csp-admx-userexperiencevirtualization.md)
+- [Video](policy-csp-admx-userexperiencevirtualization.md)
+- [Weather](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016AccessBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [Calculator](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016CommonBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016ExcelBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013InfoPathBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer10](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer11](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer8](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorer9](policy-csp-admx-userexperiencevirtualization.md)
+- [InternetExplorerCommon](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016LyncBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Access](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Access](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Access](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Excel](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Excel](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Excel](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010InfoPath](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013InfoPath](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Lync](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Lync](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Lync](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Common](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Common](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Common](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016UploadCenter](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Access2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Access2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Common2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Common2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Excel2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Excel2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365InfoPath2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Lync2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Lync2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365OneNote2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365OneNote2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Outlook2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Outlook2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365PowerPoint2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365PowerPoint2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Project2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Project2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Publisher2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Publisher2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365SharePointDesigner2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Visio2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Visio2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Word2013](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice365Word2016](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OneDriveForBusiness](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010OneNote](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OneNote](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OneNote](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Outlook](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Outlook](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Outlook](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016PowerPoint](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Project](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Project](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Project](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Publisher](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Publisher](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Publisher](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013SharePointDesigner](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010SharePointWorkspace](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Visio](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Visio](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Visio](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2010Word](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013Word](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016Word](policy-csp-admx-userexperiencevirtualization.md)
+- [Notepad](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OneNoteBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016OutlookBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016PowerPointBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016ProjectBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016PublisherBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013SharePointDesignerBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016VisioBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2013WordBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [MicrosoftOffice2016WordBackup](policy-csp-admx-userexperiencevirtualization.md)
+- [Wordpad](policy-csp-admx-userexperiencevirtualization.md)
+- [ConfigureSyncMethod](policy-csp-admx-userexperiencevirtualization.md)
+- [ContactITDescription](policy-csp-admx-userexperiencevirtualization.md)
+- [ContactITUrl](policy-csp-admx-userexperiencevirtualization.md)
+- [DisableWin8Sync](policy-csp-admx-userexperiencevirtualization.md)
+- [EnableUEV](policy-csp-admx-userexperiencevirtualization.md)
+- [FirstUseNotificationEnabled](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncProviderPingEnabled](policy-csp-admx-userexperiencevirtualization.md)
+- [MaxPackageSizeInBytes](policy-csp-admx-userexperiencevirtualization.md)
+- [SettingsStoragePath](policy-csp-admx-userexperiencevirtualization.md)
+- [SettingsTemplateCatalogPath](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncOverMeteredNetwork](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncOverMeteredNetworkWhenRoaming](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncUnlistedWindows8Apps](policy-csp-admx-userexperiencevirtualization.md)
+- [RepositoryTimeout](policy-csp-admx-userexperiencevirtualization.md)
+- [DisableWindowsOSSettings](policy-csp-admx-userexperiencevirtualization.md)
+- [TrayIconEnabled](policy-csp-admx-userexperiencevirtualization.md)
+- [SyncEnabled](policy-csp-admx-userexperiencevirtualization.md)
+- [ConfigureVdi](policy-csp-admx-userexperiencevirtualization.md)
+- [Finance](policy-csp-admx-userexperiencevirtualization.md)
+- [Games](policy-csp-admx-userexperiencevirtualization.md)
+- [Maps](policy-csp-admx-userexperiencevirtualization.md)
+- [Music](policy-csp-admx-userexperiencevirtualization.md)
+- [News](policy-csp-admx-userexperiencevirtualization.md)
+- [Reader](policy-csp-admx-userexperiencevirtualization.md)
+- [Sports](policy-csp-admx-userexperiencevirtualization.md)
+- [Travel](policy-csp-admx-userexperiencevirtualization.md)
+- [Video](policy-csp-admx-userexperiencevirtualization.md)
+- [Weather](policy-csp-admx-userexperiencevirtualization.md)
+
+## ADMX_UserProfiles
+
+- [LimitSize](policy-csp-admx-userprofiles.md)
+- [SlowLinkTimeOut](policy-csp-admx-userprofiles.md)
+- [CleanupProfiles](policy-csp-admx-userprofiles.md)
+- [DontForceUnloadHive](policy-csp-admx-userprofiles.md)
+- [ProfileErrorAction](policy-csp-admx-userprofiles.md)
+- [LeaveAppMgmtData](policy-csp-admx-userprofiles.md)
+- [USER_HOME](policy-csp-admx-userprofiles.md)
+- [UserInfoAccessAction](policy-csp-admx-userprofiles.md)
+
+## ADMX_W32Time
+
+- [W32TIME_POLICY_CONFIG](policy-csp-admx-w32time.md)
+- [W32TIME_POLICY_CONFIGURE_NTPCLIENT](policy-csp-admx-w32time.md)
+- [W32TIME_POLICY_ENABLE_NTPCLIENT](policy-csp-admx-w32time.md)
+- [W32TIME_POLICY_ENABLE_NTPSERVER](policy-csp-admx-w32time.md)
+
+## ADMX_WCM
+
+- [WCM_DisablePowerManagement](policy-csp-admx-wcm.md)
+- [WCM_EnableSoftDisconnect](policy-csp-admx-wcm.md)
+- [WCM_MinimizeConnections](policy-csp-admx-wcm.md)
+
+## ADMX_WDI
+
+- [WdiDpsScenarioExecutionPolicy](policy-csp-admx-wdi.md)
+- [WdiDpsScenarioDataSizeLimitPolicy](policy-csp-admx-wdi.md)
+
+## ADMX_WinCal
+
+- [TurnOffWinCal_1](policy-csp-admx-wincal.md)
+- [TurnOffWinCal_2](policy-csp-admx-wincal.md)
+
+## ADMX_WindowsColorSystem
+
+- [ProhibitChangingInstalledProfileList_1](policy-csp-admx-windowscolorsystem.md)
+- [ProhibitChangingInstalledProfileList_2](policy-csp-admx-windowscolorsystem.md)
+
+## ADMX_WindowsConnectNow
+
+- [WCN_DisableWcnUi_1](policy-csp-admx-windowsconnectnow.md)
+- [WCN_EnableRegistrar](policy-csp-admx-windowsconnectnow.md)
+- [WCN_DisableWcnUi_2](policy-csp-admx-windowsconnectnow.md)
+
+## ADMX_WindowsExplorer
+
+- [EnforceShellExtensionSecurity](policy-csp-admx-windowsexplorer.md)
+- [NoBackButton](policy-csp-admx-windowsexplorer.md)
+- [NoPlacesBar](policy-csp-admx-windowsexplorer.md)
+- [NoFileMRU](policy-csp-admx-windowsexplorer.md)
+- [PlacesBar](policy-csp-admx-windowsexplorer.md)
+- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md)
+- [DisableKnownFolders](policy-csp-admx-windowsexplorer.md)
+- [ConfirmFileDelete](policy-csp-admx-windowsexplorer.md)
+- [NoFolderOptions](policy-csp-admx-windowsexplorer.md)
+- [NoRecycleFiles](policy-csp-admx-windowsexplorer.md)
+- [NoRunAsInstallPrompt](policy-csp-admx-windowsexplorer.md)
+- [LinkResolveIgnoreLinkInfo](policy-csp-admx-windowsexplorer.md)
+- [NoDrives](policy-csp-admx-windowsexplorer.md)
+- [NoManageMyComputerVerb](policy-csp-admx-windowsexplorer.md)
+- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md)
+- [RecycleBinSize](policy-csp-admx-windowsexplorer.md)
+- [MaxRecentDocs](policy-csp-admx-windowsexplorer.md)
+- [NoWorkgroupContents](policy-csp-admx-windowsexplorer.md)
+- [NoEntireNetwork](policy-csp-admx-windowsexplorer.md)
+- [TryHarderPinnedOpenSearch](policy-csp-admx-windowsexplorer.md)
+- [TryHarderPinnedLibrary](policy-csp-admx-windowsexplorer.md)
+- [NoViewOnDrive](policy-csp-admx-windowsexplorer.md)
+- [NoNetConnectDisconnect](policy-csp-admx-windowsexplorer.md)
+- [NoCDBurning](policy-csp-admx-windowsexplorer.md)
+- [NoDFSTab](policy-csp-admx-windowsexplorer.md)
+- [NoViewContextMenu](policy-csp-admx-windowsexplorer.md)
+- [NoFileMenu](policy-csp-admx-windowsexplorer.md)
+- [NoHardwareTab](policy-csp-admx-windowsexplorer.md)
+- [NoShellSearchButton](policy-csp-admx-windowsexplorer.md)
+- [NoSecurityTab](policy-csp-admx-windowsexplorer.md)
+- [NoMyComputerSharedDocuments](policy-csp-admx-windowsexplorer.md)
+- [NoSearchInternetTryHarderButton](policy-csp-admx-windowsexplorer.md)
+- [NoChangeKeyboardNavigationIndicators](policy-csp-admx-windowsexplorer.md)
+- [NoChangeAnimation](policy-csp-admx-windowsexplorer.md)
+- [PromptRunasInstallNetPath](policy-csp-admx-windowsexplorer.md)
+- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md)
+- [NoCacheThumbNailPictures](policy-csp-admx-windowsexplorer.md)
+- [DisableSearchBoxSuggestions](policy-csp-admx-windowsexplorer.md)
+- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md)
+- [ShellProtocolProtectedModeTitle_1](policy-csp-admx-windowsexplorer.md)
+- [HideContentViewModeSnippets](policy-csp-admx-windowsexplorer.md)
+- [NoWindowsHotKeys](policy-csp-admx-windowsexplorer.md)
+- [DisableIndexedLibraryExperience](policy-csp-admx-windowsexplorer.md)
+- [ClassicShell](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
+- [EnableShellShortcutIconRemotePath](policy-csp-admx-windowsexplorer.md)
+- [EnableSmartScreen](policy-csp-admx-windowsexplorer.md)
+- [DisableBindDirectlyToPropertySetStorage](policy-csp-admx-windowsexplorer.md)
+- [NoNewAppAlert](policy-csp-admx-windowsexplorer.md)
+- [DefaultLibrariesLocation](policy-csp-admx-windowsexplorer.md)
+- [ShowHibernateOption](policy-csp-admx-windowsexplorer.md)
+- [ShowSleepOption](policy-csp-admx-windowsexplorer.md)
+- [ExplorerRibbonStartsMinimized](policy-csp-admx-windowsexplorer.md)
+- [NoStrCmpLogical](policy-csp-admx-windowsexplorer.md)
+- [ShellProtocolProtectedModeTitle_2](policy-csp-admx-windowsexplorer.md)
+- [CheckSameSourceAndTargetForFRAndDFS](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Internet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Internet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Intranet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Intranet](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_LocalMachine](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_LocalMachine](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_InternetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_InternetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_IntranetLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_LocalMachineLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_RestrictedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_TrustedLockdown](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Restricted](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Restricted](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchQuery_Trusted](policy-csp-admx-windowsexplorer.md)
+- [IZ_Policy_OpenSearchPreview_Trusted](policy-csp-admx-windowsexplorer.md)
+
+## ADMX_WindowsMediaDRM
+
+- [DisableOnline](policy-csp-admx-windowsmediadrm.md)
+
+## ADMX_WindowsMediaPlayer
+
+- [ConfigureHTTPProxySettings](policy-csp-admx-windowsmediaplayer.md)
+- [ConfigureMMSProxySettings](policy-csp-admx-windowsmediaplayer.md)
+- [NetworkBuffering](policy-csp-admx-windowsmediaplayer.md)
+- [ConfigureRTSPProxySettings](policy-csp-admx-windowsmediaplayer.md)
+- [DisableNetworkSettings](policy-csp-admx-windowsmediaplayer.md)
+- [WindowsStreamingMediaProtocols](policy-csp-admx-windowsmediaplayer.md)
+- [EnableScreenSaver](policy-csp-admx-windowsmediaplayer.md)
+- [PolicyCodecUpdate](policy-csp-admx-windowsmediaplayer.md)
+- [PreventCDDVDMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md)
+- [PreventMusicFileMetadataRetrieval](policy-csp-admx-windowsmediaplayer.md)
+- [PreventRadioPresetsRetrieval](policy-csp-admx-windowsmediaplayer.md)
+- [DoNotShowAnchor](policy-csp-admx-windowsmediaplayer.md)
+- [HidePrivacyTab](policy-csp-admx-windowsmediaplayer.md)
+- [HideSecurityTab](policy-csp-admx-windowsmediaplayer.md)
+- [SkinLockDown](policy-csp-admx-windowsmediaplayer.md)
+- [DisableSetupFirstUseConfiguration](policy-csp-admx-windowsmediaplayer.md)
+- [DisableAutoUpdate](policy-csp-admx-windowsmediaplayer.md)
+- [PreventWMPDeskTopShortcut](policy-csp-admx-windowsmediaplayer.md)
+- [PreventLibrarySharing](policy-csp-admx-windowsmediaplayer.md)
+- [PreventQuickLaunchShortcut](policy-csp-admx-windowsmediaplayer.md)
+- [DontUseFrameInterpolation](policy-csp-admx-windowsmediaplayer.md)
+
+## ADMX_WindowsRemoteManagement
+
+- [DisallowKerberos_2](policy-csp-admx-windowsremotemanagement.md)
+- [DisallowKerberos_1](policy-csp-admx-windowsremotemanagement.md)
+
+## ADMX_WindowsStore
+
+- [DisableOSUpgrade_1](policy-csp-admx-windowsstore.md)
+- [RemoveWindowsStore_1](policy-csp-admx-windowsstore.md)
+- [DisableAutoDownloadWin8](policy-csp-admx-windowsstore.md)
+- [DisableOSUpgrade_2](policy-csp-admx-windowsstore.md)
+- [RemoveWindowsStore_2](policy-csp-admx-windowsstore.md)
+
+## ADMX_WinInit
+
+- [Hiberboot](policy-csp-admx-wininit.md)
+- [ShutdownTimeoutHungSessionsDescription](policy-csp-admx-wininit.md)
+- [DisableNamedPipeShutdownPolicyDescription](policy-csp-admx-wininit.md)
+
+## ADMX_WinLogon
+
+- [CustomShell](policy-csp-admx-winlogon.md)
+- [LogonHoursNotificationPolicyDescription](policy-csp-admx-winlogon.md)
+- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md)
+- [LogonHoursPolicyDescription](policy-csp-admx-winlogon.md)
+- [SoftwareSASGeneration](policy-csp-admx-winlogon.md)
+- [DisplayLastLogonInfoDescription](policy-csp-admx-winlogon.md)
+- [ReportCachedLogonPolicyDescription](policy-csp-admx-winlogon.md)
+
+## ADMX_Winsrv
+
+- [AllowBlockingAppsAtShutdown](policy-csp-admx-winsrv.md)
+
+## ADMX_wlansvc
+
+- [SetPINPreferred](policy-csp-admx-wlansvc.md)
+- [SetPINEnforced](policy-csp-admx-wlansvc.md)
+- [SetCost](policy-csp-admx-wlansvc.md)
+
+## ADMX_WordWheel
+
+- [CustomSearch](policy-csp-admx-wordwheel.md)
+
+## ADMX_WorkFoldersClient
+
+- [Pol_UserEnableTokenBroker](policy-csp-admx-workfoldersclient.md)
+- [Pol_UserEnableWorkFolders](policy-csp-admx-workfoldersclient.md)
+- [Pol_MachineEnableWorkFolders](policy-csp-admx-workfoldersclient.md)
+
+## ADMX_WPN
+
+- [QuietHoursDailyBeginMinute](policy-csp-admx-wpn.md)
+- [QuietHoursDailyEndMinute](policy-csp-admx-wpn.md)
+- [NoCallsDuringQuietHours](policy-csp-admx-wpn.md)
+- [NoQuietHours](policy-csp-admx-wpn.md)
+- [NoToastNotification](policy-csp-admx-wpn.md)
+- [NoLockScreenToastNotification](policy-csp-admx-wpn.md)
+- [NoToastNotification](policy-csp-admx-wpn.md)
+
+## AppRuntime
+
+- [AllowMicrosoftAccountsToBeOptional](policy-csp-appruntime.md)
+
+## AppVirtualization
+
+- [AllowAppVClient](policy-csp-appvirtualization.md)
+- [ClientCoexistenceAllowMigrationmode](policy-csp-appvirtualization.md)
+- [IntegrationAllowRootUser](policy-csp-appvirtualization.md)
+- [IntegrationAllowRootGlobal](policy-csp-appvirtualization.md)
+- [AllowRoamingFileExclusions](policy-csp-appvirtualization.md)
+- [AllowRoamingRegistryExclusions](policy-csp-appvirtualization.md)
+- [AllowPackageCleanup](policy-csp-appvirtualization.md)
+- [AllowPublishingRefreshUX](policy-csp-appvirtualization.md)
+- [PublishingAllowServer1](policy-csp-appvirtualization.md)
+- [PublishingAllowServer2](policy-csp-appvirtualization.md)
+- [PublishingAllowServer3](policy-csp-appvirtualization.md)
+- [PublishingAllowServer4](policy-csp-appvirtualization.md)
+- [PublishingAllowServer5](policy-csp-appvirtualization.md)
+- [AllowReportingServer](policy-csp-appvirtualization.md)
+- [AllowPackageScripts](policy-csp-appvirtualization.md)
+- [StreamingAllowHighCostLaunch](policy-csp-appvirtualization.md)
+- [StreamingAllowCertificateFilterForClient_SSL](policy-csp-appvirtualization.md)
+- [StreamingSupportBranchCache](policy-csp-appvirtualization.md)
+- [StreamingAllowLocationProvider](policy-csp-appvirtualization.md)
+- [StreamingAllowPackageInstallationRoot](policy-csp-appvirtualization.md)
+- [StreamingAllowPackageSourceRoot](policy-csp-appvirtualization.md)
+- [StreamingAllowReestablishmentInterval](policy-csp-appvirtualization.md)
+- [StreamingAllowReestablishmentRetries](policy-csp-appvirtualization.md)
+- [StreamingSharedContentStoreMode](policy-csp-appvirtualization.md)
+- [AllowStreamingAutoload](policy-csp-appvirtualization.md)
+- [StreamingVerifyCertificateRevocationList](policy-csp-appvirtualization.md)
+- [AllowDynamicVirtualization](policy-csp-appvirtualization.md)
+- [VirtualComponentsAllowList](policy-csp-appvirtualization.md)
+
+## AttachmentManager
+
+- [DoNotPreserveZoneInformation](policy-csp-attachmentmanager.md)
+- [HideZoneInfoMechanism](policy-csp-attachmentmanager.md)
+- [NotifyAntivirusPrograms](policy-csp-attachmentmanager.md)
+
+## Autoplay
+
+- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
+- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
+- [TurnOffAutoPlay](policy-csp-autoplay.md)
+- [DisallowAutoplayForNonVolumeDevices](policy-csp-autoplay.md)
+- [SetDefaultAutoRunBehavior](policy-csp-autoplay.md)
+- [TurnOffAutoPlay](policy-csp-autoplay.md)
+
+## Cellular
+
+- [ShowAppCellularAccessUI](policy-csp-cellular.md)
+
+## Connectivity
+
+- [HardenedUNCPaths](policy-csp-connectivity.md)
+- [ProhibitInstallationAndConfigurationOfNetworkBridge](policy-csp-connectivity.md)
+- [DisableDownloadingOfPrintDriversOverHTTP](policy-csp-connectivity.md)
+- [DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](policy-csp-connectivity.md)
+- [DiablePrintingOverHTTP](policy-csp-connectivity.md)
+
+## CredentialProviders
+
+- [BlockPicturePassword](policy-csp-credentialproviders.md)
+- [AllowPINLogon](policy-csp-credentialproviders.md)
+
+## CredentialsDelegation
+
+- [RemoteHostAllowsDelegationOfNonExportableCredentials](policy-csp-credentialsdelegation.md)
+
+## CredentialsUI
+
+- [DisablePasswordReveal](policy-csp-credentialsui.md)
+- [DisablePasswordReveal](policy-csp-credentialsui.md)
+- [EnumerateAdministrators](policy-csp-credentialsui.md)
+
+## DataUsage
+
+- [SetCost3G](policy-csp-datausage.md)
+- [SetCost4G](policy-csp-datausage.md)
+
+## DeliveryOptimization
+
+- [DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md)
+- [DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md)
+
+## Desktop
+
+- [PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md)
+
+## DesktopAppInstaller
+
+- [EnableAppInstaller](policy-csp-desktopappinstaller.md)
+- [EnableSettings](policy-csp-desktopappinstaller.md)
+- [EnableExperimentalFeatures](policy-csp-desktopappinstaller.md)
+- [EnableLocalManifestFiles](policy-csp-desktopappinstaller.md)
+- [EnableHashOverride](policy-csp-desktopappinstaller.md)
+- [EnableDefaultSource](policy-csp-desktopappinstaller.md)
+- [EnableMicrosoftStoreSource](policy-csp-desktopappinstaller.md)
+- [SourceAutoUpdateInterval](policy-csp-desktopappinstaller.md)
+- [EnableAdditionalSources](policy-csp-desktopappinstaller.md)
+- [EnableAllowedSources](policy-csp-desktopappinstaller.md)
+- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
+
+## DeviceInstallation
+
+- [PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md)
+- [PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md)
+- [PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md)
+- [PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md)
+- [EnableInstallationPolicyLayering](policy-csp-deviceinstallation.md)
+- [AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md)
+- [AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md)
+- [AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md)
+- [PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md)
+
+## DeviceLock
+
+- [PreventLockScreenSlideShow](policy-csp-devicelock.md)
+- [PreventEnablingLockScreenCamera](policy-csp-devicelock.md)
+
+## ErrorReporting
+
+- [DisableWindowsErrorReporting](policy-csp-errorreporting.md)
+- [DisplayErrorNotification](policy-csp-errorreporting.md)
+- [DoNotSendAdditionalData](policy-csp-errorreporting.md)
+- [PreventCriticalErrorDisplay](policy-csp-errorreporting.md)
+- [CustomizeConsentSettings](policy-csp-errorreporting.md)
+
+## EventLogService
+
+- [ControlEventLogBehavior](policy-csp-eventlogservice.md)
+- [SpecifyMaximumFileSizeApplicationLog](policy-csp-eventlogservice.md)
+- [SpecifyMaximumFileSizeSecurityLog](policy-csp-eventlogservice.md)
+- [SpecifyMaximumFileSizeSystemLog](policy-csp-eventlogservice.md)
+
+## FileExplorer
+
+- [TurnOffDataExecutionPreventionForExplorer](policy-csp-fileexplorer.md)
+- [TurnOffHeapTerminationOnCorruption](policy-csp-fileexplorer.md)
+
+## InternetExplorer
+
+- [AddSearchProvider](policy-csp-internetexplorer.md)
+- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md)
+- [DisableProxyChange](policy-csp-internetexplorer.md)
+- [DisableSearchProviderChange](policy-csp-internetexplorer.md)
+- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md)
+- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md)
+- [AllowSuggestedSites](policy-csp-internetexplorer.md)
+- [DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md)
+- [DisableCompatView](policy-csp-internetexplorer.md)
+- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md)
+- [DisableFirstRunWizard](policy-csp-internetexplorer.md)
+- [DisableFlipAheadFeature](policy-csp-internetexplorer.md)
+- [DisableGeolocation](policy-csp-internetexplorer.md)
+- [DisableHomePageChange](policy-csp-internetexplorer.md)
+- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md)
+- [NewTabDefaultPage](policy-csp-internetexplorer.md)
+- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md)
+- [SearchProviderList](policy-csp-internetexplorer.md)
+- [AllowActiveXFiltering](policy-csp-internetexplorer.md)
+- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md)
+- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md)
+- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md)
+- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md)
+- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
+- [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
+- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
+- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
+- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
+- [JScriptReplacement](policy-csp-internetexplorer.md)
+- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md)
+- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md)
+- [DisableEncryptionSupport](policy-csp-internetexplorer.md)
+- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md)
+- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md)
+- [IncludeAllLocalSites](policy-csp-internetexplorer.md)
+- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md)
+- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md)
+- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [AllowAddOnList](policy-csp-internetexplorer.md)
+- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md)
+- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md)
+- [DisableEnclosureDownloading](policy-csp-internetexplorer.md)
+- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md)
+- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md)
+- [AllowOneWordEntry](policy-csp-internetexplorer.md)
+- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md)
+- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
+- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md)
+- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md)
+- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md)
+- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
+- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
+- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
+- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md)
+- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
+- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md)
+- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md)
+- [DisableConfiguringHistory](policy-csp-internetexplorer.md)
+- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md)
+- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
+- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
+- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
+- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
+- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
+- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
+- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
+- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
+- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
+- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md)
+- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
+- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md)
+- [DisableCrashDetection](policy-csp-internetexplorer.md)
+- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md)
+- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md)
+- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md)
+- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md)
+- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
+- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md)
+- [AllowAutoComplete](policy-csp-internetexplorer.md)
+- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md)
+- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
+- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
+- [DisableHTMLApplication](policy-csp-internetexplorer.md)
+- [AddSearchProvider](policy-csp-internetexplorer.md)
+- [DisableSecondaryHomePageChange](policy-csp-internetexplorer.md)
+- [DisableUpdateCheck](policy-csp-internetexplorer.md)
+- [DisableProxyChange](policy-csp-internetexplorer.md)
+- [DisableSearchProviderChange](policy-csp-internetexplorer.md)
+- [DisableCustomerExperienceImprovementProgramParticipation](policy-csp-internetexplorer.md)
+- [AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md)
+- [AllowSuggestedSites](policy-csp-internetexplorer.md)
+- [DisableCompatView](policy-csp-internetexplorer.md)
+- [DisableFeedsBackgroundSync](policy-csp-internetexplorer.md)
+- [DisableFirstRunWizard](policy-csp-internetexplorer.md)
+- [DisableFlipAheadFeature](policy-csp-internetexplorer.md)
+- [DisableGeolocation](policy-csp-internetexplorer.md)
+- [DisableWebAddressAutoComplete](policy-csp-internetexplorer.md)
+- [NewTabDefaultPage](policy-csp-internetexplorer.md)
+- [PreventManagingSmartScreenFilter](policy-csp-internetexplorer.md)
+- [SearchProviderList](policy-csp-internetexplorer.md)
+- [DoNotAllowUsersToAddSites](policy-csp-internetexplorer.md)
+- [DoNotAllowUsersToChangePolicies](policy-csp-internetexplorer.md)
+- [AllowActiveXFiltering](policy-csp-internetexplorer.md)
+- [AllowEnterpriseModeSiteList](policy-csp-internetexplorer.md)
+- [SendSitesNotInEnterpriseSiteListToEdge](policy-csp-internetexplorer.md)
+- [ConfigureEdgeRedirectChannel](policy-csp-internetexplorer.md)
+- [KeepIntranetSitesInInternetExplorer](policy-csp-internetexplorer.md)
+- [AllowSaveTargetAsInIEMode](policy-csp-internetexplorer.md)
+- [DisableInternetExplorerApp](policy-csp-internetexplorer.md)
+- [EnableExtendedIEModeHotkeys](policy-csp-internetexplorer.md)
+- [ResetZoomForDialogInIEMode](policy-csp-internetexplorer.md)
+- [EnableGlobalWindowListInIEMode](policy-csp-internetexplorer.md)
+- [JScriptReplacement](policy-csp-internetexplorer.md)
+- [AllowInternetExplorerStandardsMode](policy-csp-internetexplorer.md)
+- [AllowInternetExplorer7PolicyList](policy-csp-internetexplorer.md)
+- [DisableEncryptionSupport](policy-csp-internetexplorer.md)
+- [AllowEnhancedProtectedMode](policy-csp-internetexplorer.md)
+- [AllowInternetZoneTemplate](policy-csp-internetexplorer.md)
+- [IncludeAllLocalSites](policy-csp-internetexplorer.md)
+- [IncludeAllNetworkPaths](policy-csp-internetexplorer.md)
+- [AllowIntranetZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownInternetZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownIntranetZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownLocalMachineZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowLockedDownRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowsLockedDownTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowsRestrictedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [AllowSiteToZoneAssignmentList](policy-csp-internetexplorer.md)
+- [AllowTrustedSitesZoneTemplate](policy-csp-internetexplorer.md)
+- [InternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowAccessToDataSources](policy-csp-internetexplorer.md)
+- [InternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowFontDownloads](policy-csp-internetexplorer.md)
+- [InternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowScriptlets](policy-csp-internetexplorer.md)
+- [InternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](policy-csp-internetexplorer.md)
+- [InternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [IntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [IntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneNavigateWindowsAndFrames](policy-csp-internetexplorer.md)
+- [InternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](policy-csp-internetexplorer.md)
+- [InternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowSmartScreenIE](policy-csp-internetexplorer.md)
+- [InternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowUserDataPersistence](policy-csp-internetexplorer.md)
+- [InternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [IntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownIntranetZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneAllowLessPrivilegedSites](policy-csp-internetexplorer.md)
+- [AllowAddOnList](policy-csp-internetexplorer.md)
+- [DoNotBlockOutdatedActiveXControls](policy-csp-internetexplorer.md)
+- [DoNotBlockOutdatedActiveXControlsOnSpecificDomains](policy-csp-internetexplorer.md)
+- [DisableEnclosureDownloading](policy-csp-internetexplorer.md)
+- [DisableBypassOfSmartScreenWarnings](policy-csp-internetexplorer.md)
+- [DisableBypassOfSmartScreenWarningsAboutUncommonFiles](policy-csp-internetexplorer.md)
+- [AllowOneWordEntry](policy-csp-internetexplorer.md)
+- [AllowEnterpriseModeFromToolsMenu](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowActiveScripting](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowBinaryAndScriptBehaviors](policy-csp-internetexplorer.md)
+- [InternetZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowCopyPasteViaScript](policy-csp-internetexplorer.md)
+- [AllowDeletingBrowsingHistoryOnExit](policy-csp-internetexplorer.md)
+- [InternetZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](policy-csp-internetexplorer.md)
+- [AllowFallbackToSSL3](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowFileDownloads](policy-csp-internetexplorer.md)
+- [InternetZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowLoadingOfXAMLFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowMETAREFRESH](policy-csp-internetexplorer.md)
+- [InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](policy-csp-internetexplorer.md)
+- [InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](policy-csp-internetexplorer.md)
+- [InternetZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowScriptInitiatedWindows](policy-csp-internetexplorer.md)
+- [AllowSoftwareWhenSignatureIsInvalid](policy-csp-internetexplorer.md)
+- [InternetZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](policy-csp-internetexplorer.md)
+- [CheckServerCertificateRevocation](policy-csp-internetexplorer.md)
+- [CheckSignaturesOnDownloadedPrograms](policy-csp-internetexplorer.md)
+- [DisableConfiguringHistory](policy-csp-internetexplorer.md)
+- [DoNotAllowActiveXControlsInProtectedMode](policy-csp-internetexplorer.md)
+- [InternetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneDownloadSignedActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneDownloadUnsignedActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](policy-csp-internetexplorer.md)
+- [InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](policy-csp-internetexplorer.md)
+- [InternetZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableMIMESniffing](policy-csp-internetexplorer.md)
+- [InternetZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](policy-csp-internetexplorer.md)
+- [ConsistentMimeHandlingInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [MimeSniffingSafetyFeatureInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [MKProtocolSecurityRestrictionInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [NotificationBarInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [ProtectionFromZoneElevationInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [RestrictActiveXInstallInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [RestrictFileDownloadInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](policy-csp-internetexplorer.md)
+- [InternetZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [IntranetZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownInternetZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownLocalMachineZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownRestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [LockedDownTrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [TrustedSitesZoneJavaPermissions](policy-csp-internetexplorer.md)
+- [InternetZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](policy-csp-internetexplorer.md)
+- [InternetZoneLogonOptions](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneLogonOptions](policy-csp-internetexplorer.md)
+- [DisableDeletingUserVisitedWebsites](policy-csp-internetexplorer.md)
+- [DisableIgnoringCertificateErrors](policy-csp-internetexplorer.md)
+- [PreventPerUserInstallationOfActiveXControls](policy-csp-internetexplorer.md)
+- [RemoveRunThisTimeButtonForOutdatedActiveXControls](policy-csp-internetexplorer.md)
+- [InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneRunActiveXControlsAndPlugins](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneScriptingOfJavaApplets](policy-csp-internetexplorer.md)
+- [SecurityZonesUseOnlyMachineSettings](policy-csp-internetexplorer.md)
+- [InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](policy-csp-internetexplorer.md)
+- [SpecifyUseOfActiveXInstallerService](policy-csp-internetexplorer.md)
+- [DisableCrashDetection](policy-csp-internetexplorer.md)
+- [DisableInPrivateBrowsing](policy-csp-internetexplorer.md)
+- [DisableSecuritySettingsCheck](policy-csp-internetexplorer.md)
+- [DisableProcessesInEnhancedProtectedMode](policy-csp-internetexplorer.md)
+- [AllowCertificateAddressMismatchWarning](policy-csp-internetexplorer.md)
+- [InternetZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneEnableCrossSiteScriptingFilter](policy-csp-internetexplorer.md)
+- [InternetZoneEnableProtectedMode](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneTurnOnProtectedMode](policy-csp-internetexplorer.md)
+- [InternetZoneUsePopupBlocker](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneUsePopupBlocker](policy-csp-internetexplorer.md)
+- [InternetZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
+- [LockedDownIntranetJavaPermissions](policy-csp-internetexplorer.md)
+- [RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](policy-csp-internetexplorer.md)
+- [DisableHTMLApplication](policy-csp-internetexplorer.md)
+
+## Kerberos
+
+- [RequireKerberosArmoring](policy-csp-kerberos.md)
+- [KerberosClientSupportsClaimsCompoundArmor](policy-csp-kerberos.md)
+- [RequireStrictKDCValidation](policy-csp-kerberos.md)
+- [SetMaximumContextTokenSize](policy-csp-kerberos.md)
+- [AllowForestSearchOrder](policy-csp-kerberos.md)
+
+## LocalSecurityAuthority
+
+- [AllowCustomSSPsAPs](policy-csp-lsa.md)
+
+## MixedReality
+
+- [ConfigureNtpClient](policy-csp-mixedreality.md)
+- [NtpClientEnabled](policy-csp-mixedreality.md)
+
+## MSSecurityGuide
+
+- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md)
+- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md)
+- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md)
+- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md)
+- [WDigestAuthentication](policy-csp-mssecurityguide.md)
+- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md)
+
+## MSSLegacy
+
+- [IPv6SourceRoutingProtectionLevel](policy-csp-msslegacy.md)
+- [IPSourceRoutingProtectionLevel](policy-csp-msslegacy.md)
+- [AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](policy-csp-msslegacy.md)
+- [AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](policy-csp-msslegacy.md)
+
+## Power
+
+- [AllowStandbyWhenSleepingPluggedIn](policy-csp-power.md)
+- [RequirePasswordWhenComputerWakesOnBattery](policy-csp-power.md)
+- [RequirePasswordWhenComputerWakesPluggedIn](policy-csp-power.md)
+- [StandbyTimeoutPluggedIn](policy-csp-power.md)
+- [StandbyTimeoutOnBattery](policy-csp-power.md)
+- [HibernateTimeoutPluggedIn](policy-csp-power.md)
+- [HibernateTimeoutOnBattery](policy-csp-power.md)
+- [DisplayOffTimeoutPluggedIn](policy-csp-power.md)
+- [DisplayOffTimeoutOnBattery](policy-csp-power.md)
+- [AllowStandbyStatesWhenSleepingOnBattery](policy-csp-power.md)
+
+## Printers
+
+- [PointAndPrintRestrictions_User](policy-csp-printers.md)
+- [EnableDeviceControlUser](policy-csp-printers.md)
+- [ApprovedUsbPrintDevicesUser](policy-csp-printers.md)
+- [PointAndPrintRestrictions](policy-csp-printers.md)
+- [PublishPrinters](policy-csp-printers.md)
+- [EnableDeviceControl](policy-csp-printers.md)
+- [ApprovedUsbPrintDevices](policy-csp-printers.md)
+- [RestrictDriverInstallationToAdministrators](policy-csp-printers.md)
+- [ConfigureCopyFilesPolicy](policy-csp-printers.md)
+- [ConfigureDriverValidationLevel](policy-csp-printers.md)
+- [ManageDriverExclusionList](policy-csp-printers.md)
+- [ConfigureRpcListenerPolicy](policy-csp-printers.md)
+- [ConfigureRpcConnectionPolicy](policy-csp-printers.md)
+- [ConfigureRpcTcpPort](policy-csp-printers.md)
+- [ConfigureIppPageCountsPolicy](policy-csp-printers.md)
+- [ConfigureRedirectionGuardPolicy](policy-csp-printers.md)
+
+## RemoteAssistance
+
+- [UnsolicitedRemoteAssistance](policy-csp-remoteassistance.md)
+- [SolicitedRemoteAssistance](policy-csp-remoteassistance.md)
+- [CustomizeWarningMessages](policy-csp-remoteassistance.md)
+- [SessionLogging](policy-csp-remoteassistance.md)
+
+## RemoteDesktopServices
+
+- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md)
+- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md)
+- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md)
+- [PromptForPasswordUponConnection](policy-csp-remotedesktopservices.md)
+- [RequireSecureRPCCommunication](policy-csp-remotedesktopservices.md)
+- [ClientConnectionEncryptionLevel](policy-csp-remotedesktopservices.md)
+- [DoNotAllowWebAuthnRedirection](policy-csp-remotedesktopservices.md)
+
+## RemoteManagement
+
+- [AllowBasicAuthentication_Client](policy-csp-remotemanagement.md)
+- [AllowBasicAuthentication_Service](policy-csp-remotemanagement.md)
+- [AllowUnencryptedTraffic_Client](policy-csp-remotemanagement.md)
+- [AllowUnencryptedTraffic_Service](policy-csp-remotemanagement.md)
+- [DisallowDigestAuthentication](policy-csp-remotemanagement.md)
+- [DisallowStoringOfRunAsCredentials](policy-csp-remotemanagement.md)
+- [AllowCredSSPAuthenticationClient](policy-csp-remotemanagement.md)
+- [AllowCredSSPAuthenticationService](policy-csp-remotemanagement.md)
+- [DisallowNegotiateAuthenticationClient](policy-csp-remotemanagement.md)
+- [DisallowNegotiateAuthenticationService](policy-csp-remotemanagement.md)
+- [TrustedHosts](policy-csp-remotemanagement.md)
+- [AllowRemoteServerManagement](policy-csp-remotemanagement.md)
+- [SpecifyChannelBindingTokenHardeningLevel](policy-csp-remotemanagement.md)
+- [TurnOnCompatibilityHTTPListener](policy-csp-remotemanagement.md)
+- [TurnOnCompatibilityHTTPSListener](policy-csp-remotemanagement.md)
+
+## RemoteProcedureCall
+
+- [RPCEndpointMapperClientAuthentication](policy-csp-remoteprocedurecall.md)
+- [RestrictUnauthenticatedRPCClients](policy-csp-remoteprocedurecall.md)
+
+## RemoteShell
+
+- [AllowRemoteShellAccess](policy-csp-remoteshell.md)
+- [SpecifyIdleTimeout](policy-csp-remoteshell.md)
+- [MaxConcurrentUsers](policy-csp-remoteshell.md)
+- [SpecifyMaxMemory](policy-csp-remoteshell.md)
+- [SpecifyMaxProcesses](policy-csp-remoteshell.md)
+- [SpecifyMaxRemoteShells](policy-csp-remoteshell.md)
+- [SpecifyShellTimeout](policy-csp-remoteshell.md)
+
+## ServiceControlManager
+
+- [SvchostProcessMitigation](policy-csp-servicecontrolmanager.md)
+
+## SettingsSync
+
+- [DisableAccessibilitySettingSync](policy-csp-settingssync.md)
+
+## Storage
+
+- [WPDDevicesDenyReadAccessPerUser](policy-csp-storage.md)
+- [WPDDevicesDenyWriteAccessPerUser](policy-csp-storage.md)
+- [EnhancedStorageDevices](policy-csp-storage.md)
+- [WPDDevicesDenyReadAccessPerDevice](policy-csp-storage.md)
+- [WPDDevicesDenyWriteAccessPerDevice](policy-csp-storage.md)
+
+## System
+
+- [BootStartDriverInitialization](policy-csp-system.md)
+- [DisableSystemRestore](policy-csp-system.md)
+
+## TenantRestrictions
+
+- [ConfigureTenantRestrictions](policy-csp-tenantrestrictions.md)
+
+## WindowsConnectionManager
+
+- [ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](policy-csp-windowsconnectionmanager.md)
+
+## WindowsLogon
+
+- [DontDisplayNetworkSelectionUI](policy-csp-windowslogon.md)
+- [DisableLockScreenAppNotifications](policy-csp-windowslogon.md)
+- [EnumerateLocalUsersOnDomainJoinedComputers](policy-csp-windowslogon.md)
+- [AllowAutomaticRestartSignOn](policy-csp-windowslogon.md)
+- [ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md)
+- [EnableMPRNotifications](policy-csp-windowslogon.md)
+
+## WindowsPowerShell
+
+- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
+- [TurnOnPowerShellScriptBlockLogging](policy-csp-windowspowershell.md)
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 7dbc408509..df5363e3dd 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -1,903 +1,937 @@
 ---
 title: Policies in Policy CSP supported by Group Policy
 description: Learn about the policies in Policy CSP supported by Group Policy.
-ms.reviewer:
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: vinaypamnani-msft
+ms.date: 11/29/2022
 ms.localizationpriority: medium
-ms.date: 07/18/2019
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
-# Policies in Policy CSP supported by Group Policy
+<!-- Auto-Generated CSP Document -->
 
-- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock)
-- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
-- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
-- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
-- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
-- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup)
-- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts)
-- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux)
-- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver)
-- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions)
-- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions)
-- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload)
-- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode)
-- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal)
-- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser)
-- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1)
-- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2)
-- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3)
-- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4)
-- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5)
-- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl)
-- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch)
-- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider)
-- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot)
-- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot)
-- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval)
-- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries)
-- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode)
-- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache)
-- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist)
-- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist)
-- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration)
-- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers)
-- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock)
-- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr)
-- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata)
-- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps)
-- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall)
-- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges)
-- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly)
-- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume)
-- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume)
-- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation)
-- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism)
-- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms)
-- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice)
-- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
-- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
-- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
-- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime)
-- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime)
-- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate)
-- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority)
-- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority)
-- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout)
-- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
-- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
-- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)
-- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools)
-- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack)
-- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions)
-- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash)
-- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun)
-- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode)
-- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate)
-- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist)
-- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager)
-- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups)
-- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch)
-- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting)
-- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory)
-- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization)
-- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions)
-- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen)
-- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading)
-- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage)
-- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary)
-- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit)
-- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines)
-- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar)
-- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton)
-- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode)
-- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout)
-- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith)
-- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics)
-- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
-- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
-- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
-- [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
-- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
-- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
-- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides)
-- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage)
-- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection)
-- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride)
-- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles)
-- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc)
-- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites)
-- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer)
-- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine)
-- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl)
-- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl)
-- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer)
-- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge)
-- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton)
-- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks)
-- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera)
-- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata)
-- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps)
-- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps)
-- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps)
-- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
-- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp)
-- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
-- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
-- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
-- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
-- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge)
-- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon)
-- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword)
-- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials)
-- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal)
-- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators)
-- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
-- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g)
-- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning)
-- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring)
-- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection)
-- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning)
-- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
-- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
-- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection)
-- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring)
-- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles)
-- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess)
-- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
-- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
-- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
-- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
-- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
-- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
-- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
-- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
-- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
-- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
-- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
-- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
-- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
-- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
-- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
-- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
-- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses)
-- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection)
-- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter)
-- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
-- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
-- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
-- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
-- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
-- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
-- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
-- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
-- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
-- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
-- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
-- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses)
-- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
-- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
-- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps)
-- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi)
-- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps)
-- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps)
-- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps)
-- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy)
-- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters)
-- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
-- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting)
-- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification)
-- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata)
-- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay)
-- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior)
-- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog)
-- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog)
-- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog)
-- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory)
-- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana)
-- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice)
-- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata)
-- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight)
-- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures)
-- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight)
-- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter)
-- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings)
-- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience)
-- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
-- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
-- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
-- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
-- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
-- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
-- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
-- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
-- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
-- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked)
-- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider)
-- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering)
-- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist)
-- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete)
-- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning)
-- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit)
-- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode)
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu)
-- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist)
-- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3)
-- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist)
-- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode)
-- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate)
-- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate)
-- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate)
-- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate)
-- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate)
-- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate)
-- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry)
-- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist)
-- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid)
-- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites)
-- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate)
-- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate)
-- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate)
-- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation)
-- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms)
-- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash)
-- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings)
-- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles)
-- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory)
-- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection)
-- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation)
-- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites)
-- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading)
-- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport)
-- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard)
-- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature)
-- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange)
-- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors)
-- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing)
-- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode)
-- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange)
-- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange)
-- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange)
-- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck)
-- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck)
-- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode)
-- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites)
-- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols)
-- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains)
-- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites)
-- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths)
-- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript)
-- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads)
-- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites)
-- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles)
-- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows)
-- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets)
-- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie)
-- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript)
-- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence)
-- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols)
-- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols)
-- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing)
-- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode)
-- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions)
-- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions)
-- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes)
-- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker)
-- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads)
-- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites)
-- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets)
-- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie)
-- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence)
-- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions)
-- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes)
-- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads)
-- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets)
-- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie)
-- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions)
-- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets)
-- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions)
-- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions)
-- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads)
-- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets)
-- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie)
-- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie)
-- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions)
-- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions)
-- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses)
-- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses)
-- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
-- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses)
-- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter)
-- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols)
-- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses)
-- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols)
-- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses)
-- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses)
-- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors)
-- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles)
-- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads)
-- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles)
-- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh)
-- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols)
-- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets)
-- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie)
-- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript)
-- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer)
-- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows)
-- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows)
-- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing)
-- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver)
-- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions)
-- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe)
-- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions)
-- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes)
-- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins)
-- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode)
-- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting)
-- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets)
-- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles)
-- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode)
-- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker)
-- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses)
-- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist)
-- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings)
-- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice)
-- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads)
-- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads)
-- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites)
-- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents)
-- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets)
-- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie)
-- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence)
-- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols)
-- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions)
-- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes)
-- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder)
-- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor)
-- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring)
-- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation)
-- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize)
-- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons)
-- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation)
-- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation)
-- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts)
-- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly)
-- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount)
-- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount)
-- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon)
-- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
-- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
-- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon)
-- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
-- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
-- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
-- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares)
-- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares)
-- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic)
-- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers)
-- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon)
-- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile)
-- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators)
-- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers)
-- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated)
-- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations)
-- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode)
-- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation)
-- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode)
-- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations)
-- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe)
-- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes)
-- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers)
-- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel)
-- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel)
-- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon)
-- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver)
-- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server)
-- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection)
-- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications)
-- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication)
-- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate)
-- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync)
-- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources)
-- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange)
-- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative)
-- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers)
-- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers)
-- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative)
-- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources)
-- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification)
-- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring)
-- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification)
-- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery)
-- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
-- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
-- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
-- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
-- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
-- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery)
-- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin)
-- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery)
-- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
-- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery)
-- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
-- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery)
-- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin)
-- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
-- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
-- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
-- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
-- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
-- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
-- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
-- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
-- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience)
-- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
-- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
-- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
-- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps)
-- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar)
-- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps)
-- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps)
-- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory)
-- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps)
-- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps)
-- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps)
-- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera)
-- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps)
-- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps)
-- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps)
-- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts)
-- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps)
-- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps)
-- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps)
-- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail)
-- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps)
-- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps)
-- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps)
-- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation)
-- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps)
-- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps)
-- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging)
-- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps)
-- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps)
-- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone)
-- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps)
-- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps)
-- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps)
-- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion)
-- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps)
-- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps)
-- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps)
-- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications)
-- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps)
-- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps)
-- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps)
-- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone)
-- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps)
-- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps)
-- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps)
-- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios)
-- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps)
-- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps)
-- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps)
-- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks)
-- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps)
-- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps)
-- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps)
-- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices)
-- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps)
-- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps)
-- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
-- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps)
-- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground)
-- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps)
-- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps)
-- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps)
-- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices)
-- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps)
-- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps)
-- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps)
-- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities)
-- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities)
-- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages)
-- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging)
-- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance)
-- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance)
-- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely)
-- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel)
-- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection)
-- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving)
-- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection)
-- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication)
-- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client)
-- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service)
-- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient)
-- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice)
-- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement)
-- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client)
-- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service)
-- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication)
-- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient)
-- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice)
-- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials)
-- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel)
-- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts)
-- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener)
-- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener)
-- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication)
-- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients)
-- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess)
-- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers)
-- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout)
-- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory)
-- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses)
-- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
-- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
-- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
-- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
-- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
-- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
-- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics)
-- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection)
-- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff)
-- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing)
-- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults)
-- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb)
-- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries)
-- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready)
-- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
-- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips)
-- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar)
-- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist)
-- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol)
-- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
-- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
-- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus)
-- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
-- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
-- [Start/StartLayout](./policy-csp-start.md#start-startlayout)
-- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
-- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
-- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
-- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline)
-- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata)
-- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
-- [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
-- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
-- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
-- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint)
-- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification)
-- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux)
-- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete)
-- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer)
-- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
-- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
-- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
-- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics)
-- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy)
-- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory)
-- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode)
-- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode)
-- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode)
-- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode)
-- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode)
-- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode)
-- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall)
-- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection)
-- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
-- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
-- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
-- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
-- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate)
-- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork)
-- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
-- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
-- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
-- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
-- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
-- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
-- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup)
-- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
-- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot)
-- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
-- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
-- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
-- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod)
-- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
-- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
-- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
-- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
-- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
-- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
-- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
-- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
-- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
-- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
-- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
-- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals)
-- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates)
-- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime)
-- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates)
-- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime)
-- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade)
-- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning)
-- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning)
-- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday)
-- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek)
-- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek)
-- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek)
-- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek)
-- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
-- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
-- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
-- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
-- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
-- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
-- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
-- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
-- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
-- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
-- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork)
-- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem)
-- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon)
-- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories)
-- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime)
-- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects)
-- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile)
-- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects)
-- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks)
-- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken)
-- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms)
-- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork)
-- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon)
-- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon)
-- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation)
-- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits)
-- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient)
-- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority)
-- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers)
-- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory)
-- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog)
-- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume)
-- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment)
-- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel)
-- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess)
-- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown)
-- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories)
-- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership)
-- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots)
-- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing)
-- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
-- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname)
-- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui)
-- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui)
-- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton)
-- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui)
-- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications)
-- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui)
-- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui)
-- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui)
-- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications)
-- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning)
-- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui)
-- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride)
-- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email)
-- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts)
-- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization)
-- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery)
-- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot)
-- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting)
-- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol)
-- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone)
-- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
-- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
-- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
-- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
-- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
-- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
-- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
-- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)
-- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
-- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
-- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
-- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
-- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
+# Policies in Policy CSP supported by group policy
 
-## Related topics
+This article lists the policies in Policy CSP that have a group policy mapping.
 
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
+## AboveLock
+
+- [AllowCortanaAboveLock](policy-csp-abovelock.md)
+
+## Accounts
+
+- [RestrictToEnterpriseDeviceAuthenticationOnly](policy-csp-accounts.md)
+
+## ApplicationDefaults
+
+- [DefaultAssociationsConfiguration](policy-csp-applicationdefaults.md)
+- [EnableAppUriHandlers](policy-csp-applicationdefaults.md)
+
+## ApplicationManagement
+
+- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md)
+- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md)
+- [AllowAllTrustedApps](policy-csp-applicationmanagement.md)
+- [AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md)
+- [AllowAutomaticAppArchiving](policy-csp-applicationmanagement.md)
+- [AllowDeveloperUnlock](policy-csp-applicationmanagement.md)
+- [AllowGameDVR](policy-csp-applicationmanagement.md)
+- [AllowSharedUserAppData](policy-csp-applicationmanagement.md)
+- [RequirePrivateStoreOnly](policy-csp-applicationmanagement.md)
+- [MSIAlwaysInstallWithElevatedPrivileges](policy-csp-applicationmanagement.md)
+- [MSIAllowUserControlOverInstall](policy-csp-applicationmanagement.md)
+- [RestrictAppDataToSystemVolume](policy-csp-applicationmanagement.md)
+- [RestrictAppToSystemVolume](policy-csp-applicationmanagement.md)
+- [DisableStoreOriginatedApps](policy-csp-applicationmanagement.md)
+- [BlockNonAdminUserInstall](policy-csp-applicationmanagement.md)
+
+## Audit
+
+- [AccountLogon_AuditCredentialValidation](policy-csp-audit.md)
+- [AccountLogon_AuditKerberosAuthenticationService](policy-csp-audit.md)
+- [AccountLogon_AuditKerberosServiceTicketOperations](policy-csp-audit.md)
+- [AccountLogon_AuditOtherAccountLogonEvents](policy-csp-audit.md)
+- [AccountManagement_AuditApplicationGroupManagement](policy-csp-audit.md)
+- [AccountManagement_AuditComputerAccountManagement](policy-csp-audit.md)
+- [AccountManagement_AuditDistributionGroupManagement](policy-csp-audit.md)
+- [AccountManagement_AuditOtherAccountManagementEvents](policy-csp-audit.md)
+- [AccountManagement_AuditSecurityGroupManagement](policy-csp-audit.md)
+- [AccountManagement_AuditUserAccountManagement](policy-csp-audit.md)
+- [DetailedTracking_AuditDPAPIActivity](policy-csp-audit.md)
+- [DetailedTracking_AuditPNPActivity](policy-csp-audit.md)
+- [DetailedTracking_AuditProcessCreation](policy-csp-audit.md)
+- [DetailedTracking_AuditProcessTermination](policy-csp-audit.md)
+- [DetailedTracking_AuditRPCEvents](policy-csp-audit.md)
+- [DetailedTracking_AuditTokenRightAdjusted](policy-csp-audit.md)
+- [DSAccess_AuditDetailedDirectoryServiceReplication](policy-csp-audit.md)
+- [DSAccess_AuditDirectoryServiceAccess](policy-csp-audit.md)
+- [DSAccess_AuditDirectoryServiceChanges](policy-csp-audit.md)
+- [DSAccess_AuditDirectoryServiceReplication](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditAccountLockout](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditUserDeviceClaims](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditGroupMembership](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditIPsecExtendedMode](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditIPsecMainMode](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditIPsecQuickMode](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditLogoff](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditLogon](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditNetworkPolicyServer](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditOtherLogonLogoffEvents](policy-csp-audit.md)
+- [AccountLogonLogoff_AuditSpecialLogon](policy-csp-audit.md)
+- [ObjectAccess_AuditApplicationGenerated](policy-csp-audit.md)
+- [ObjectAccess_AuditCertificationServices](policy-csp-audit.md)
+- [ObjectAccess_AuditDetailedFileShare](policy-csp-audit.md)
+- [ObjectAccess_AuditFileShare](policy-csp-audit.md)
+- [ObjectAccess_AuditFileSystem](policy-csp-audit.md)
+- [ObjectAccess_AuditFilteringPlatformConnection](policy-csp-audit.md)
+- [ObjectAccess_AuditFilteringPlatformPacketDrop](policy-csp-audit.md)
+- [ObjectAccess_AuditHandleManipulation](policy-csp-audit.md)
+- [ObjectAccess_AuditKernelObject](policy-csp-audit.md)
+- [ObjectAccess_AuditOtherObjectAccessEvents](policy-csp-audit.md)
+- [ObjectAccess_AuditRegistry](policy-csp-audit.md)
+- [ObjectAccess_AuditRemovableStorage](policy-csp-audit.md)
+- [ObjectAccess_AuditSAM](policy-csp-audit.md)
+- [ObjectAccess_AuditCentralAccessPolicyStaging](policy-csp-audit.md)
+- [PolicyChange_AuditPolicyChange](policy-csp-audit.md)
+- [PolicyChange_AuditAuthenticationPolicyChange](policy-csp-audit.md)
+- [PolicyChange_AuditAuthorizationPolicyChange](policy-csp-audit.md)
+- [PolicyChange_AuditFilteringPlatformPolicyChange](policy-csp-audit.md)
+- [PolicyChange_AuditMPSSVCRuleLevelPolicyChange](policy-csp-audit.md)
+- [PolicyChange_AuditOtherPolicyChangeEvents](policy-csp-audit.md)
+- [PrivilegeUse_AuditNonSensitivePrivilegeUse](policy-csp-audit.md)
+- [PrivilegeUse_AuditOtherPrivilegeUseEvents](policy-csp-audit.md)
+- [PrivilegeUse_AuditSensitivePrivilegeUse](policy-csp-audit.md)
+- [System_AuditIPsecDriver](policy-csp-audit.md)
+- [System_AuditOtherSystemEvents](policy-csp-audit.md)
+- [System_AuditSecurityStateChange](policy-csp-audit.md)
+- [System_AuditSecuritySystemExtension](policy-csp-audit.md)
+- [System_AuditSystemIntegrity](policy-csp-audit.md)
+
+## Authentication
+
+- [AllowSecondaryAuthenticationDevice](policy-csp-authentication.md)
+
+## BITS
+
+- [JobInactivityTimeout](policy-csp-bits.md)
+- [BandwidthThrottlingStartTime](policy-csp-bits.md)
+- [BandwidthThrottlingEndTime](policy-csp-bits.md)
+- [BandwidthThrottlingTransferRate](policy-csp-bits.md)
+- [CostedNetworkBehaviorForegroundPriority](policy-csp-bits.md)
+- [CostedNetworkBehaviorBackgroundPriority](policy-csp-bits.md)
+
+## Browser
+
+- [AllowAddressBarDropdown](policy-csp-browser.md)
+- [AllowAutofill](policy-csp-browser.md)
+- [AllowCookies](policy-csp-browser.md)
+- [AllowDeveloperTools](policy-csp-browser.md)
+- [AllowDoNotTrack](policy-csp-browser.md)
+- [AllowExtensions](policy-csp-browser.md)
+- [AllowFlash](policy-csp-browser.md)
+- [AllowFlashClickToRun](policy-csp-browser.md)
+- [AllowFullScreenMode](policy-csp-browser.md)
+- [AllowInPrivate](policy-csp-browser.md)
+- [AllowMicrosoftCompatibilityList](policy-csp-browser.md)
+- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md)
+- [AllowPasswordManager](policy-csp-browser.md)
+- [AllowPopups](policy-csp-browser.md)
+- [AllowPrinting](policy-csp-browser.md)
+- [AllowSavingHistory](policy-csp-browser.md)
+- [AllowSearchEngineCustomization](policy-csp-browser.md)
+- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md)
+- [AllowSideloadingOfExtensions](policy-csp-browser.md)
+- [AllowSmartScreen](policy-csp-browser.md)
+- [AllowWebContentOnNewTabPage](policy-csp-browser.md)
+- [AlwaysEnableBooksLibrary](policy-csp-browser.md)
+- [ClearBrowsingDataOnExit](policy-csp-browser.md)
+- [ConfigureAdditionalSearchEngines](policy-csp-browser.md)
+- [ConfigureFavoritesBar](policy-csp-browser.md)
+- [ConfigureHomeButton](policy-csp-browser.md)
+- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md)
+- [DisableLockdownOfStartPages](policy-csp-browser.md)
+- [EnableExtendedBooksTelemetry](policy-csp-browser.md)
+- [AllowTabPreloading](policy-csp-browser.md)
+- [AllowPrelaunch](policy-csp-browser.md)
+- [EnterpriseModeSiteList](policy-csp-browser.md)
+- [PreventTurningOffRequiredExtensions](policy-csp-browser.md)
+- [HomePages](policy-csp-browser.md)
+- [LockdownFavorites](policy-csp-browser.md)
+- [ConfigureKioskMode](policy-csp-browser.md)
+- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md)
+- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md)
+- [PreventFirstRunPage](policy-csp-browser.md)
+- [PreventCertErrorOverrides](policy-csp-browser.md)
+- [PreventSmartScreenPromptOverride](policy-csp-browser.md)
+- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md)
+- [PreventLiveTileDataCollection](policy-csp-browser.md)
+- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md)
+- [ProvisionFavorites](policy-csp-browser.md)
+- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md)
+- [SetDefaultSearchEngine](policy-csp-browser.md)
+- [SetHomeButtonURL](policy-csp-browser.md)
+- [SetNewTabPageURL](policy-csp-browser.md)
+- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md)
+- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md)
+- [UnlockHomeButton](policy-csp-browser.md)
+- [UseSharedFolderForBooks](policy-csp-browser.md)
+- [AllowAddressBarDropdown](policy-csp-browser.md)
+- [AllowAutofill](policy-csp-browser.md)
+- [AllowCookies](policy-csp-browser.md)
+- [AllowDeveloperTools](policy-csp-browser.md)
+- [AllowDoNotTrack](policy-csp-browser.md)
+- [AllowExtensions](policy-csp-browser.md)
+- [AllowFlash](policy-csp-browser.md)
+- [AllowFlashClickToRun](policy-csp-browser.md)
+- [AllowFullScreenMode](policy-csp-browser.md)
+- [AllowInPrivate](policy-csp-browser.md)
+- [AllowMicrosoftCompatibilityList](policy-csp-browser.md)
+- [ConfigureTelemetryForMicrosoft365Analytics](policy-csp-browser.md)
+- [AllowPasswordManager](policy-csp-browser.md)
+- [AllowPopups](policy-csp-browser.md)
+- [AllowPrinting](policy-csp-browser.md)
+- [AllowSavingHistory](policy-csp-browser.md)
+- [AllowSearchEngineCustomization](policy-csp-browser.md)
+- [AllowSearchSuggestionsinAddressBar](policy-csp-browser.md)
+- [AllowSideloadingOfExtensions](policy-csp-browser.md)
+- [AllowSmartScreen](policy-csp-browser.md)
+- [AllowWebContentOnNewTabPage](policy-csp-browser.md)
+- [AlwaysEnableBooksLibrary](policy-csp-browser.md)
+- [ClearBrowsingDataOnExit](policy-csp-browser.md)
+- [ConfigureAdditionalSearchEngines](policy-csp-browser.md)
+- [ConfigureFavoritesBar](policy-csp-browser.md)
+- [ConfigureHomeButton](policy-csp-browser.md)
+- [ConfigureOpenMicrosoftEdgeWith](policy-csp-browser.md)
+- [DisableLockdownOfStartPages](policy-csp-browser.md)
+- [EnableExtendedBooksTelemetry](policy-csp-browser.md)
+- [AllowTabPreloading](policy-csp-browser.md)
+- [AllowPrelaunch](policy-csp-browser.md)
+- [EnterpriseModeSiteList](policy-csp-browser.md)
+- [PreventTurningOffRequiredExtensions](policy-csp-browser.md)
+- [HomePages](policy-csp-browser.md)
+- [LockdownFavorites](policy-csp-browser.md)
+- [ConfigureKioskMode](policy-csp-browser.md)
+- [ConfigureKioskResetAfterIdleTimeout](policy-csp-browser.md)
+- [PreventAccessToAboutFlagsInMicrosoftEdge](policy-csp-browser.md)
+- [PreventFirstRunPage](policy-csp-browser.md)
+- [PreventCertErrorOverrides](policy-csp-browser.md)
+- [PreventSmartScreenPromptOverride](policy-csp-browser.md)
+- [PreventSmartScreenPromptOverrideForFiles](policy-csp-browser.md)
+- [PreventLiveTileDataCollection](policy-csp-browser.md)
+- [PreventUsingLocalHostIPAddressForWebRTC](policy-csp-browser.md)
+- [ProvisionFavorites](policy-csp-browser.md)
+- [SendIntranetTraffictoInternetExplorer](policy-csp-browser.md)
+- [SetDefaultSearchEngine](policy-csp-browser.md)
+- [SetHomeButtonURL](policy-csp-browser.md)
+- [SetNewTabPageURL](policy-csp-browser.md)
+- [ShowMessageWhenOpeningSitesInInternetExplorer](policy-csp-browser.md)
+- [SyncFavoritesBetweenIEAndMicrosoftEdge](policy-csp-browser.md)
+- [UnlockHomeButton](policy-csp-browser.md)
+- [UseSharedFolderForBooks](policy-csp-browser.md)
+
+## Camera
+
+- [AllowCamera](policy-csp-camera.md)
+
+## Cellular
+
+- [LetAppsAccessCellularData](policy-csp-cellular.md)
+- [LetAppsAccessCellularData_ForceAllowTheseApps](policy-csp-cellular.md)
+- [LetAppsAccessCellularData_ForceDenyTheseApps](policy-csp-cellular.md)
+- [LetAppsAccessCellularData_UserInControlOfTheseApps](policy-csp-cellular.md)
+
+## Connectivity
+
+- [AllowCellularDataRoaming](policy-csp-connectivity.md)
+- [AllowPhonePCLinking](policy-csp-connectivity.md)
+- [DisallowNetworkConnectivityActiveTests](policy-csp-connectivity.md)
+
+## Cryptography
+
+- [AllowFipsAlgorithmPolicy](policy-csp-cryptography.md)
+
+## Defender
+
+- [AllowArchiveScanning](policy-csp-defender.md)
+- [AllowBehaviorMonitoring](policy-csp-defender.md)
+- [AllowCloudProtection](policy-csp-defender.md)
+- [AllowEmailScanning](policy-csp-defender.md)
+- [AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md)
+- [AllowFullScanRemovableDriveScanning](policy-csp-defender.md)
+- [AllowIOAVProtection](policy-csp-defender.md)
+- [AllowOnAccessProtection](policy-csp-defender.md)
+- [AllowRealtimeMonitoring](policy-csp-defender.md)
+- [AllowScanningNetworkFiles](policy-csp-defender.md)
+- [AllowUserUIAccess](policy-csp-defender.md)
+- [AttackSurfaceReductionOnlyExclusions](policy-csp-defender.md)
+- [AttackSurfaceReductionRules](policy-csp-defender.md)
+- [AvgCPULoadFactor](policy-csp-defender.md)
+- [CloudBlockLevel](policy-csp-defender.md)
+- [CloudExtendedTimeout](policy-csp-defender.md)
+- [ControlledFolderAccessAllowedApplications](policy-csp-defender.md)
+- [CheckForSignaturesBeforeRunningScan](policy-csp-defender.md)
+- [SecurityIntelligenceLocation](policy-csp-defender.md)
+- [ControlledFolderAccessProtectedFolders](policy-csp-defender.md)
+- [DaysToRetainCleanedMalware](policy-csp-defender.md)
+- [DisableCatchupFullScan](policy-csp-defender.md)
+- [DisableCatchupQuickScan](policy-csp-defender.md)
+- [EnableControlledFolderAccess](policy-csp-defender.md)
+- [EnableLowCPUPriority](policy-csp-defender.md)
+- [EnableNetworkProtection](policy-csp-defender.md)
+- [ExcludedPaths](policy-csp-defender.md)
+- [ExcludedExtensions](policy-csp-defender.md)
+- [ExcludedProcesses](policy-csp-defender.md)
+- [PUAProtection](policy-csp-defender.md)
+- [RealTimeScanDirection](policy-csp-defender.md)
+- [ScanParameter](policy-csp-defender.md)
+- [ScheduleQuickScanTime](policy-csp-defender.md)
+- [ScheduleScanDay](policy-csp-defender.md)
+- [ScheduleScanTime](policy-csp-defender.md)
+- [SignatureUpdateFallbackOrder](policy-csp-defender.md)
+- [SignatureUpdateFileSharesSources](policy-csp-defender.md)
+- [SignatureUpdateInterval](policy-csp-defender.md)
+- [SubmitSamplesConsent](policy-csp-defender.md)
+- [ThreatSeverityDefaultAction](policy-csp-defender.md)
+
+## DeliveryOptimization
+
+- [DODownloadMode](policy-csp-deliveryoptimization.md)
+- [DOGroupId](policy-csp-deliveryoptimization.md)
+- [DOMaxCacheSize](policy-csp-deliveryoptimization.md)
+- [DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md)
+- [DOMaxCacheAge](policy-csp-deliveryoptimization.md)
+- [DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md)
+- [DOMinBackgroundQos](policy-csp-deliveryoptimization.md)
+- [DOModifyCacheDrive](policy-csp-deliveryoptimization.md)
+- [DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md)
+- [DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md)
+- [DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md)
+- [DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md)
+- [DOMinFileSizeToCache](policy-csp-deliveryoptimization.md)
+- [DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md)
+- [DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md)
+- [DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md)
+- [DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md)
+- [DOCacheHost](policy-csp-deliveryoptimization.md)
+- [DOCacheHostSource](policy-csp-deliveryoptimization.md)
+- [DOGroupIdSource](policy-csp-deliveryoptimization.md)
+- [DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md)
+- [DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md)
+- [DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md)
+- [DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md)
+- [DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md)
+
+## DeviceGuard
+
+- [EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md)
+- [RequirePlatformSecurityFeatures](policy-csp-deviceguard.md)
+- [LsaCfgFlags](policy-csp-deviceguard.md)
+- [ConfigureSystemGuardLaunch](policy-csp-deviceguard.md)
+
+## DeviceLock
+
+- [MinimumPasswordAge](policy-csp-devicelock.md)
+- [MaximumPasswordAge](policy-csp-devicelock.md)
+- [ClearTextPassword](policy-csp-devicelock.md)
+- [PasswordComplexity](policy-csp-devicelock.md)
+- [PasswordHistorySize](policy-csp-devicelock.md)
+
+## Display
+
+- [EnablePerProcessDpi](policy-csp-display.md)
+- [TurnOnGdiDPIScalingForApps](policy-csp-display.md)
+- [TurnOffGdiDPIScalingForApps](policy-csp-display.md)
+- [EnablePerProcessDpi](policy-csp-display.md)
+- [EnablePerProcessDpiForApps](policy-csp-display.md)
+- [DisablePerProcessDpiForApps](policy-csp-display.md)
+
+## DmaGuard
+
+- [DeviceEnumerationPolicy](policy-csp-dmaguard.md)
+
+## Education
+
+- [AllowGraphingCalculator](policy-csp-education.md)
+- [PreventAddingNewPrinters](policy-csp-education.md)
+
+## Experience
+
+- [AllowSpotlightCollection](policy-csp-experience.md)
+- [AllowThirdPartySuggestionsInWindowsSpotlight](policy-csp-experience.md)
+- [AllowWindowsSpotlight](policy-csp-experience.md)
+- [AllowWindowsSpotlightOnActionCenter](policy-csp-experience.md)
+- [AllowWindowsSpotlightOnSettings](policy-csp-experience.md)
+- [AllowWindowsSpotlightWindowsWelcomeExperience](policy-csp-experience.md)
+- [AllowTailoredExperiencesWithDiagnosticData](policy-csp-experience.md)
+- [ConfigureWindowsSpotlightOnLockScreen](policy-csp-experience.md)
+- [AllowCortana](policy-csp-experience.md)
+- [AllowWindowsConsumerFeatures](policy-csp-experience.md)
+- [AllowWindowsTips](policy-csp-experience.md)
+- [DoNotShowFeedbackNotifications](policy-csp-experience.md)
+- [AllowFindMyDevice](policy-csp-experience.md)
+- [AllowClipboardHistory](policy-csp-experience.md)
+- [DoNotSyncBrowserSettings](policy-csp-experience.md)
+- [PreventUsersFromTurningOnBrowserSyncing](policy-csp-experience.md)
+- [ShowLockOnUserTile](policy-csp-experience.md)
+- [DisableCloudOptimizedContent](policy-csp-experience.md)
+- [DisableConsumerAccountStateContent](policy-csp-experience.md)
+- [ConfigureChatIcon](policy-csp-experience.md)
+
+## ExploitGuard
+
+- [ExploitProtectionSettings](policy-csp-exploitguard.md)
+
+## FileExplorer
+
+- [DisableGraphRecentItems](policy-csp-fileexplorer.md)
+
+## Handwriting
+
+- [PanelDefaultModeDocked](policy-csp-handwriting.md)
+
+## HumanPresence
+
+- [ForceInstantWake](policy-csp-humanpresence.md)
+- [ForceInstantLock](policy-csp-humanpresence.md)
+- [ForceLockTimeout](policy-csp-humanpresence.md)
+- [ForceInstantDim](policy-csp-humanpresence.md)
+
+## Kerberos
+
+- [PKInitHashAlgorithmConfiguration](policy-csp-kerberos.md)
+- [PKInitHashAlgorithmSHA1](policy-csp-kerberos.md)
+- [PKInitHashAlgorithmSHA256](policy-csp-kerberos.md)
+- [PKInitHashAlgorithmSHA384](policy-csp-kerberos.md)
+- [PKInitHashAlgorithmSHA512](policy-csp-kerberos.md)
+- [CloudKerberosTicketRetrievalEnabled](policy-csp-kerberos.md)
+
+## LanmanWorkstation
+
+- [EnableInsecureGuestLogons](policy-csp-lanmanworkstation.md)
+
+## Licensing
+
+- [AllowWindowsEntitlementReactivation](policy-csp-licensing.md)
+- [DisallowKMSClientOnlineAVSValidation](policy-csp-licensing.md)
+
+## LocalPoliciesSecurityOptions
+
+- [Accounts_EnableAdministratorAccountStatus](policy-csp-localpoliciessecurityoptions.md)
+- [Accounts_BlockMicrosoftAccounts](policy-csp-localpoliciessecurityoptions.md)
+- [Accounts_EnableGuestAccountStatus](policy-csp-localpoliciessecurityoptions.md)
+- [Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](policy-csp-localpoliciessecurityoptions.md)
+- [Accounts_RenameAdministratorAccount](policy-csp-localpoliciessecurityoptions.md)
+- [Accounts_RenameGuestAccount](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_AllowUndockWithoutHavingToLogon](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_AllowedToFormatAndEjectRemovableMedia](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](policy-csp-localpoliciessecurityoptions.md)
+- [Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_DoNotRequireCTRLALTDEL](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_DoNotDisplayLastSignedIn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_DoNotDisplayUsernameAtSignIn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MachineInactivityLimit](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MessageTextForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](policy-csp-localpoliciessecurityoptions.md)
+- [InteractiveLogon_SmartCardRemovalBehavior](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkClient_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkServer_DigitallySignCommunicationsAlways](policy-csp-localpoliciessecurityoptions.md)
+- [MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_AllowAnonymousSIDOrNameTranslation](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_AllowPKU2UAuthenticationRequests](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_ForceLogoffWhenLogonHoursExpire](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_LANManagerAuthenticationLevel](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](policy-csp-localpoliciessecurityoptions.md)
+- [NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](policy-csp-localpoliciessecurityoptions.md)
+- [Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](policy-csp-localpoliciessecurityoptions.md)
+- [Shutdown_ClearVirtualMemoryPageFile](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_UseAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_RunAllAdministratorsInAdminApprovalMode](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](policy-csp-localpoliciessecurityoptions.md)
+- [UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](policy-csp-localpoliciessecurityoptions.md)
+
+## LocalSecurityAuthority
+
+- [ConfigureLsaProtectedProcess](policy-csp-lsa.md)
+
+## LockDown
+
+- [AllowEdgeSwipe](policy-csp-lockdown.md)
+
+## Maps
+
+- [EnableOfflineMapsAutoUpdate](policy-csp-maps.md)
+
+## Messaging
+
+- [AllowMessageSync](policy-csp-messaging.md)
+
+## Multitasking
+
+- [BrowserAltTabBlowout](policy-csp-multitasking.md)
+
+## NetworkIsolation
+
+- [EnterpriseCloudResources](policy-csp-networkisolation.md)
+- [EnterpriseInternalProxyServers](policy-csp-networkisolation.md)
+- [EnterpriseIPRange](policy-csp-networkisolation.md)
+- [EnterpriseIPRangesAreAuthoritative](policy-csp-networkisolation.md)
+- [EnterpriseProxyServers](policy-csp-networkisolation.md)
+- [EnterpriseProxyServersAreAuthoritative](policy-csp-networkisolation.md)
+- [NeutralResources](policy-csp-networkisolation.md)
+
+## NewsAndInterests
+
+- [AllowNewsAndInterests](policy-csp-newsandinterests.md)
+
+## Notifications
+
+- [DisallowNotificationMirroring](policy-csp-notifications.md)
+- [DisallowTileNotification](policy-csp-notifications.md)
+- [DisallowCloudNotification](policy-csp-notifications.md)
+- [WnsEndpoint](policy-csp-notifications.md)
+
+## Power
+
+- [EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md)
+- [EnergySaverBatteryThresholdOnBattery](policy-csp-power.md)
+- [SelectPowerButtonActionPluggedIn](policy-csp-power.md)
+- [SelectPowerButtonActionOnBattery](policy-csp-power.md)
+- [SelectSleepButtonActionPluggedIn](policy-csp-power.md)
+- [SelectSleepButtonActionOnBattery](policy-csp-power.md)
+- [SelectLidCloseActionPluggedIn](policy-csp-power.md)
+- [SelectLidCloseActionOnBattery](policy-csp-power.md)
+- [TurnOffHybridSleepPluggedIn](policy-csp-power.md)
+- [TurnOffHybridSleepOnBattery](policy-csp-power.md)
+- [UnattendedSleepTimeoutPluggedIn](policy-csp-power.md)
+- [UnattendedSleepTimeoutOnBattery](policy-csp-power.md)
+
+## Privacy
+
+- [DisablePrivacyExperience](policy-csp-privacy.md)
+- [DisableAdvertisingId](policy-csp-privacy.md)
+- [LetAppsGetDiagnosticInfo](policy-csp-privacy.md)
+- [LetAppsGetDiagnosticInfo_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsGetDiagnosticInfo_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsRunInBackground](policy-csp-privacy.md)
+- [LetAppsRunInBackground_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsRunInBackground_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsRunInBackground_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [AllowInputPersonalization](policy-csp-privacy.md)
+- [LetAppsAccessAccountInfo](policy-csp-privacy.md)
+- [LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCalendar](policy-csp-privacy.md)
+- [LetAppsAccessCalendar_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCalendar_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCalendar_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCallHistory](policy-csp-privacy.md)
+- [LetAppsAccessCallHistory_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCallHistory_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCallHistory_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCamera](policy-csp-privacy.md)
+- [LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessContacts](policy-csp-privacy.md)
+- [LetAppsAccessContacts_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessContacts_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessContacts_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessEmail](policy-csp-privacy.md)
+- [LetAppsAccessEmail_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessEmail_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessEmail_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureProgrammatic](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureProgrammatic_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureProgrammatic_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureProgrammatic_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureWithoutBorder](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureWithoutBorder_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessGraphicsCaptureWithoutBorder_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessLocation](policy-csp-privacy.md)
+- [LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessLocation_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessLocation_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMessaging](policy-csp-privacy.md)
+- [LetAppsAccessMessaging_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMessaging_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMessaging_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMicrophone](policy-csp-privacy.md)
+- [LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMotion](policy-csp-privacy.md)
+- [LetAppsAccessMotion_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMotion_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessMotion_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessNotifications](policy-csp-privacy.md)
+- [LetAppsAccessNotifications_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessNotifications_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessNotifications_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessPhone](policy-csp-privacy.md)
+- [LetAppsAccessPhone_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessPhone_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessPhone_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessRadios](policy-csp-privacy.md)
+- [LetAppsAccessRadios_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessRadios_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessRadios_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessTasks](policy-csp-privacy.md)
+- [LetAppsAccessTasks_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessTasks_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessTasks_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessTrustedDevices](policy-csp-privacy.md)
+- [LetAppsAccessTrustedDevices_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessTrustedDevices_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsAccessTrustedDevices_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [LetAppsSyncWithDevices](policy-csp-privacy.md)
+- [LetAppsSyncWithDevices_ForceAllowTheseApps](policy-csp-privacy.md)
+- [LetAppsSyncWithDevices_ForceDenyTheseApps](policy-csp-privacy.md)
+- [LetAppsSyncWithDevices_UserInControlOfTheseApps](policy-csp-privacy.md)
+- [EnableActivityFeed](policy-csp-privacy.md)
+- [PublishUserActivities](policy-csp-privacy.md)
+- [UploadUserActivities](policy-csp-privacy.md)
+- [AllowCrossDeviceClipboard](policy-csp-privacy.md)
+- [DisablePrivacyExperience](policy-csp-privacy.md)
+- [LetAppsActivateWithVoice](policy-csp-privacy.md)
+- [LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md)
+
+## RemoteDesktop
+
+- [AutoSubscription](policy-csp-remotedesktop.md)
+
+## Search
+
+- [AllowIndexingEncryptedStoresOrItems](policy-csp-search.md)
+- [AllowSearchToUseLocation](policy-csp-search.md)
+- [AllowUsingDiacritics](policy-csp-search.md)
+- [AlwaysUseAutoLangDetection](policy-csp-search.md)
+- [DisableBackoff](policy-csp-search.md)
+- [DisableRemovableDriveIndexing](policy-csp-search.md)
+- [DisableSearch](policy-csp-search.md)
+- [PreventIndexingLowDiskSpaceMB](policy-csp-search.md)
+- [PreventRemoteQueries](policy-csp-search.md)
+- [AllowCloudSearch](policy-csp-search.md)
+- [DoNotUseWebResults](policy-csp-search.md)
+- [AllowCortanaInAAD](policy-csp-search.md)
+- [AllowFindMyFiles](policy-csp-search.md)
+- [AllowSearchHighlights](policy-csp-search.md)
+
+## Security
+
+- [ClearTPMIfNotReady](policy-csp-security.md)
+
+## Settings
+
+- [ConfigureTaskbarCalendar](policy-csp-settings.md)
+- [PageVisibilityList](policy-csp-settings.md)
+- [PageVisibilityList](policy-csp-settings.md)
+- [AllowOnlineTips](policy-csp-settings.md)
+
+## SmartScreen
+
+- [EnableSmartScreenInShell](policy-csp-smartscreen.md)
+- [PreventOverrideForFilesInShell](policy-csp-smartscreen.md)
+- [EnableAppInstallControl](policy-csp-smartscreen.md)
+
+## Speech
+
+- [AllowSpeechModelUpdate](policy-csp-speech.md)
+
+## Start
+
+- [ForceStartSize](policy-csp-start.md)
+- [DisableContextMenus](policy-csp-start.md)
+- [ShowOrHideMostUsedApps](policy-csp-start.md)
+- [HideFrequentlyUsedApps](policy-csp-start.md)
+- [HideRecentlyAddedApps](policy-csp-start.md)
+- [HidePeopleBar](policy-csp-start.md)
+- [StartLayout](policy-csp-start.md)
+- [ConfigureStartPins](policy-csp-start.md)
+- [HideRecommendedSection](policy-csp-start.md)
+- [HideTaskViewButton](policy-csp-start.md)
+- [DisableControlCenter](policy-csp-start.md)
+- [ForceStartSize](policy-csp-start.md)
+- [DisableContextMenus](policy-csp-start.md)
+- [ShowOrHideMostUsedApps](policy-csp-start.md)
+- [HideFrequentlyUsedApps](policy-csp-start.md)
+- [HideRecentlyAddedApps](policy-csp-start.md)
+- [StartLayout](policy-csp-start.md)
+- [ConfigureStartPins](policy-csp-start.md)
+- [HideRecommendedSection](policy-csp-start.md)
+- [SimplifyQuickSettings](policy-csp-start.md)
+- [DisableEditingQuickSettings](policy-csp-start.md)
+- [HideTaskViewButton](policy-csp-start.md)
+
+## Storage
+
+- [AllowDiskHealthModelUpdates](policy-csp-storage.md)
+- [RemovableDiskDenyWriteAccess](policy-csp-storage.md)
+- [AllowStorageSenseGlobal](policy-csp-storage.md)
+- [ConfigStorageSenseGlobalCadence](policy-csp-storage.md)
+- [AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md)
+- [ConfigStorageSenseRecycleBinCleanupThreshold](policy-csp-storage.md)
+- [ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md)
+- [ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md)
+
+## System
+
+- [AllowTelemetry](policy-csp-system.md)
+- [AllowBuildPreview](policy-csp-system.md)
+- [AllowFontProviders](policy-csp-system.md)
+- [AllowLocation](policy-csp-system.md)
+- [AllowTelemetry](policy-csp-system.md)
+- [TelemetryProxy](policy-csp-system.md)
+- [DisableOneDriveFileSync](policy-csp-system.md)
+- [AllowWUfBCloudProcessing](policy-csp-system.md)
+- [AllowUpdateComplianceProcessing](policy-csp-system.md)
+- [AllowDesktopAnalyticsProcessing](policy-csp-system.md)
+- [DisableEnterpriseAuthProxy](policy-csp-system.md)
+- [LimitEnhancedDiagnosticDataWindowsAnalytics](policy-csp-system.md)
+- [AllowDeviceNameInDiagnosticData](policy-csp-system.md)
+- [ConfigureTelemetryOptInSettingsUx](policy-csp-system.md)
+- [ConfigureTelemetryOptInChangeNotification](policy-csp-system.md)
+- [DisableDeviceDelete](policy-csp-system.md)
+- [DisableDiagnosticDataViewer](policy-csp-system.md)
+- [ConfigureMicrosoft365UploadEndpoint](policy-csp-system.md)
+- [TurnOffFileHistory](policy-csp-system.md)
+- [DisableDirectXDatabaseUpdate](policy-csp-system.md)
+- [AllowCommercialDataPipeline](policy-csp-system.md)
+- [LimitDiagnosticLogCollection](policy-csp-system.md)
+- [LimitDumpCollection](policy-csp-system.md)
+- [EnableOneSettingsAuditing](policy-csp-system.md)
+- [DisableOneSettingsDownloads](policy-csp-system.md)
+- [HideUnsupportedHardwareNotifications](policy-csp-system.md)
+
+## SystemServices
+
+- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureXboxLiveNetworkingServiceStartupMode](policy-csp-systemservices.md)
+
+## TextInput
+
+- [AllowLanguageFeaturesUninstall](policy-csp-textinput.md)
+- [AllowLinguisticDataCollection](policy-csp-textinput.md)
+- [ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md)
+- [ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md)
+- [ConfigureJapaneseIMEVersion](policy-csp-textinput.md)
+- [ConfigureKoreanIMEVersion](policy-csp-textinput.md)
+
+## TimeLanguageSettings
+
+- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
+- [BlockCleanupOfUnusedPreinstalledLangPacks](policy-csp-timelanguagesettings.md)
+- [MachineUILanguageOverwrite](policy-csp-timelanguagesettings.md)
+- [RestrictLanguagePacksAndFeaturesInstall](policy-csp-timelanguagesettings.md)
+
+## Troubleshooting
+
+- [AllowRecommendations](policy-csp-troubleshooting.md)
+
+## Update
+
+- [ActiveHoursEnd](policy-csp-update.md)
+- [ActiveHoursStart](policy-csp-update.md)
+- [ActiveHoursMaxRange](policy-csp-update.md)
+- [AutoRestartRequiredNotificationDismissal](policy-csp-update.md)
+- [AutoRestartNotificationSchedule](policy-csp-update.md)
+- [SetAutoRestartNotificationDisable](policy-csp-update.md)
+- [ScheduleRestartWarning](policy-csp-update.md)
+- [ScheduleImminentRestartWarning](policy-csp-update.md)
+- [AllowAutoUpdate](policy-csp-update.md)
+- [AutoRestartDeadlinePeriodInDays](policy-csp-update.md)
+- [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](policy-csp-update.md)
+- [EngagedRestartTransitionSchedule](policy-csp-update.md)
+- [EngagedRestartSnoozeSchedule](policy-csp-update.md)
+- [EngagedRestartDeadline](policy-csp-update.md)
+- [EngagedRestartTransitionScheduleForFeatureUpdates](policy-csp-update.md)
+- [EngagedRestartSnoozeScheduleForFeatureUpdates](policy-csp-update.md)
+- [EngagedRestartDeadlineForFeatureUpdates](policy-csp-update.md)
+- [DetectionFrequency](policy-csp-update.md)
+- [ManagePreviewBuilds](policy-csp-update.md)
+- [BranchReadinessLevel](policy-csp-update.md)
+- [ProductVersion](policy-csp-update.md)
+- [TargetReleaseVersion](policy-csp-update.md)
+- [AllowUpdateService](policy-csp-update.md)
+- [DeferFeatureUpdatesPeriodInDays](policy-csp-update.md)
+- [DeferQualityUpdatesPeriodInDays](policy-csp-update.md)
+- [DeferUpdatePeriod](policy-csp-update.md)
+- [DeferUpgradePeriod](policy-csp-update.md)
+- [ExcludeWUDriversInQualityUpdate](policy-csp-update.md)
+- [PauseDeferrals](policy-csp-update.md)
+- [PauseFeatureUpdates](policy-csp-update.md)
+- [PauseQualityUpdates](policy-csp-update.md)
+- [PauseFeatureUpdatesStartTime](policy-csp-update.md)
+- [PauseQualityUpdatesStartTime](policy-csp-update.md)
+- [RequireDeferUpgrade](policy-csp-update.md)
+- [AllowMUUpdateService](policy-csp-update.md)
+- [ScheduledInstallDay](policy-csp-update.md)
+- [ScheduledInstallTime](policy-csp-update.md)
+- [ScheduledInstallEveryWeek](policy-csp-update.md)
+- [ScheduledInstallFirstWeek](policy-csp-update.md)
+- [ScheduledInstallSecondWeek](policy-csp-update.md)
+- [ScheduledInstallThirdWeek](policy-csp-update.md)
+- [ScheduledInstallFourthWeek](policy-csp-update.md)
+- [UpdateServiceUrl](policy-csp-update.md)
+- [UpdateServiceUrlAlternate](policy-csp-update.md)
+- [FillEmptyContentUrls](policy-csp-update.md)
+- [SetProxyBehaviorForUpdateDetection](policy-csp-update.md)
+- [DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection](policy-csp-update.md)
+- [SetPolicyDrivenUpdateSourceForFeatureUpdates](policy-csp-update.md)
+- [SetPolicyDrivenUpdateSourceForQualityUpdates](policy-csp-update.md)
+- [SetPolicyDrivenUpdateSourceForDriverUpdates](policy-csp-update.md)
+- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md)
+- [SetEDURestart](policy-csp-update.md)
+- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md)
+- [SetDisableUXWUAccess](policy-csp-update.md)
+- [SetDisablePauseUXAccess](policy-csp-update.md)
+- [UpdateNotificationLevel](policy-csp-update.md)
+- [NoUpdateNotificationsDuringActiveHours](policy-csp-update.md)
+- [DisableDualScan](policy-csp-update.md)
+- [AutomaticMaintenanceWakeUp](policy-csp-update.md)
+- [ConfigureDeadlineForQualityUpdates](policy-csp-update.md)
+- [ConfigureDeadlineForFeatureUpdates](policy-csp-update.md)
+- [ConfigureDeadlineGracePeriod](policy-csp-update.md)
+- [ConfigureDeadlineGracePeriodForFeatureUpdates](policy-csp-update.md)
+- [ConfigureDeadlineNoAutoReboot](policy-csp-update.md)
+- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](policy-csp-update.md)
+- [ConfigureDeadlineNoAutoRebootForQualityUpdates](policy-csp-update.md)
+
+## UserRights
+
+- [AccessCredentialManagerAsTrustedCaller](policy-csp-userrights.md)
+- [AccessFromNetwork](policy-csp-userrights.md)
+- [ActAsPartOfTheOperatingSystem](policy-csp-userrights.md)
+- [AllowLocalLogOn](policy-csp-userrights.md)
+- [BackupFilesAndDirectories](policy-csp-userrights.md)
+- [ChangeSystemTime](policy-csp-userrights.md)
+- [CreatePageFile](policy-csp-userrights.md)
+- [CreateToken](policy-csp-userrights.md)
+- [CreateGlobalObjects](policy-csp-userrights.md)
+- [CreatePermanentSharedObjects](policy-csp-userrights.md)
+- [CreateSymbolicLinks](policy-csp-userrights.md)
+- [DebugPrograms](policy-csp-userrights.md)
+- [DenyAccessFromNetwork](policy-csp-userrights.md)
+- [DenyLocalLogOn](policy-csp-userrights.md)
+- [DenyRemoteDesktopServicesLogOn](policy-csp-userrights.md)
+- [EnableDelegation](policy-csp-userrights.md)
+- [RemoteShutdown](policy-csp-userrights.md)
+- [GenerateSecurityAudits](policy-csp-userrights.md)
+- [ImpersonateClient](policy-csp-userrights.md)
+- [IncreaseSchedulingPriority](policy-csp-userrights.md)
+- [LoadUnloadDeviceDrivers](policy-csp-userrights.md)
+- [LockMemory](policy-csp-userrights.md)
+- [ManageAuditingAndSecurityLog](policy-csp-userrights.md)
+- [ModifyObjectLabel](policy-csp-userrights.md)
+- [ModifyFirmwareEnvironment](policy-csp-userrights.md)
+- [ManageVolume](policy-csp-userrights.md)
+- [ProfileSingleProcess](policy-csp-userrights.md)
+- [RestoreFilesAndDirectories](policy-csp-userrights.md)
+- [TakeOwnership](policy-csp-userrights.md)
+- [BypassTraverseChecking](policy-csp-userrights.md)
+- [ReplaceProcessLevelToken](policy-csp-userrights.md)
+- [ChangeTimeZone](policy-csp-userrights.md)
+- [ShutDownTheSystem](policy-csp-userrights.md)
+- [LogOnAsBatchJob](policy-csp-userrights.md)
+- [ProfileSystemPerformance](policy-csp-userrights.md)
+- [DenyLogOnAsBatchJob](policy-csp-userrights.md)
+- [LogOnAsService](policy-csp-userrights.md)
+- [IncreaseProcessWorkingSet](policy-csp-userrights.md)
+
+## VirtualizationBasedTechnology
+
+- [HypervisorEnforcedCodeIntegrity](policy-csp-virtualizationbasedtechnology.md)
+- [RequireUEFIMemoryAttributesTable](policy-csp-virtualizationbasedtechnology.md)
+
+## WebThreatDefense
+
+- [ServiceEnabled](policy-csp-webthreatdefense.md)
+- [NotifyMalicious](policy-csp-webthreatdefense.md)
+- [NotifyPasswordReuse](policy-csp-webthreatdefense.md)
+- [NotifyUnsafeApp](policy-csp-webthreatdefense.md)
+
+## Wifi
+
+- [AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md)
+- [AllowInternetSharing](policy-csp-wifi.md)
+
+## WindowsDefenderSecurityCenter
+
+- [CompanyName](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableNotifications](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)
+- [DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md)
+- [DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md)
+- [Email](policy-csp-windowsdefendersecuritycenter.md)
+- [EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md)
+- [EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md)
+- [HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md)
+- [HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md)
+- [HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md)
+- [HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md)
+- [Phone](policy-csp-windowsdefendersecuritycenter.md)
+- [URL](policy-csp-windowsdefendersecuritycenter.md)
+
+## WindowsInkWorkspace
+
+- [AllowWindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
+- [AllowSuggestedAppsInWindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
+
+## WindowsLogon
+
+- [HideFastUserSwitching](policy-csp-windowslogon.md)
+- [EnableFirstLogonAnimation](policy-csp-windowslogon.md)
+
+## WindowsSandbox
+
+- [AllowVGPU](policy-csp-windowssandbox.md)
+- [AllowNetworking](policy-csp-windowssandbox.md)
+- [AllowAudioInput](policy-csp-windowssandbox.md)
+- [AllowVideoInput](policy-csp-windowssandbox.md)
+- [AllowPrinterRedirection](policy-csp-windowssandbox.md)
+- [AllowClipboardRedirection](policy-csp-windowssandbox.md)
+
+## WirelessDisplay
+
+- [AllowProjectionToPC](policy-csp-wirelessdisplay.md)
+- [RequirePinForPairing](policy-csp-wirelessdisplay.md)
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
index 12859f6173..5b7486628f 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
@@ -1,12 +1,12 @@
 ---
 title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
 description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/17/2019
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
index ae4a2340c2..eebc6a88cf 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
@@ -1,12 +1,12 @@
 ---
 title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
 description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 07/18/2019
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 10fd8d3bcf..00aeb772d0 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -1,12 +1,12 @@
 ---
 title: Policies in Policy CSP supported by HoloLens 2
 description: Learn about the policies in Policy CSP supported by HoloLens 2.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 08/01/2022
@@ -45,20 +45,20 @@ ms.date: 08/01/2022
 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
 - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
 - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) <sup>9</sup>
-- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) <sup>Insider</sup>
+- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforelogon) <sup>12</sup>
 - [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)<sup>10</sup>
 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) <sup>11</sup>
 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) <sup>9</sup>
 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
-- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) <sup>Insider</sup>
-- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) <sup>Insider</sup>
+- [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#mixedreality-configurentpclient) <sup>12</sup>
+- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) <sup>12</sup>
 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) <sup>9</sup>
 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) <sup>9</sup>
 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) <sup>*[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)</sup>
 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) <sup>9</sup>
-- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) <sup>Insider</sup>
-- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) <sup>Insider</sup>
-- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) <sup>Insider</sup>
+- [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#mixedreality-ntpclientenabled) <sup>12</sup>
+- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) <sup>12</sup>
+- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) <sup>12</sup>
 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) <sup>10</sup>
 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) <sup>9</sup>
 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) <sup>9</sup>
@@ -98,11 +98,11 @@ ms.date: 08/01/2022
 - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
 - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) <sup>9</sup>
 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
-- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) <sup>Insider</sup>
-- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) <sup>Insider</sup>
-- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) <sup>Insider</sup>
-- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) <sup>Insider</sup>
-- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) <sup>Insider</sup>
+- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) <sup>12</sup>
+- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) <sup>12</sup>
+- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) <sup>12</sup>
+- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) <sup>12</sup>
+- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) <sup>12</sup>
 - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
 - [System/AllowLocation](policy-csp-system.md#system-allowlocation)
 - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
@@ -147,6 +147,7 @@ Footnotes:
 - 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2)
 - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
 - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
+- 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2)
 - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider).
 
 ## Related topics
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
index ab56c3de1b..3e333af7f9 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
@@ -1,12 +1,12 @@
 ---
 title: Policies in Policy CSP supported by Windows 10 IoT Core
 description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/16/2019
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 8e07d4bcd1..bcc22cc6cb 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 07/22/2020
@@ -21,32 +21,32 @@ ms.date: 07/22/2020
 - [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
 - [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy)
 - [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites)
-- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning)
-- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring)
-- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection)
-- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning)
-- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives)
-- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning)
-- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection)
-- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection)
-- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring)
-- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles)
-- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning)
-- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess)
-- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor)
-- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware)
-- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions)
-- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths)
-- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses)
-- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection)
-- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection)
-- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter)
-- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime)
-- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday)
-- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime)
-- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval)
-- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent)
-- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction)
+- [Defender/AllowArchiveScanning](policy-csp-defender.md#allowarchivescanning)
+- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#allowbehaviormonitoring)
+- [Defender/AllowCloudProtection](policy-csp-defender.md#allowcloudprotection)
+- [Defender/AllowEmailScanning](policy-csp-defender.md#allowemailscanning)
+- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#allowfullscanonmappednetworkdrives)
+- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#allowfullscanremovabledrivescanning)
+- [Defender/AllowIOAVProtection](policy-csp-defender.md#allowioavprotection)
+- [Defender/AllowOnAccessProtection](policy-csp-defender.md#allowonaccessprotection)
+- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#allowrealtimemonitoring)
+- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#allowscanningnetworkfiles)
+- [Defender/AllowScriptScanning](policy-csp-defender.md#allowscriptscanning)
+- [Defender/AllowUserUIAccess](policy-csp-defender.md#allowuseruiaccess)
+- [Defender/AvgCPULoadFactor](policy-csp-defender.md#avgcpuloadfactor)
+- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#daystoretaincleanedmalware)
+- [Defender/ExcludedExtensions](policy-csp-defender.md#excludedextensions)
+- [Defender/ExcludedPaths](policy-csp-defender.md#excludedpaths)
+- [Defender/ExcludedProcesses](policy-csp-defender.md#excludedprocesses)
+- [Defender/PUAProtection](policy-csp-defender.md#puaprotection)
+- [Defender/RealTimeScanDirection](policy-csp-defender.md#realtimescandirection)
+- [Defender/ScanParameter](policy-csp-defender.md#scanparameter)
+- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#schedulequickscantime)
+- [Defender/ScheduleScanDay](policy-csp-defender.md#schedulescanday)
+- [Defender/ScheduleScanTime](policy-csp-defender.md#schedulescantime)
+- [Defender/SignatureUpdateInterval](policy-csp-defender.md#signatureupdateinterval)
+- [Defender/SubmitSamplesConsent](policy-csp-defender.md#submitsamplesconsent)
+- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#threatseveritydefaultaction)
 - [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
 - [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
 - [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
index 9cf93f4e1e..601ad0b197 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
@@ -1,12 +1,12 @@
 ---
 title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
 description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 07/18/2019
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index ec5e0b87bc..283417da87 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1,30 +1,33 @@
 ---
 title: Policy CSP
-description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10 and Windows 11.
-ms.reviewer:
+description: Learn more about the Policy CSP
+author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: vinaypamnani-msft
+ms.date: 11/22/2022
 ms.localizationpriority: medium
-ms.date: 07/18/2019
-ms.collection: highpri
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- Policy-Begin -->
 # Policy CSP
 
+<!-- Policy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 11. Use this configuration service provider to configure any company policies.
 
 The Policy configuration service provider has the following sub-categories:
 
-- Policy/Config/*AreaName* – Handles the policy configuration request from the server.
-- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device.
+- Policy/Config/**AreaName** - Handles the policy configuration request from the server.
+- Policy/Result/**AreaName** - Provides a read-only path to policies enforced on the device.
 
 <a href="" id="policy-scope"></a>
 
-> [!Important]
+> [!IMPORTANT]
 > Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.
 >
 > The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths:
@@ -43,9490 +46,1133 @@ The Policy configuration service provider has the following sub-categories:
 >
 > - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
 > - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
+<!-- Policy-Editable-End -->
 
-The following shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
+<!-- Policy-Tree-Begin -->
+The following example shows the Policy configuration service provider in tree format.
 
-```console
-./Vendor/MSFT
-Policy
--------Config
-----------AreaName
--------------PolicyName
--------Result
-----------AreaName
--------------PolicyName
--------ConfigOperations
-----------ADMXInstall
--------------AppName
-----------------Policy
-------------------UniqueID
-----------------Preference
-------------------UniqueID
+```text
+./Device/Vendor/MSFT/Policy
+--- Config
+------ {AreaName}
+--------- {PolicyName}
+--- ConfigOperations
+------ ADMXInstall
+--------- {AppName}
+------------ {SettingsType}
+--------------- {AdmxFileId}
+------------ Properties
+--------------- {SettingsType}
+------------------ {AdmxFileId}
+--------------------- Version
+--- Result
+------ {AreaName}
+--------- {PolicyName}
+./User/Vendor/MSFT/Policy
+--- Config
+------ {AreaName}
+--------- {PolicyName}
+--- Result
+------ {AreaName}
+--------- {PolicyName}
 ```
+<!-- Policy-Tree-End -->
 
+<!-- Device-Config-Begin -->
+## Device/Config
 
-<a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**
-The root node for the Policy configuration service provider.
+<!-- Device-Config-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- Device-Config-Applicability-End -->
 
-Supported operation is Get.
+<!-- Device-Config-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config
+```
+<!-- Device-Config-OmaUri-End -->
 
-<a href="" id="policy-config"></a>**Policy/Config**
-Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value.
+<!-- Device-Config-Description-Begin -->
+Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
+<!-- Device-Config-Description-End -->
 
-Supported operation is Get.
+<!-- Device-Config-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Config-Editable-End -->
 
-<a href="" id="policy-config-areaname"></a>**Policy/Config/_AreaName_**
-The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
+<!-- Device-Config-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operations are Add, Get, and Delete.
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+<!-- Device-Config-DFProperties-End -->
 
-<a href="" id="policy-config-areaname-policyname"></a>**Policy/Config/_AreaName/PolicyName_**
-Specifies the name/value pair used in the policy.
+<!-- Device-Config-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Config-Examples-End -->
 
+<!-- Device-Config-End -->
+
+<!-- Device-Config-{AreaName}-Begin -->
+### Device/Config/{AreaName}
+
+<!-- Device-Config-{AreaName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- Device-Config-{AreaName}-Applicability-End -->
+
+<!-- Device-Config-{AreaName}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/{AreaName}
+```
+<!-- Device-Config-{AreaName}-OmaUri-End -->
+
+<!-- Device-Config-{AreaName}-Description-Begin -->
+The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.  See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+<!-- Device-Config-{AreaName}-Description-End -->
+
+<!-- Device-Config-{AreaName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Config-{AreaName}-Editable-End -->
+
+<!-- Device-Config-{AreaName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Config-{AreaName}-DFProperties-End -->
+
+<!-- Device-Config-{AreaName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Config-{AreaName}-Examples-End -->
+
+<!-- Device-Config-{AreaName}-End -->
+
+<!-- Device-Config-{AreaName}-{PolicyName}-Begin -->
+#### Device/Config/{AreaName}/{PolicyName}
+
+<!-- Device-Config-{AreaName}-{PolicyName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- Device-Config-{AreaName}-{PolicyName}-Applicability-End -->
+
+<!-- Device-Config-{AreaName}-{PolicyName}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}
+```
+<!-- Device-Config-{AreaName}-{PolicyName}-OmaUri-End -->
+
+<!-- Device-Config-{AreaName}-{PolicyName}-Description-Begin -->
+Specifies the name/value pair used in the policy.  See the individual Area DDFs for more information about the policies available to configure.
+<!-- Device-Config-{AreaName}-{PolicyName}-Description-End -->
+
+<!-- Device-Config-{AreaName}-{PolicyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
 The following list shows some tips to help you when configuring policies:
 
-- Separate substring values by the Unicode &\#xF000; in the XML file.
-
+- Separate substring values by Unicode `0xF000` in the XML file.
     > [!NOTE]
     > A query from a different caller could provide a different value as each caller could have different values for a named policy.
-
 - In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
 - Supported operations are Add, Get, Delete, and Replace.
 - Value type is string.
+<!-- Device-Config-{AreaName}-{PolicyName}-Editable-End -->
 
-<a href="" id="policy-result"></a>**Policy/Result**
-Groups the evaluated policies from all providers that can be configured.
+<!-- Device-Config-{AreaName}-{PolicyName}-DFProperties-Begin -->
+**Description framework properties**:
 
-Supported operation is Get.
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Config-{AreaName}-{PolicyName}-DFProperties-End -->
 
-<a href="" id="policy-result-areaname"></a>**Policy/Result/_AreaName_**
-The area group that can be configured by a single technology independent of the providers.
+<!-- Device-Config-{AreaName}-{PolicyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Config-{AreaName}-{PolicyName}-Examples-End -->
 
-Supported operation is Get.
+<!-- Device-Config-{AreaName}-{PolicyName}-End -->
 
-<a href="" id="policy-result-areaname-policyname"></a>**Policy/Result/_AreaName/PolicyName_**
-Specifies the name/value pair used in the policy.
+<!-- Device-ConfigOperations-Begin -->
+## Device/ConfigOperations
 
-Supported operation is Get.
+<!-- Device-ConfigOperations-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- Device-ConfigOperations-Applicability-End -->
 
-<a href="" id="policy-result"></a>**Policy/ConfigOperations**
-Added in Windows 10, version 1703. The root node for grouping different configuration operations.
+<!-- Device-ConfigOperations-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations
+```
+<!-- Device-ConfigOperations-OmaUri-End -->
 
-Supported operations are Add, Get, and Delete.
+<!-- Device-ConfigOperations-Description-Begin -->
+The root node for grouping different configuration operations.
+<!-- Device-ConfigOperations-Description-End -->
 
-<a href="" id="policy-configoperations-admxinstall"></a>**Policy/ConfigOperations/ADMXInstall**
-Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall</code>. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../win32-and-centennial-app-policy-configuration.md).
+<!-- Device-ConfigOperations-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-Editable-End -->
+
+<!-- Device-ConfigOperations-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+<!-- Device-ConfigOperations-DFProperties-End -->
+
+<!-- Device-ConfigOperations-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-Examples-End -->
+
+<!-- Device-ConfigOperations-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-Begin -->
+### Device/ConfigOperations/ADMXInstall
+
+<!-- Device-ConfigOperations-ADMXInstall-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- Device-ConfigOperations-ADMXInstall-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
+```
+<!-- Device-ConfigOperations-ADMXInstall-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-Description-Begin -->
+Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
+<!-- Device-ConfigOperations-ADMXInstall-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+ For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../win32-and-centennial-app-policy-configuration.md).
 
 > [!NOTE]
 > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-
-ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}</code>.
-
-Supported operations are Add, Get, and Delete.
-
-<a href="" id="policy-configoperations-admxinstall-appname"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_**
-Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
-
-Supported operations are Add, Get, and Delete.
-
-<a href="" id="policy-configoperations-admxinstall-appname-policy"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
-Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
-
-Supported operations are Add, Get, and Delete.
-
-<a href="" id="policy-configoperations-admxinstall-appname-policy-uniqueid"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
-Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
-
-Supported operations are Add and Get. Does not support Delete.
-
-<a href="" id="policy-configoperations-admxinstall-appname-preference"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
-Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
-
-Supported operations are Add, Get, and Delete.
-
-<a href="" id="policy-configoperations-admxinstall-appname-preference-uniqueid"></a>**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
-Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
-
-Supported operations are Add and Get. Does not support Delete.
-
-## Policies
-
-### AboveLock policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-abovelock.md#abovelock-allowcortanaabovelock" id="abovelock-allowcortanaabovelock">AboveLock/AllowCortanaAboveLock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-abovelock.md#abovelock-allowtoasts" id="abovelock-allowtoasts">AboveLock/AllowToasts</a>
-  </dd>
-</dl>
-
-### Accounts policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-accounts.md#accounts-allowaddingnonmicrosoftaccountsmanually" id="accounts-allowaddingnonmicrosoftaccountsmanually">Accounts/AllowAddingNonMicrosoftAccountsManually</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection" id="accounts-allowmicrosoftaccountconnection">Accounts/AllowMicrosoftAccountConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-accounts.md#accounts-allowmicrosoftaccountsigninassistant" id="accounts-allowmicrosoftaccountsigninassistant">Accounts/AllowMicrosoftAccountSignInAssistant</a>
-  </dd>
-
-</dl>
-
-### ActiveXControls policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites" id="activexcontrols-approvedinstallationsites">ActiveXControls/ApprovedInstallationSites</a>
-  </dd>
-</dl>
-
-### ADMX_ActiveXInstallService policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies" id="admx-activexinstallservice-axisurlzonepolicies">ADMX_ActiveXInstallService/AxISURLZonePolicies</a>
-  </dd>
-</dl>
-
-### ADMX_AddRemovePrograms policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory" id="admx-addremoveprograms-defaultcategory">ADMX_AddRemovePrograms/DefaultCategory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy" id="admx-addremoveprograms-noaddfromcdorfloppy">ADMX_AddRemovePrograms/NoAddFromCDorFloppy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet" id="admx-addremoveprograms-noaddfrominternet">ADMX_AddRemovePrograms/NoAddFromInternet</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork" id="admx-addremoveprograms-noaddfromnetwork">ADMX_AddRemovePrograms/NoAddFromNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage" id="admx-addremoveprograms-noaddpage">ADMX_AddRemovePrograms/NoAddPage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms" id="admx-addremoveprograms-noaddremoveprograms">ADMX_AddRemovePrograms/NoAddRemovePrograms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage" id="admx-addremoveprograms-nochooseprogramspage">ADMX_AddRemovePrograms/NoChooseProgramsPage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage" id="admx-addremoveprograms-noremovepage">ADMX_AddRemovePrograms/NoRemovePage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices" id="admx-addremoveprograms-noservices">ADMX_AddRemovePrograms/NoServices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo" id="admx-addremoveprograms-nosupportinfo">ADMX_AddRemovePrograms/NoSupportInfo</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage" id="admx-addremoveprograms-nowindowssetuppage">ADMX_AddRemovePrograms/NoWindowsSetupPage</a>
-  </dd>
-</dl>
-
-### ADMX_AdmPwd policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy" id="admx-admpwd-pol_admpwd_dontallowpwdexpirationbehindpolicy">ADMX_AdmPwd/POL_AdmPwd_DontAllowPwdExpirationBehindPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_enabled" id="admx-admpwd-pol_admpwd_enabled">ADMX_AdmPwd/POL_AdmPwd_Enabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd_adminname" id="admx-admpwd-pol_admpwd_adminname">ADMX_AdmPwd/POL_AdmPwd_AdminName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-admpwd.md#admx-admpwd-pol_admpwd" id="admx-admpwd-pol_admpwd">ADMX_AdmPwd/POL_AdmPwd</a>
-  </dd>
-<dl>
-
-### ADMX_AppCompat policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach" id="admx-appcompat-appcompatprevent16bitmach">ADMX_AppCompat/AppCompatPrevent16BitMach</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage" id="admx-appcompat-appcompatremoveprogramcompatproppage">ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry" id="admx-appcompat-appcompatturnoffapplicationimpacttelemetry">ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback" id="admx-appcompat-appcompatturnoffswitchback">ADMX_AppCompat/AppCompatTurnOffSwitchBack</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine" id="admx-appcompat-appcompatturnoffengine">ADMX_AppCompat/AppCompatTurnOffEngine</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1" id="admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1">ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2" id="admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2">ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord" id="admx-appcompat-appcompatturnoffuseractionrecord">ADMX_AppCompat/AppCompatTurnOffUserActionRecord</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory" id="admx-appcompat-appcompatturnoffprograminventory">ADMX_AppCompat/AppCompatTurnOffProgramInventory</a>
-  </dd>
-</dl>
-
-### ADMX_AppxPackageManager policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles" id="admx-appxpackagemanager-allowdeploymentinspecialprofiles">ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles</a>
-  </dd>
-</dl>
-
-### ADMX_AppXRuntime policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules" id="admx-appxruntime-appxruntimeapplicationcontenturirules">ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation" id="admx-appxruntime-appxruntimeblockfileelevation">ADMX_AppXRuntime/AppxRuntimeBlockFileElevation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt" id="admx-appxruntime-appxruntimeblockhostedappaccesswinrt">ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation" id="admx-appxruntime-appxruntimeblockprotocolelevation">ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation</a>
-  </dd>
-</dl>
-
-### ADMX_AttachmentManager policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk" id="admx-attachmentmanager-am-estimatefilehandlerrisk">ADMX_AttachmentManager/AM_EstimateFileHandlerRisk</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel" id="admx-attachmentmanager-am-setfilerisklevel">ADMX_AttachmentManager/AM_SetFileRiskLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion" id="admx-attachmentmanager-am-sethighriskinclusion">ADMX_AttachmentManager/AM_SetHighRiskInclusion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion" id="admx-attachmentmanager-am-setlowriskinclusion">ADMX_AttachmentManager/AM_SetLowRiskInclusion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion" id="admx-attachmentmanager-am-setmodriskinclusion">ADMX_AttachmentManager/AM_SetModRiskInclusion</a>
-  </dd>
-</dl>
-
-### ADMX_AuditSettings policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline" id="admx-auditsettings-includecmdline">ADMX_AuditSettings/IncludeCmdLine</a>
-  </dd>
-</dl>
-
-
-### ADMX_Bits policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache" id="admx-bits-bits-disablebranchcache">ADMX_Bits/BITS_DisableBranchCache</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient" id="admx-bits-bits-disablepeercachingclient">ADMX_Bits/BITS_DisablePeercachingClient</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingserver" id="admx-bits-bits-disablepeercachingserver">ADMX_Bits/BITS_DisablePeercachingServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-enablepeercaching" id="admx-bits-bits-enablepeercaching">ADMX_Bits/BITS_EnablePeercaching</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthservedforpeers" id="admx-bits-bits-maxbandwidthservedforpeers">ADMX_Bits/BITS_MaxBandwidthServedForPeers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-maintenance" id="admx-bits-bits-maxbandwidthv2-maintenance">ADMX_Bits/BITS_MaxBandwidthV2_Maintenance</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-work" id="admx-bits-bits-maxbandwidthv2-work">ADMX_Bits/BITS_MaxBandwidthV2_Work</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxcachesize" id="admx-bits-bits-maxcachesize">ADMX_Bits/BITS_MaxCacheSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxcontentage" id="admx-bits-bits-maxcontentage">ADMX_Bits/BITS_MaxContentAge</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxdownloadtime" id="admx-bits-bits-maxdownloadtime">ADMX_Bits/BITS_MaxDownloadTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxfilesperjob" id="admx-bits-bits-maxfilesperjob">ADMX_Bits/BITS_MaxFilesPerJob</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine" id="admx-bits-bits-maxjobspermachine">ADMX_Bits/BITS_MaxJobsPerMachine</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser" id="admx-bits-bits-maxjobsperuser">ADMX_Bits/BITS_MaxJobsPerUser</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile" id="admx-bits-bits-maxrangesperfile">ADMX_Bits/BITS_MaxRangesPerFile</a>
-  </dd>
-</dl>
-
-### ADMX_CipherSuiteOrder policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslciphersuiteorder" id="admx-ciphersuiteorder-sslciphersuiteorder">ADMX_CipherSuiteOrder/SSLCipherSuiteOrder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder" id="admx-ciphersuiteorder-sslcurveorder">ADMX_CipherSuiteOrder/SSLCurveOrder</a>
-  </dd>
-</dl>
-
-### ADMX_COM policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1" id="admx-com-appmgmt-com-searchforclsid-1">ADMX_COM/AppMgmt_COM_SearchForCLSID_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2" id="admx-com-appmgmt-com-searchforclsid-2">ADMX_COM/AppMgmt_COM_SearchForCLSID_2</a>
-  </dd>
-</dl>
-
-### ADMX_ControlPanel policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls" id="admx-controlpanel-disallowcpls">ADMX_ControlPanel/DisallowCpls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel" id="admx-controlpanel-forceclassiccontrolpanel">ADMX_ControlPanel/ForceClassicControlPanel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel" id="admx-controlpanel-nocontrolpanel">ADMX_ControlPanel/NoControlPanel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls" id="admx-controlpanel-restrictcpls">ADMX_ControlPanel/RestrictCpls</a>
-  </dd>
-</dl>
-
-### ADMX_ControlPanelDisplay policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable" id="">ADMX_ControlPanelDisplay/CPL_Display_Disable</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings" id="">ADMX_ControlPanelDisplay/CPL_Display_HideSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice" id="">ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange" id="">ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle" id="">ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver" id="admx-controlpaneldisplay-cpl-personalization-enablescreensaver">ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen" id="admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen">ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize" id="admx-controlpaneldisplay-cpl-personalization-lockfontsize">ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen" id="admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen">ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground" id="admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground">ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui" id="admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui">ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui" id="admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui">ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui" id="admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui">ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen" id="admx-controlpaneldisplay-cpl-personalization-nolockscreen">ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui" id="admx-controlpaneldisplay-cpl-personalization-nomousepointersui">ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui" id="admx-controlpaneldisplay-cpl-personalization-noscreensaverui">ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui" id="admx-controlpaneldisplay-cpl-personalization-nosoundschemeui">ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors" id="admx-controlpaneldisplay-cpl-personalization-personalcolors">ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure" id="admx-controlpaneldisplay-cpl-personalization-screensaverissecure">ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout" id="admx-controlpaneldisplay-cpl-personalization-screensavertimeout">ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver" id="admx-controlpaneldisplay-cpl-personalization-setscreensaver">ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme" id="admx-controlpaneldisplay-cpl-personalization-settheme">ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle" id="admx-controlpaneldisplay-cpl-personalization-setvisualstyle">ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground" id="admx-controlpaneldisplay-cpl-personalization-startbackground">ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground</a>
-  </dd>
-</dl>
-
-### ADMX_Cpls policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword" id="#admx-ctrlaltdel-disablechangepassword">ADMX_CtrlAltDel/DisableChangePassword</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer" id="#admx-ctrlaltdel-disablelockcomputer">ADMX_CtrlAltDel/DisableLockComputer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr" id="#admx-ctrlaltdel-disabletaskmgr">ADMX_CtrlAltDel/DisableTaskMgr</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff" id="#admx-ctrlaltdel-nologoff">ADMX_CtrlAltDel/NoLogoff</a>
-  </dd>
-</dl>
-
-### ADMX_CredentialProviders policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock" id="admx-credentialproviders-allowdomaindelaylock">ADMX_CredentialProviders/AllowDomainDelayLock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider" id="admx-credentialproviders-defaultcredentialprovider">ADMX_CredentialProviders/DefaultCredentialProvider</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders" id="admx-credentialproviders-excludedcredentialproviders">ADMX_CredentialProviders/ExcludedCredentialProviders</a>
-  </dd>
-</dl>
-
-### ADMX_CredSsp policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly" id="admx-credssp-allowdefcredentialswhenntlmonly">ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials" id="admx-credssp-allowdefaultcredentials">ADMX_CredSsp/AllowDefaultCredentials</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle" id="admx-credssp-allowencryptionoracle">ADMX_CredSsp/AllowEncryptionOracle</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials" id="admx-credssp-allowfreshcredentials">ADMX_CredSsp/AllowFreshCredentials</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly" id="admx-credssp-allowfreshcredentialswhenntlmonly">ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials" id="admx-credssp-allowsavedcredentials">ADMX_CredSsp/AllowSavedCredentials</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly" id="admx-credssp-allowsavedcredentialswhenntlmonly">ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials" id="admx-credssp-denydefaultcredentials">ADMX_CredSsp/DenyDefaultCredentials</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials" id="admx-credssp-denyfreshcredentials">ADMX_CredSsp/DenyFreshCredentials</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials" id="admx-credssp-denysavedcredentials">ADMX_CredSsp/DenySavedCredentials</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration" id="admx-credssp-restrictedremoteadministration">ADMX_CredSsp/RestrictedRemoteAdministration</a>
-
-### ADMX_CredUI policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting" id="admx-credui-enablesecurecredentialprompting">ADMX_CredUI/EnableSecureCredentialPrompting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions" id="admx-credui-nolocalpasswordresetquestions">ADMX_CredUI/NoLocalPasswordResetQuestions</a>
-  </dd>
-</dl>
-
-###  ADMX_CtrlAltDel policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile" id="#admx-cpls-usedefaulttile">ADMX_Cpls/UseDefaultTile</a>
-  </dd>
-</dl>
-
-### ADMX_DataCollection policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy" id="admx-datacollection-commercialidpolicy">ADMX_DataCollection/CommercialIdPolicy</a>
-  </dd>
-</dl>
-
-### ADMX_DCOM policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckallowlocallist" id="admx-dcom-dcomactivationsecuritycheckallowlocallist">ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckexemptionlist" id="admx-dcom-dcomactivationsecuritycheckexemptionlist">ADMX_DCOM/DCOMActivationSecurityCheckExemptionList</a>
-  </dd>
-</dl>
-
-### ADMX_Desktop policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter" id="admx-desktop-ad-enablefilter">ADMX_Desktop/AD_EnableFilter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder" id="admx-desktop-ad-hidedirectoryfolder">ADMX_Desktop/AD_HideDirectoryFolder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit" id="admx-desktop-ad-querylimit">ADMX_Desktop/AD_QueryLimit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon" id="admx-desktop-forceactivedesktopon">ADMX_Desktop/ForceActiveDesktopOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop" id="admx-desktop-noactivedesktop">ADMX_Desktop/NoActiveDesktop</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges" id="admx-desktop-noactivedesktopchanges">ADMX_Desktop/NoActiveDesktopChanges</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nodesktop" id="admx-desktop-nodesktop">ADMX_Desktop/NoDesktop</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard" id="admx-desktop-nodesktopcleanupwizard">ADMX_Desktop/NoDesktopCleanupWizard</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nointerneticon" id="admx-desktop-nointerneticon">ADMX_Desktop/NoInternetIcon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon" id="admx-desktop-nomycomputericon">ADMX_Desktop/NoMyComputerIcon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon" id="admx-desktop-nomydocumentsicon">ADMX_Desktop/NoMyDocumentsIcon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nonethood" id="admx-desktop-nonethood">ADMX_Desktop/NoNetHood</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer" id="admx-desktop-nopropertiesmycomputer">ADMX_Desktop/NoPropertiesMyComputer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments" id="admx-desktop-nopropertiesmydocuments">ADMX_Desktop/NoPropertiesMyDocuments</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood" id="admx-desktop-norecentdocsnethood">ADMX_Desktop/NoRecentDocsNetHood</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon" id="admx-desktop-norecyclebinicon">ADMX_Desktop/NoRecycleBinIcon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties" id="admx-desktop-norecyclebinproperties">ADMX_Desktop/NoRecycleBinProperties</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nosavesettings" id="admx-desktop-nosavesettings">ADMX_Desktop/NoSaveSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts" id="admx-desktop-nowindowminimizingshortcuts">ADMX_Desktop/NoWindowMinimizingShortcuts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-wallpaper" id="admx-desktop-wallpaper">ADMX_Desktop/Wallpaper</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd" id="admx-desktop-sz-atc-disableadd">ADMX_Desktop/sz_ATC_DisableAdd</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose" id="admx-desktop-sz-atc-disableclose">ADMX_Desktop/sz_ATC_DisableClose</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel" id="admx-desktop-sz-atc-disabledel">ADMX_Desktop/sz_ATC_DisableDel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit" id="admx-desktop-sz-atc-disableedit">ADMX_Desktop/sz_ATC_DisableEdit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents" id="admx-desktop-sz-atc-nocomponents">ADMX_Desktop/sz_ATC_NoComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title" id="admx-desktop-sz-admincomponents-title">ADMX_Desktop/sz_AdminComponents_Title</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose" id="admx-desktop-sz-db-dragdropclose">ADMX_Desktop/sz_DB_DragDropClose</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving" id="admx-desktop-sz-db-moving">ADMX_Desktop/sz_DB_Moving</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper" id="admx-desktop-sz-dwp-nohtmlpaper">ADMX_Desktop/sz_DWP_NoHTMLPaper</a>
-  </dd>
-</dl>
-
-### ADMX_DeviceCompat policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-devicecompat.md#admx-devicecompat-deviceflags" id="#admx-devicecompat-deviceflags">ADMX_DeviceCompat/DeviceFlags</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-devicecompat.md#admx-devicecompat-drivershims" id="#admx-devicecompat-drivershims">ADMX_DeviceCompat/DriverShims</a>
-  </dd>
-<dl>
-
-### ADMX_DeviceGuard policies
-
- <dd>
-    <a href="./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy" id="admx-deviceguard-configcipolicy">ADMX_DeviceGuard/ConfigCIPolicy</a>
-  </dd>
-<dl>
-
-### ADMX_DeviceInstallation policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall" id="admx-deviceinstallation-deviceinstall-allowadmininstall">ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext" id="admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext">ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext" id="admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext">ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout" id="admx-deviceinstallation-deviceinstall-installtimeout">ADMX_DeviceInstallation/DeviceInstall_InstallTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime" id="admx-deviceinstallation-deviceinstall-policy-reboottime">ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny" id="admx-deviceinstallation-deviceinstall-removable-deny">ADMX_DeviceInstallation/DeviceInstall_Removable_Deny</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore" id="admx-deviceinstallation-deviceinstall-systemrestore">ADMX_DeviceInstallation/DeviceInstall_SystemRestore</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser" id="admx-deviceinstallation-deviceinstall-classes-allowuser">ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser</a>
-  </dd>
-</dl>
-
-### ADMX_DeviceSetup policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips" id="admx-devicesetup-deviceinstall-balloontips">ADMX_DeviceSetup/DeviceInstall_BalloonTips</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration" id="admx-devicesetup-driversearchplaces-searchorderconfiguration">ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration</a>
-  </dd>
-</dl>
-
-### ADMX_DFS policies
-
-</dl>
-  <dd>
-    <a href="./policy-csp-admx-dfs.md#admx-dfs-dfsdiscoverdc"id="admx-devicesetup-
-dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
-  </dd>
-</dl>
-
-### ADMX_DigitalLocker policies
-
-</dl>
-<dd>
-    <a href="./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1" id="admx-digitallocker-digitalx-diableapplication-titletext-1">ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2" id="admx-digitallocker-digitalx-diableapplication-titletext-2">ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2</a>
-  </dd>
-</dl>
-
-### ADMX_DiskDiagnostic policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-diskdiagnostic.md#admx-diskdiagnostic-dfdalertpolicy" id="admx-diskdiagnostic-dfdalertpolicy">ADMX_DiskDiagnostic/DfdAlertPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-diskdiagnostic.md#admx-diskdiagnostic-wdiscenarioexecutionpolicy" id="admx-diskdiagnostic-wdiscenarioexecutionpolicy">ADMX_DiskDiagnostic/WdiScenarioExecutionPolicy</a>
-  </dd>
-</dl>
-
-### ADMX_DiskNVCache policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-disknvcache.md#admx-disknvcache-bootresumepolicy" id="admx-disknvcache-bootresumepolicy">ADMX_DiskNVCache/BootResumePolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-disknvcache.md#admx-disknvcache-featureoffpolicy" id="admx-disknvcache-featureoffpolicy">ADMX_DiskNVCache/FeatureOffPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-disknvcache.md#admx-disknvcache-solidstatepolicy" id="admx-disknvcache-solidstatepolicy">ADMX_DiskNVCache/SolidStatePolicy</a>
-  </dd>
-<dl>
-
-### ADMX_DiskQuota policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_removablemedia" id="admx-diskquota-dq_removablemedia">ADMX_DiskQuota/DQ_RemovableMedia</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_enable" id="admx-diskquota-dq_enable">ADMX_DiskQuota/DQ_Enable</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_enforce" id="admx-diskquota-dq_enforce">ADMX_DiskQuota/DQ_Enforce</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverlimit" id="admx-diskquota-dq_logeventoverlimit">ADMX_DiskQuota/DQ_LogEventOverLimit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_logeventoverthreshold" id="admx-diskquota-dq_logeventoverthreshold">ADMX_DiskQuota/DQ_LogEventOverThreshold</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-diskquota.md#admx-diskquota-dq_limit" id="admx-diskquota-dq_limit">ADMX_DiskQuota/DQ_Limit</a>
-  </dd>
-<dl>
-
-### ADMX_DistributedLinkTracking policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-distributedlinktracking.md#admx-distributedlinktracking-dlt_allowdomainmode" id="admx-distributedlinktracking-dlt_allowdomainmode">ADMX_DistributedLinkTracking/DLT_AllowDomainMode</a>
-  </dd>
-</dl>
-
-
-### ADMX_DnsClient policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries" id="admx-dnsclient-dns-allowfqdnnetbiosqueries">ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname" id="admx-dnsclient-dns-appendtomultilabelname">ADMX_DnsClient/DNS_AppendToMultiLabelName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain" id="admx-dnsclient-dns-domain">ADMX_DnsClient/DNS_Domain</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel" id="admx-dnsclient-dns-domainnamedevolutionlevel">ADMX_DnsClient/DNS_DomainNameDevolutionLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding" id="admx-dnsclient-dns-idnencoding">ADMX_DnsClient/DNS_IdnEncoding</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping" id="admx-dnsclient-dns-idnmapping">ADMX_DnsClient/DNS_IdnMapping</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver" id="admx-dnsclient-dns-nameserver">ADMX_DnsClient/DNS_NameServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns" id="admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns">ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix" id="admx-dnsclient-dns-primarydnssuffix">ADMX_DnsClient/DNS_PrimaryDnsSuffix</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername" id="admx-dnsclient-dns-registeradaptername">ADMX_DnsClient/DNS_RegisterAdapterName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup" id="admx-dnsclient-dns-registerreverselookup">ADMX_DnsClient/DNS_RegisterReverseLookup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled" id="admx-dnsclient-dns-registrationenabled">ADMX_DnsClient/DNS_RegistrationEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict" id="admx-dnsclient-dns-registrationoverwritesinconflict">ADMX_DnsClient/DNS_RegistrationOverwritesInConflict</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval" id="admx-dnsclient-dns-registrationrefreshinterval">ADMX_DnsClient/DNS_RegistrationRefreshInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl" id="admx-dnsclient-dns-registrationttl">ADMX_DnsClient/DNS_RegistrationTtl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist" id="admx-dnsclient-dns-searchlist">ADMX_DnsClient/DNS_SearchList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution" id="admx-dnsclient-dns-smartmultihomednameresolution">ADMX_DnsClient/DNS_SmartMultiHomedNameResolution</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder" id="admx-dnsclient-dns-smartprotocolreorder">ADMX_DnsClient/DNS_SmartProtocolReorder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel" id="admx-dnsclient-dns-updatesecuritylevel">ADMX_DnsClient/DNS_UpdateSecurityLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones" id="admx-dnsclient-dns-updatetopleveldomainzones">ADMX_DnsClient/DNS_UpdateTopLevelDomainZones</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution" id="admx-dnsclient-dns-usedomainnamedevolution">ADMX_DnsClient/DNS_UseDomainNameDevolution</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast" id="admx-dnsclient-turn-off-multicast">ADMX_DnsClient/Turn_Off_Multicast</a>
-  </dd>
-</dl>
-
-### ADMX_DWM policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1" id="admx-dwm-dwmdefaultcolorizationcolor-1">ADMX_DWM/DwmDefaultColorizationColor_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-2" id="admx-dwm-dwmdefaultcolorizationcolor-2">ADMX_DWM/DwmDefaultColorizationColor_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-1" id="admx-dwm-dwmdisallowanimations-1">ADMX_DWM/DwmDisallowAnimations_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2" id="admx-dwm-dwmdisallowanimations-2">ADMX_DWM/DwmDisallowAnimations_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1" id="admx-dwm-dwmdisallowcolorizationcolorchanges-1">ADMX_DWM/DwmDisallowColorizationColorChanges_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2" id="admx-dwm-dwmdisallowcolorizationcolorchanges-2">ADMX_DWM/DwmDisallowColorizationColorChanges_2</a>
-  </dd>
-</dl>
-
-### ADMX_EAIME policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist" id="">ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion" id="">ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary" id="admx-eaime-l-turnoffcustomdictionary">ADMX_EAIME/L_TurnOffCustomDictionary</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput" id="admx-eaime-l-turnoffhistorybasedpredictiveinput">ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration" id="admx-eaime-l-turnoffinternetsearchintegration">ADMX_EAIME/L_TurnOffInternetSearchIntegration</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary" id="admx-eaime-l-turnoffopenextendeddictionary">ADMX_EAIME/L_TurnOffOpenExtendedDictionary</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile" id="admx-eaime-l-turnoffsavingautotuningdatatofile">ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate" id="admx-eaime-l-turnoncloudcandidate">ADMX_EAIME/L_TurnOnCloudCandidate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs" id="admx-eaime-l-turnoncloudcandidatechs">ADMX_EAIME/L_TurnOnCloudCandidateCHS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate" id="admx-eaime-l-turnonlexiconupdate">ADMX_EAIME/L_TurnOnLexiconUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers" id="admx-eaime-l-turnonlivestickers">ADMX_EAIME/L_TurnOnLiveStickers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport" id="admx-eaime-l-turnonmisconversionloggingformisconversionreport">ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport</a>
-  </dd>
-</dl>
-
-### ADMX_EncryptFilesonMove policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove" id="admx-encryptfilesonmove-noencryptonmove">ADMX_EncryptFilesonMove/NoEncryptOnMove</a>
-  </dd>
-</dl>
-
-### ADMX_EventLogging policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-eventlogging.md#admx-eventlogging-enableprotectedeventlogging" id="admx-eventlogging-enableprotectedeventlogging">ADMX_EventLogging/EnableProtectedEventLogging</a>
-  </dd>
-</dl>
-
-### ADMX_EnhancedStorage policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices" id="admx-enhancedstorage-approvedenstordevices">ADMX_EnhancedStorage/ApprovedEnStorDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos" id="admx-enhancedstorage-approvedsilos">ADMX_EnhancedStorage/ApprovedSilos</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication" id="admx-enhancedstorage-disablepasswordauthentication">ADMX_EnhancedStorage/DisablePasswordAuthentication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices" id="admx-enhancedstorage-disallowlegacydiskdevices">ADMX_EnhancedStorage/DisallowLegacyDiskDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock" id="admx-enhancedstorage-lockdeviceonmachinelock">ADMX_EnhancedStorage/LockDeviceOnMachineLock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices" id="admx-enhancedstorage-roothubconnectedenstordevices">ADMX_EnhancedStorage/RootHubConnectedEnStorDevices</a>
-  </dd>
-</dl>
-
-### ADMX_ErrorReporting policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef" id="admx-errorreporting-pch-allornonedef">ADMX_ErrorReporting/PCH_AllOrNoneDef</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex" id="admx-errorreporting-pch-allornoneex">ADMX_ErrorReporting/PCH_AllOrNoneEx</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc" id="admx-errorreporting-pch-allornoneinc">ADMX_ErrorReporting/PCH_AllOrNoneInc</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport" id="admx-errorreporting-pch-configurereport">ADMX_ErrorReporting/PCH_ConfigureReport</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults" id="admx-errorreporting-pch-reportoperatingsystemfaults">ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1" id="admx-errorreporting-werarchive-1">ADMX_ErrorReporting/WerArchive_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2" id="admx-errorreporting-werarchive-2">ADMX_ErrorReporting/WerArchive_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1" id="admx-errorreporting-werautoapproveosdumps-1">ADMX_ErrorReporting/WerAutoApproveOSDumps_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2" id="admx-errorreporting-werautoapproveosdumps-2">ADMX_ErrorReporting/WerAutoApproveOSDumps_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1" id="admx-errorreporting-werbypassdatathrottling-1">ADMX_ErrorReporting/WerBypassDataThrottling_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2" id="admx-errorreporting-werbypassdatathrottling-2">ADMX_ErrorReporting/WerBypassDataThrottling_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1" id="admx-errorreporting-werbypassnetworkcostthrottling-1">ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2" id="admx-errorreporting-werbypassnetworkcostthrottling-2">ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1" id="admx-errorreporting-werbypasspowerthrottling-1">ADMX_ErrorReporting/WerBypassPowerThrottling_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2" id="admx-errorreporting-werbypasspowerthrottling-2">ADMX_ErrorReporting/WerBypassPowerThrottling_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer" id="admx-errorreporting-wercer">ADMX_ErrorReporting/WerCER</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1" id="admx-errorreporting-werconsentcustomize-1">ADMX_ErrorReporting/WerConsentCustomize_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1" id="admx-errorreporting-werconsentoverride-1">ADMX_ErrorReporting/WerConsentOverride_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2" id="admx-errorreporting-werconsentoverride-2">ADMX_ErrorReporting/WerConsentOverride_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1" id="admx-errorreporting-werdefaultconsent-1">ADMX_ErrorReporting/WerDefaultConsent_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2" id="admx-errorreporting-werdefaultconsent-2">ADMX_ErrorReporting/WerDefaultConsent_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1" id="admx-errorreporting-werdisable-1">ADMX_ErrorReporting/WerDisable_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1" id="admx-errorreporting-werexlusion-1">ADMX_ErrorReporting/WerExlusion_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2" id="admx-errorreporting-werexlusion-2">ADMX_ErrorReporting/WerExlusion_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1" id="admx-errorreporting-wernologging-1">ADMX_ErrorReporting/WerNoLogging_1</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2" id="admx-errorreporting-wernologging-2">ADMX_ErrorReporting/WerNoLogging_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1" id="admx-errorreporting-wernosecondleveldata-1">ADMX_ErrorReporting/WerNoSecondLevelData_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1" id="admx-errorreporting-werqueue-1">ADMX_ErrorReporting/WerQueue_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2" id="admx-errorreporting-werqueue-2">ADMX_ErrorReporting/WerQueue_2</a>
-  </dd>
-</dl>
-
-### ADMX_EventForwarding policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage" id="admx_eventforwarding-forwarderresourceusage">ADMX_EventForwarding/ForwarderResourceUsage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager" id="admx_eventforwarding-subscriptionmanager">ADMX_EventForwarding/SubscriptionManager</a>
-  </dd>
-</dl>
-
-### ADMX_EventLog policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled" id="admx-eventlog-channel-logenabled">ADMX_EventLog/Channel_LogEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1" id="admx-eventlog-channel-logfilepath-1">ADMX_EventLog/Channel_LogFilePath_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2" id="admx-eventlog-channel-logfilepath-2">ADMX_EventLog/Channel_LogFilePath_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3" id="admx-eventlog-channel-logfilepath-3">ADMX_EventLog/Channel_LogFilePath_3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4" id="admx-eventlog-channel-logfilepath-4">ADMX_EventLog/Channel_LogFilePath_4</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3" id="admx-eventlog-channel-logmaxsize-3">ADMX_EventLog/Channel_LogMaxSize_3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1" id="admx-eventlog-channel-log-autobackup-1">ADMX_EventLog/Channel_Log_AutoBackup_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2" id="admx-eventlog-channel-log-autobackup-2">ADMX_EventLog/Channel_Log_AutoBackup_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3" id="admx-eventlog-channel-log-autobackup-3">ADMX_EventLog/Channel_Log_AutoBackup_3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4" id="admx-eventlog-channel-log-autobackup-4">ADMX_EventLog/Channel_Log_AutoBackup_4</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1" id="admx-eventlog-channel-log-filelogaccess-1">ADMX_EventLog/Channel_Log_FileLogAccess_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2" id="admx-eventlog-channel-log-filelogaccess-2">ADMX_EventLog/Channel_Log_FileLogAccess_2</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3" id="admx-eventlog-channel-log-filelogaccess-3">ADMX_EventLog/Channel_Log_FileLogAccess_3</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4" id="admx-eventlog-channel-log-filelogaccess-4">ADMX_EventLog/Channel_Log_FileLogAccess_4</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5" id="admx-eventlog-channel-log-filelogaccess-5">ADMX_EventLog/Channel_Log_FileLogAccess_5</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6" id="admx-eventlog-channel-log-filelogaccess-6">ADMX_EventLog/Channel_Log_FileLogAccess_6</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7" id="admx-eventlog-channel-log-filelogaccess-7">ADMX_EventLog/Channel_Log_FileLogAccess_7</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8" id="admx-eventlog-channel-log-filelogaccess-8">ADMX_EventLog/Channel_Log_FileLogAccess_8</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2" id="admx-eventlog-channel-log-retention-2">ADMX_EventLog/Channel_Log_Retention_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3" id="admx-eventlog-channel-log-retention-3">ADMX_EventLog/Channel_Log_Retention_3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4" id="admx-eventlog-channel-log-retention-4">ADMX_EventLog/Channel_Log_Retention_4</a>
-  </dd>
-</dl>
-
-### ADMX_EventViewer policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogram" id="admx-eventviewer-eventviewer_redirectionprogram">ADMX_EventViewer/EventViewer_RedirectionProgram</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters" id="admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters">ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionurl" id="admx-eventviewer-eventviewer_redirectionurl">ADMX_EventViewer/EventViewer_RedirectionURL</a>
-  <dd>
-
-### ADMX_Explorer policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-explorer.md#admx-explorer-admininfourl" id="admx-explorer-admininfourl">ADMX_Explorer/AdminInfoUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu" id="admx-explorer-alwaysshowclassicmenu">ADMX_Explorer/AlwaysShowClassicMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit" id="admx-explorer-disableroamedprofileinit">ADMX_Explorer/DisableRoamedProfileInit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder" id="admx-explorer-preventitemcreationinusersfilesfolder">ADMX_Explorer/PreventItemCreationInUsersFilesFolder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations" id="admx-explorer-turnoffspianimations">ADMX_Explorer/TurnOffSPIAnimations</a>
-  </dd>
-</dl>
-
-### ADMX_ExternalBoot policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate" id="admx-externalboot-portableoperatingsystem_hibernate">ADMX_ExternalBoot/PortableOperatingSystem_Hibernate</a>
-  </dd>
-    <a href="./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep" id="admx-externalboot-portableoperatingsystem_sleep">ADMX_ExternalBoot/PortableOperatingSystem_Sleep</a>
-  </dd>
-  </dd>
-    <a href="./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher" id="admx-externalboot-portableoperatingsystem_launcher">ADMX_ExternalBoot/PortableOperatingSystem_Launcher</a>
-  </dd>
-<dl>
-
-### ADMX_FileRecovery policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy" id="admx-filerecovery-wdiscenarioexecutionpolicy">ADMX_FileRecovery/WdiScenarioExecutionPolicy</a>
-  </dd>
-</dl>
-
-### ADMX_FileRevocation policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-filerevocation.md#admx-filerevocation-delegatedpackagefamilynames" id="admx-filerevocation-delegatedpackagefamilynames">ADMX_FileRevocation/DelegatedPackageFamilyNames</a>
-  </dd>
-</dl>
-
-### ADMX_FileServerVSSProvider policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol" id="admx-fileservervssprovider-pol-encryptprotocol">ADMX_FileServerVSSProvider/Pol_EncryptProtocol</a>
-  </dd>
-</dl>
-
-### ADMX_FileSys policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-disablecompression" id="admx-filesys-disablecompression">ADMX_FileSys/DisableCompression</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification" id="admx-filesys-disabledeletenotification">ADMX_FileSys/DisableDeleteNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-disableencryption" id="admx-filesys-disableencryption">ADMX_FileSys/DisableEncryption</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption" id="admx-filesys-enablepagefileencryption">ADMX_FileSys/EnablePagefileEncryption</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled" id="admx-filesys-longpathsenabled">ADMX_FileSys/LongPathsEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings" id="admx-filesys-shortnamecreationsettings">ADMX_FileSys/ShortNameCreationSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-symlinkevaluation" id="admx-filesys-symlinkevaluation">ADMX_FileSys/SymlinkEvaluation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-filesys.md#admx-filesys-txfdeprecatedfunctionality" id="admx-filesys-txfdeprecatedfunctionality">ADMX_FileSys/TxfDeprecatedFunctionality</a>
-  </dd>
-</dl>
-
-### ADMX_FolderRedirection policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpin" id="admx-folderredirection-disablefradminpin">ADMX_FolderRedirection/DisableFRAdminPin</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpinbyfolder" id="admx-folderredirection-disablefradminpinbyfolder">ADMX_FolderRedirection/DisableFRAdminPinByFolder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-folderredirection.md#admx-folderredirection-folderredirectionenablecacherename" id="admx-folderredirection-folderredirectionenablecacherename">ADMX_FolderRedirection/FolderRedirectionEnableCacheRename</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-1" id="admx-folderredirection-localizexprelativepaths-1">ADMX_FolderRedirection/LocalizeXPRelativePaths_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2" id="admx-folderredirection-localizexprelativepaths-2">ADMX_FolderRedirection/LocalizeXPRelativePaths_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1" id="admx-folderredirection-primarycomputer-fr-1">ADMX_FolderRedirection/PrimaryComputer_FR_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2" id="admx-folderredirection-primarycomputer-fr-2">ADMX_FolderRedirection/PrimaryComputer_FR_2</a>
-  </dd>
-</dl>
-
-### ADMX_FramePanes policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane" id="admx-framepanes-noreadingpane">ADMX_FramePanes/NoReadingPane</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane" id="admx-framepanes-nopreviewpane">ADMX_FramePanes/NoPreviewPane</a>
-  </dd>
-<dl>
-
-### ADMX_FTHSVC policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy" id="admx-fthsvc-wdiscenarioexecutionpolicy">ADMX_FTHSVC/WdiScenarioExecutionPolicy</a>
-  </dd>
-<dl>
-
-### ADMX_Help policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-help.md#admx-help-disablehhdep" id="admx-help-disablehhdep">ADMX_Help/DisableHHDEP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp" id="admx-help-helpqualifiedrootdir-comp">ADMX_Help/HelpQualifiedRootDir_Comp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-help.md#admx-help-restrictrunfromhelp" id="admx-help-restrictrunfromhelp">ADMX_Help/RestrictRunFromHelp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-help.md#admx-help-restrictrunfromhelp-comp" id="admx-help-restrictrunfromhelp-comp">ADMX_Help/RestrictRunFromHelp_Comp</a>
-  </dd>
-</dl>
-
-### ADMX_HotSpotAuth policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-hotspotauth.md#admx-hotspotauth-hotspotauth_enable" id="admx-hotspotauth-hotspotauth_enable">ADMX_HotSpotAuth/HotspotAuth_Enable</a>
-  </dd>
-</dl>
-
-### ADMX_Globalization policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin" id="admx-globalization-blockuserinputmethodsforsignin">ADMX_Globalization/BlockUserInputMethodsForSignIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1" id="admx-globalization-customlocalesnoselect-1">ADMX_Globalization/CustomLocalesNoSelect_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2" id="admx-globalization-customlocalesnoselect-2">ADMX_Globalization/CustomLocalesNoSelect_2</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-hideadminoptions" id="admx-globalization-hideadminoptions">ADMX_Globalization/HideAdminOptions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-hidecurrentlocation" id="admx-globalization-hidecurrentlocation">ADMX_Globalization/HideCurrentLocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-hidelanguageselection" id="admx-globalization-hidelanguageselection">ADMX_Globalization/HideLanguageSelection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-hidelocaleselectandcustomize" id="admx-globalization-hidelocaleselectandcustomize">ADMX_Globalization/HideLocaleSelectAndCustomize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-1" id="admx-globalization-implicitdatacollectionoff-1">ADMX_Globalization/ImplicitDataCollectionOff_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-2" id="admx-globalization-implicitdatacollectionoff-2">ADMX_Globalization/ImplicitDataCollectionOff_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-localesystemrestrict" id="admx-globalization-localesystemrestrict">ADMX_Globalization/LocaleSystemRestrict</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-1" id="admx-globalization-localeuserrestrict-1">ADMX_Globalization/LocaleUserRestrict_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-2" id="admx-globalization-localeuserrestrict-2">ADMX_Globalization/LocaleUserRestrict_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-lockmachineuilanguage" id="admx-globalization-lockmachineuilanguage">ADMX_Globalization/LockMachineUILanguage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-lockuseruilanguage" id="admx-globalization-lockuseruilanguage">ADMX_Globalization/LockUserUILanguage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-1" id="admx-globalization-preventgeoidchange-1">ADMX_Globalization/PreventGeoIdChange_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-2" id="admx-globalization-preventgeoidchange-2">ADMX_Globalization/PreventGeoIdChange_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-1" id="admx-globalization-preventuseroverrides-1">ADMX_Globalization/PreventUserOverrides_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-2" id="admx-globalization-preventuseroverrides-2">ADMX_Globalization/PreventUserOverrides_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-restrictuilangselect" id="admx-globalization-restrictuilangselect">ADMX_Globalization/RestrictUILangSelect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-turnoffautocorrectmisspelledwords" id="admx-globalization-turnoffautocorrectmisspelledwords">ADMX_Globalization/TurnOffAutocorrectMisspelledWords</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-turnoffhighlightmisspelledwords" id="admx-globalization-turnoffhighlightmisspelledwords">ADMX_Globalization/TurnOffHighlightMisspelledWords</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-turnoffinsertspace" id="admx-globalization-turnoffinsertspace">ADMX_Globalization/TurnOffInsertSpace</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-turnoffoffertextpredictions" id="admx-globalization-turnoffoffertextpredictions">ADMX_Globalization/TurnOffOfferTextPredictions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-globalization.md#admx-globalization-y2k" id="admx-globalization-y2k">ADMX_Globalization/Y2K</a>
-  </dd>
-</dl>
-
-### ADMX_GroupPolicy policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-allowx-forestpolicy-and-rup" id="admx-grouppolicy-allowx-forestpolicy-and-rup">ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-appmgmt" id="admx-grouppolicy-cse-appmgmt">ADMX_GroupPolicy/CSE_AppMgmt</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-diskquota" id="admx-grouppolicy-cse-diskquota">ADMX_GroupPolicy/CSE_DiskQuota</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-efsrecovery" id="admx-grouppolicy-cse-efsrecovery">ADMX_GroupPolicy/CSE_EFSRecovery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-folderredirection" id="admx-grouppolicy-cse-folderredirection">ADMX_GroupPolicy/CSE_FolderRedirection</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-iem" id="admx-grouppolicy-cse-iem">ADMX_GroupPolicy/CSE_IEM</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-ipsecurity" id="admx-grouppolicy-cse-ipsecurity">ADMX_GroupPolicy/CSE_IPSecurity</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-registry" id="admx-grouppolicy-cse-registry">ADMX_GroupPolicy/CSE_Registry</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-scripts" id="admx-grouppolicy-cse-scripts">ADMX_GroupPolicy/CSE_Scripts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-security" id="admx-grouppolicy-cse-security">ADMX_GroupPolicy/CSE_Security</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wired" id="admx-grouppolicy-cse-wired">ADMX_GroupPolicy/CSE_Wired</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wireless" id="admx-grouppolicy-cse-wireless">ADMX_GroupPolicy/CSE_Wireless</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-corpconnsyncwaittime" id="admx-grouppolicy-corpconnsyncwaittime">ADMX_GroupPolicy/CorpConnSyncWaitTime</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-1" id="admx-grouppolicy-denyrsoptointeractiveuser-1">ADMX_GroupPolicy/DenyRsopToInteractiveUser_1</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-2" id="admx-grouppolicy-denyrsoptointeractiveuser-2">ADMX_GroupPolicy/DenyRsopToInteractiveUser_2</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableaoacprocessing" id="admx-grouppolicy-disableaoacprocessing">ADMX_GroupPolicy/DisableAOACProcessing</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableautoadmupdate" id="admx-grouppolicy-disableautoadmupdate">ADMX_GroupPolicy/DisableAutoADMUpdate</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablebackgroundpolicy" id="admx-grouppolicy-disablebackgroundpolicy">ADMX_GroupPolicy/DisableBackgroundPolicy</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablelgpoprocessing" id="admx-grouppolicy-disablelgpoprocessing">ADMX_GroupPolicy/DisableLGPOProcessing</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableusersfrommachgp" id="admx-grouppolicy-disableusersfrommachgp">ADMX_GroupPolicy/DisableUsersFromMachGP</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablecdp" id="admx-grouppolicy-enablecdp">ADMX_GroupPolicy/EnableCDP</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimization" id="admx-grouppolicy-enablelogonoptimization">ADMX_GroupPolicy/EnableLogonOptimization</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimizationonserversku" id="admx-grouppolicy-enablelogonoptimizationonserversku">ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablemmx" id="admx-grouppolicy-enablemmx">ADMX_GroupPolicy/EnableMMX</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enforcepoliciesonly" id="admx-grouppolicy-enforcepoliciesonly">ADMX_GroupPolicy/EnforcePoliciesOnly</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-fontmitigation" id="admx-grouppolicy-fontmitigation">ADMX_GroupPolicy/FontMitigation</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gpdcoptions" id="admx-grouppolicy-gpdcoptions">ADMX_GroupPolicy/GPDCOptions</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-1" id="admx-grouppolicy-gptransferrate-1">ADMX_GroupPolicy/GPTransferRate_1</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-2" id="admx-grouppolicy-gptransferrate-2">ADMX_GroupPolicy/GPTransferRate_2</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrate" id="admx-grouppolicy-grouppolicyrefreshrate">ADMX_GroupPolicy/GroupPolicyRefreshRate</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshratedc" id="admx-grouppolicy-grouppolicyrefreshratedc">ADMX_GroupPolicy/GroupPolicyRefreshRateDC</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrateuser" id="admx-grouppolicy-grouppolicyrefreshrateuser">ADMX_GroupPolicy/GroupPolicyRefreshRateUser</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-logonscriptdelay" id="admx-grouppolicy-logonscriptdelay">ADMX_GroupPolicy/LogonScriptDelay</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpodisplayname" id="admx-grouppolicy-newgpodisplayname">ADMX_GroupPolicy/NewGPODisplayName</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpolinksdisabled" id="admx-grouppolicy-newgpolinksdisabled">ADMX_GroupPolicy/NewGPOLinksDisabled</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-onlyuselocaladminfiles" id="admx-grouppolicy-onlyuselocaladminfiles">ADMX_GroupPolicy/OnlyUseLocalAdminFiles</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-processmitigationoptions" id="admx-grouppolicy-processmitigationoptions">ADMX_GroupPolicy/ProcessMitigationOptions</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-rsoplogging" id="admx-grouppolicy-rsoplogging">ADMX_GroupPolicy/RSoPLogging</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy" id="admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy">ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaultfordirectaccess" id="admx-grouppolicy-slowlinkdefaultfordirectaccess">ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaulttoasync" id="admx-grouppolicy-slowlinkdefaulttoasync">ADMX_GroupPolicy/SlowlinkDefaultToAsync</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-syncwaittime" id="admx-grouppolicy-syncwaittime">ADMX_GroupPolicy/SyncWaitTime</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-admx-grouppolicy.md#admx-grouppolicy-userpolicymode" id="admx-grouppolicy-userpolicymode">ADMX_GroupPolicy/UserPolicyMode</a>
-  </dd>
-</dl>
-
-### ADMX_HelpAndSupport policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-helpandsupport.md#admx-helpandsupport-activehelp" id="admx-helpandsupport-activehelp">ADMX_HelpAndSupport/ActiveHelp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback" id="admx-helpandsupport-hpexplicitfeedback">ADMX_HelpAndSupport/HPExplicitFeedback</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback" id="admx-helpandsupport-hpimplicitfeedback">ADMX_HelpAndSupport/HPImplicitFeedback</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance" id="admx-helpandsupport-hponlineassistance">ADMX_HelpAndSupport/HPOnlineAssistance</a>
-  </dd>
-</dl>
-
-
-## ADMX_ICM policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-ceipenable" id="admx-icm-ceipenable">ADMX_ICM/CEIPEnable</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-certmgr-disableautorootupdates" id="admx-icm-certmgr-disableautorootupdates">ADMX_ICM/CertMgr_DisableAutoRootUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-disablehttpprinting-1" id="admx-icm-disablehttpprinting-1">ADMX_ICM/DisableHTTPPrinting_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-disablewebpnpdownload-1" id="admx-icm-disablewebpnpdownload-1">ADMX_ICM/DisableWebPnPDownload_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-driversearchplaces-dontsearchwindowsupdate" id="admx-icm-driversearchplaces-dontsearchwindowsupdate">ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-eventviewer-disablelinks" id="admx-icm-eventviewer-disablelinks">ADMX_ICM/EventViewer_DisableLinks</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-hss-headlinespolicy" id="admx-icm-hss-headlinespolicy">ADMX_ICM/HSS_HeadlinesPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-hss-kbsearchpolicy" id="admx-icm-hss-kbsearchpolicy">ADMX_ICM/HSS_KBSearchPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-1" id="admx-icm-internetmanagement-restrictcommunication-1">ADMX_ICM/InternetManagement_RestrictCommunication_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-2" id="admx-icm-internetmanagement-restrictcommunication-2">ADMX_ICM/InternetManagement_RestrictCommunication_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-nc-exitonisp" id="admx-icm-nc-exitonisp">ADMX_ICM/NC_ExitOnISP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-nc-noregistration" id="admx-icm-nc-noregistration">ADMX_ICM/NC_NoRegistration</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-pch-donotreport" id="admx-icm-pch-donotreport">ADMX_ICM/PCH_DoNotReport</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-removewindowsupdate-icm" id="admx-icm-removewindowsupdate-icm">ADMX_ICM/RemoveWindowsUpdate_ICM</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-searchcompanion-disablefileupdates" id="admx-icm-searchcompanion-disablefileupdates">ADMX_ICM/SearchCompanion_DisableFileUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-1" id="admx-icm-shellnouseinternetopenwith-1">ADMX_ICM/ShellNoUseInternetOpenWith_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-2" id="admx-icm-shellnouseinternetopenwith-2">ADMX_ICM/ShellNoUseInternetOpenWith_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-1" id="admx-icm-shellnousestoreopenwith-1">ADMX_ICM/ShellNoUseStoreOpenWith_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-2" id="admx-icm-shellnousestoreopenwith-2">ADMX_ICM/ShellNoUseStoreOpenWith_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellpreventwpwdownload-1" id="admx-icm-shellpreventwpwdownload-1">ADMX_ICM/ShellPreventWPWDownload_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-1" id="admx-icm-shellremoveorderprints-1">ADMX_ICM/ShellRemoveOrderPrints_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-2" id="admx-icm-shellremoveorderprints-2">ADMX_ICM/ShellRemoveOrderPrints_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-1" id="admx-icm-shellremovepublishtoweb-1">ADMX_ICM/ShellRemovePublishToWeb_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2" id="admx-icm-shellremovepublishtoweb-2">ADMX_ICM/ShellRemovePublishToWeb_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1" id="admx-icm-winmsg_noinstrumentation-1">ADMX_ICM/WinMSG_NoInstrumentation_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2" id="admx-icm-winmsg_noinstrumentation-2">ADMX_ICM/WinMSG_NoInstrumentation_2</a>
-  </dd>
-</dl>
-
-### ADMX_IIS policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-iis.md#admx-iis-preventiisinstall
-" id="admx-iis-preventiisinstall
-">ADMX_IIS/PreventIISInstall</a>
-  </dd>
-<dl>
-
-### ADMX_iSCSI policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_restrictadditionallogins
-" id="admx-iscsi-iscsigeneral_restrictadditionallogins
-">ADMX_iSCSI/iSCSIGeneral_RestrictAdditionalLogins</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-iscsi.md#admx-iscsi-iscsigeneral_changeiqnname
-" id="admx-iscsi-iscsigeneral_changeiqnname
-">ADMX_iSCSI/iSCSIGeneral_ChangeIQNName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-iscsi.md#admx-iscsi-iscsisecurity_changechapsecret
-" id="admx-iscsi-iscsisecurity_changechapsecret
-">ADMX_iSCSI/iSCSISecurity_ChangeCHAPSecret</a>
-  </dd>
-<dl>
-
-### ADMX_kdc policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor" id="admx-kdc-cbacandarmor">ADMX_kdc/CbacAndArmor</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kdc.md#admx-kdc-forestsearch" id="admx-kdc-forestsearch">ADMX_kdc/ForestSearch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness" id="admx-kdc-pkinitfreshness">ADMX_kdc/PKINITFreshness</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid" id="admx-kdc-requestcompoundid">ADMX_kdc/RequestCompoundId</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold" id="admx-kdc-ticketsizethreshold">ADMX_kdc/TicketSizeThreshold</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kdc.md#admx-kdc-emitlili" id="admx-kdc-emitlili">ADMX_kdc/emitlili</a>
-  </dd>
-</dl>
-
-### ADMX_Kerberos policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid" id="admx-kerberos-alwayssendcompoundid">ADMX_Kerberos/AlwaysSendCompoundId</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled" id="admx-kerberos-devicepkinitenabled">ADMX_Kerberos/DevicePKInitEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm" id="admx-kerberos-hosttorealm">ADMX_Kerberos/HostToRealm</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck" id="admx-kerberos-kdcproxydisableserverrevocationcheck">ADMX_Kerberos/KdcProxyDisableServerRevocationCheck</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver" id="admx-kerberos-kdcproxyserver">ADMX_Kerberos/KdcProxyServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms" id="admx-kerberos-mitrealms">ADMX_Kerberos/MitRealms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound" id="admx-kerberos-serveracceptscompound">ADMX_Kerberos/ServerAcceptsCompound</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget" id="admx-kerberos-stricttarget">ADMX_Kerberos/StrictTarget</a>
-  </dd>
-</dl>
-
-### ADMX_LanmanServer policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder" id="admx-lanmanserver-pol-ciphersuiteorder">ADMX_LanmanServer/Pol_CipherSuiteOrder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication" id="admx-lanmanserver-pol-hashpublication">ADMX_LanmanServer/Pol_HashPublication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion" id="admx-lanmanserver-pol-hashsupportversion">ADMX_LanmanServer/Pol_HashSupportVersion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder" id="admx-lanmanserver-pol-honorciphersuiteorder">ADMX_LanmanServer/Pol_HonorCipherSuiteOrder</a>
-  </dd>
-</dl>
-
-### ADMX_LanmanWorkstation policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder" id="admx-lanmanworkstation-pol-ciphersuiteorder">ADMX_LanmanWorkstation/Pol_CipherSuiteOrder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles" id="admx-lanmanworkstation-pol-enablehandlecachingforcafiles">ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares" id="admx-lanmanworkstation-pol-enableofflinefilesforcashares">ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares</a>
-  </dd>
-</dl>
-
-### ADMX_LeakDiagnostic policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy" id="admx-leakdiagnostic-wdiscenarioexecutionpolicy">ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy</a>
-  </dd>
-<dl>
-
-### ADMX_LinkLayerTopologyDiscovery policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio" id="admx-linklayertopologydiscovery-lltd-enablelltdio">ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr" id="admx-linklayertopologydiscovery-lltd-enablerspndr">ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr</a>
-  </dd>
-</dl>
-
-### ADMX_LocationProviderAdm policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1" id="admx-locationprovideradm-disablewindowslocationprovider_1">ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin</a>
-  </dd>
-<dl>
-
-### ADMX_Logon policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin" id="admx-logon-blockuserfromshowingaccountdetailsonsignin">ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon" id="admx-logon-disableacrylicbackgroundonlogon">ADMX_Logon/DisableAcrylicBackgroundOnLogon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1" id="admx-logon-disableexplorerrunlegacy-1">ADMX_Logon/DisableExplorerRunLegacy_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-2" id="admx-logon-disableexplorerrunlegacy-2">ADMX_Logon/DisableExplorerRunLegacy_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-1" id="admx-logon-disableexplorerrunoncelegacy-1">ADMX_Logon/DisableExplorerRunOnceLegacy_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-2" id="admx-logon-disableexplorerrunoncelegacy-2">ADMX_Logon/DisableExplorerRunOnceLegacy_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-disablestatusmessages" id="admx-logon-disablestatusmessages">ADMX_Logon/DisableStatusMessages</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-dontenumerateconnectedusers" id="admx-logon-dontenumerateconnectedusers">ADMX_Logon/DontEnumerateConnectedUsers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-nowelcometips-1" id="admx-logon-nowelcometips-1">ADMX_Logon/NoWelcomeTips_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-nowelcometips-2" id="admx-logon-nowelcometips-2">ADMX_Logon/NoWelcomeTips_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-run-1" id="admx-logon-run-1">ADMX_Logon/Run_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-run-2" id="admx-logon-run-2">ADMX_Logon/Run_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-syncforegroundpolicy" id="admx-logon-syncforegroundpolicy">ADMX_Logon/SyncForegroundPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-useoembackground" id="admx-logon-useoembackground">ADMX_Logon/UseOEMBackground</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-logon.md#admx-logon-verbosestatus" id="admx-logon-verbosestatus">ADMX_Logon/VerboseStatus</a>
-  </dd>
-</dl>
-
-### ADMX_MicrosoftDefenderAntivirus policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup" id="admx-microsoftdefenderantivirus-allowfastservicestartup">ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender" id="admx-microsoftdefenderantivirus-disableantispywaredefender">ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions" id="admx-microsoftdefenderantivirus-disableautoexclusions">ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen" id="admx-microsoftdefenderantivirus-disableblockatfirstseen">ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge" id="admx-microsoftdefenderantivirus-disablelocaladminmerge">ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring" id="admx-microsoftdefenderantivirus-disablerealtimemonitoring">ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction" id="admx-microsoftdefenderantivirus-disableroutinelytakingaction">ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions" id="admx-microsoftdefenderantivirus-exclusions-extensions">ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths" id="admx-microsoftdefenderantivirus-exclusions-paths">ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes" id="admx-microsoftdefenderantivirus-exclusions-processes">ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions" id="admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules" id="admx-microsoftdefenderantivirus-exploitguard-asr-rules">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications" id="admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders" id="admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders">ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation" id="admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation">ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement" id="admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement">ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid" id="admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid">ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition" id="admx-microsoftdefenderantivirus-nis-disableprotocolrecognition">ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass" id="admx-microsoftdefenderantivirus-proxybypass">ADMX_MicrosoftDefenderAntivirus/ProxyBypass</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl" id="admx-microsoftdefenderantivirus-proxypacurl">ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver" id="admx-microsoftdefenderantivirus-proxyserver">ADMX_MicrosoftDefenderAntivirus/ProxyServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay" id="admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay">ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay" id="admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay">ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes" id="admx-microsoftdefenderantivirus-randomizescheduletasktimes">ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring" id="admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification" id="admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable" id="admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize" id="admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection" id="admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection">ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime" id="admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime">ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday" id="admx-microsoftdefenderantivirus-remediation-scan-scheduleday">ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime" id="admx-microsoftdefenderantivirus-remediation-scan-scheduletime">ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout" id="admx-microsoftdefenderantivirus-reporting-additionalactiontimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout" id="admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications" id="admx-microsoftdefenderantivirus-reporting-disableenhancednotifications">ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports" id="admx-microsoftdefenderantivirus-reporting-disablegenericreports">ADMX_MicrosoftDefenderAntivirus/Reporting_Disablegenericreports</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout" id="admx-microsoftdefenderantivirus-reporting-noncriticaltimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout" id="admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout">ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents" id="admx-microsoftdefenderantivirus-reporting-wpptracingcomponents">ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel" id="admx-microsoftdefenderantivirus-reporting-wpptracinglevel">ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause" id="admx-microsoftdefenderantivirus-scan-allowpause">ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth" id="admx-microsoftdefenderantivirus-scan-archivemaxdepth">ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize" id="admx-microsoftdefenderantivirus-scan-archivemaxsize">ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning" id="admx-microsoftdefenderantivirus-scan-disablearchivescanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning" id="admx-microsoftdefenderantivirus-scan-disableemailscanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics" id="admx-microsoftdefenderantivirus-scan-disableheuristics">ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning" id="admx-microsoftdefenderantivirus-scan-disablepackedexescanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning" id="admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning" id="admx-microsoftdefenderantivirus-scan-disablereparsepointscanning">ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint" id="admx-microsoftdefenderantivirus-scan-disablerestorepoint">ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan" id="admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan">ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles" id="admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles">ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor" id="admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters" id="admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday" id="admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime" id="admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime" id="admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime">ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority" id="admx-microsoftdefenderantivirus-scan-lowcpupriority">ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup" id="admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup">ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay" id="admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay">ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval" id="admx-microsoftdefenderantivirus-scan-quickscaninterval">ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle" id="admx-microsoftdefenderantivirus-scan-scanonlyifidle">ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday" id="admx-microsoftdefenderantivirus-scan-scheduleday">ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime" id="admx-microsoftdefenderantivirus-scan-scheduletime">ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive" id="admx-microsoftdefenderantivirus-servicekeepalive">ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue" id="admx-microsoftdefenderantivirus-signatureupdate-assignaturedue">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue" id="admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources" id="admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate" id="admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery" id="admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine" id="admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder" id="admx-microsoftdefenderantivirus-signatureupdate-fallbackorder">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu" id="admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery" id="admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday" id="admx-microsoftdefenderantivirus-signatureupdate-scheduleday">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime" id="admx-microsoftdefenderantivirus-signatureupdate-scheduletime">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation" id="admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification" id="admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval" id="admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup" id="admx-microsoftdefenderantivirus-signatureupdate-updateonstartup">ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting" id="admx-microsoftdefenderantivirus-spynetreporting">ADMX_MicrosoftDefenderAntivirus/SpynetReporting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting" id="#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting">ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction" id="admx-microsoftdefenderantivirus-threats-threatiddefaultaction">ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring" id="admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress" id="admx-microsoftdefenderantivirus-ux-configuration-notification-suppress">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification" id="admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown" id="admx-microsoftdefenderantivirus-ux-configuration-uilockdown">ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown</a>
-  </dd>
-</dl>
-
-### ADMX_MMC policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol" id="admx-mmc-mmc-activexcontrol">ADMX_MMC/MMC_ActiveXControl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview" id="admx-mmc-mmc-extendview">ADMX_MMC/MMC_ExtendView</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb" id="admx-mmc-mmc-linktoweb">ADMX_MMC/MMC_LinkToWeb</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author" id="admx-mmc-mmc-restrict-author">ADMX_MMC/MMC_Restrict_Author</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins" id="admx-mmc-mmc-restrict-to-permitted-snapins">ADMX_MMC/MMC_Restrict_To_Permitted_Snapins</a>
-  </dd>
-</dl>
-
-### ADMX_MMCSnapins policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-1" id="admx-mmcsnapins-mmc-admcomputers-1">ADMX_MMCSnapins/MMC_ADMComputers_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-2" id="admx-mmcsnapins-mmc-admcomputers-2">ADMX_MMCSnapins/MMC_ADMComputers_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-1" id="admx-mmcsnapins-mmc-admusers-1">ADMX_MMCSnapins/MMC_ADMUsers_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-2" id="admx-mmcsnapins-mmc-admusers-2">ADMX_MMCSnapins/MMC_ADMUsers_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-adsi" id="admx-mmcsnapins-mmc-adsi">ADMX_MMCSnapins/MMC_ADSI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirdomtrusts" id="admx-mmcsnapins-mmc-activedirdomtrusts">ADMX_MMCSnapins/MMC_ActiveDirDomTrusts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirsitesservices" id="admx-mmcsnapins-mmc-activedirsitesservices">ADMX_MMCSnapins/MMC_ActiveDirSitesServices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activediruserscomp" id="admx-mmcsnapins-mmc-activediruserscomp">ADMX_MMCSnapins/MMC_ActiveDirUsersComp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-appletalkrouting" id="admx-mmcsnapins-mmc-appletalkrouting">ADMX_MMCSnapins/MMC_AppleTalkRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-authman" id="admx-mmcsnapins-mmc-authman">ADMX_MMCSnapins/MMC_AuthMan</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauth" id="admx-mmcsnapins-mmc-certauth">ADMX_MMCSnapins/MMC_CertAuth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauthpolset" id="admx-mmcsnapins-mmc-certauthpolset">ADMX_MMCSnapins/MMC_CertAuthPolSet</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certs" id="admx-mmcsnapins-mmc-certs">ADMX_MMCSnapins/MMC_Certs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certstemplate" id="admx-mmcsnapins-mmc-certstemplate">ADMX_MMCSnapins/MMC_CertsTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-componentservices" id="admx-mmcsnapins-mmc-componentservices">ADMX_MMCSnapins/MMC_ComponentServices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-computermanagement" id="admx-mmcsnapins-mmc-computermanagement">ADMX_MMCSnapins/MMC_ComputerManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-connectionsharingnat" id="admx-mmcsnapins-mmc-connectionsharingnat">ADMX_MMCSnapins/MMC_ConnectionSharingNAT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dcomcfg" id="admx-mmcsnapins-mmc-dcomcfg">ADMX_MMCSnapins/MMC_DCOMCFG</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dfs" id="admx-mmcsnapins-mmc-dfs">ADMX_MMCSnapins/MMC_DFS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dhcprelaymgmt" id="admx-mmcsnapins-mmc-dhcprelaymgmt">ADMX_MMCSnapins/MMC_DHCPRelayMgmt</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-1" id="admx-mmcsnapins-mmc-devicemanager-1">ADMX_MMCSnapins/MMC_DeviceManager_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-2" id="admx-mmcsnapins-mmc-devicemanager-2">ADMX_MMCSnapins/MMC_DeviceManager_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskdefrag" id="admx-mmcsnapins-mmc-diskdefrag">ADMX_MMCSnapins/MMC_DiskDefrag</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskmgmt" id="admx-mmcsnapins-mmc-diskmgmt">ADMX_MMCSnapins/MMC_DiskMgmt</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-enterprisepki" id="admx-mmcsnapins-mmc-enterprisepki">ADMX_MMCSnapins/MMC_EnterprisePKI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-1" id="admx-mmcsnapins-mmc-eventviewer-1">ADMX_MMCSnapins/MMC_EventViewer_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-2" id="admx-mmcsnapins-mmc-eventviewer-2">ADMX_MMCSnapins/MMC_EventViewer_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-3" id="admx-mmcsnapins-mmc-eventviewer-3">ADMX_MMCSnapins/MMC_EventViewer_3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-4" id="admx-mmcsnapins-mmc-eventviewer-4">ADMX_MMCSnapins/MMC_EventViewer_4</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-faxservice" id="admx-mmcsnapins-mmc-faxservice">ADMX_MMCSnapins/MMC_FAXService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-failoverclusters" id="admx-mmcsnapins-mmc-failoverclusters">ADMX_MMCSnapins/MMC_FailoverClusters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-1" id="admx-mmcsnapins-mmc-folderredirection-1">ADMX_MMCSnapins/MMC_FolderRedirection_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-2" id="admx-mmcsnapins-mmc-folderredirection-2">ADMX_MMCSnapins/MMC_FolderRedirection_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-frontpageext" id="admx-mmcsnapins-mmc-frontpageext">ADMX_MMCSnapins/MMC_FrontPageExt</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicymanagementsnapin" id="admx-mmcsnapins-mmc-grouppolicymanagementsnapin">ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicysnapin" id="admx-mmcsnapins-mmc-grouppolicysnapin">ADMX_MMCSnapins/MMC_GroupPolicySnapIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicytab" id="admx-mmcsnapins-mmc-grouppolicytab">ADMX_MMCSnapins/MMC_GroupPolicyTab</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-hra" id="admx-mmcsnapins-mmc-hra">ADMX_MMCSnapins/MMC_HRA</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ias" id="admx-mmcsnapins-mmc-ias">ADMX_MMCSnapins/MMC_IAS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iaslogging" id="admx-mmcsnapins-mmc-iaslogging">ADMX_MMCSnapins/MMC_IASLogging</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-1" id="admx-mmcsnapins-mmc-iemaintenance-1">ADMX_MMCSnapins/MMC_IEMaintenance_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-2" id="admx-mmcsnapins-mmc-iemaintenance-2">ADMX_MMCSnapins/MMC_IEMaintenance_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-igmprouting" id="admx-mmcsnapins-mmc-igmprouting">ADMX_MMCSnapins/MMC_IGMPRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iis" id="admx-mmcsnapins-mmc-iis">ADMX_MMCSnapins/MMC_IIS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iprouting" id="admx-mmcsnapins-mmc-iprouting">ADMX_MMCSnapins/MMC_IPRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage-gp" id="admx-mmcsnapins-mmc-ipsecmanage-gp">ADMX_MMCSnapins/MMC_IPSecManage_GP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxriprouting" id="admx-mmcsnapins-mmc-ipxriprouting">ADMX_MMCSnapins/MMC_IPXRIPRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxrouting" id="admx-mmcsnapins-mmc-ipxrouting">ADMX_MMCSnapins/MMC_IPXRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxsaprouting" id="admx-mmcsnapins-mmc-ipxsaprouting">ADMX_MMCSnapins/MMC_IPXSAPRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-indexingservice" id="admx-mmcsnapins-mmc-indexingservice">ADMX_MMCSnapins/MMC_IndexingService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage" id="admx-mmcsnapins-mmc-ipsecmanage">ADMX_MMCSnapins/MMC_IpSecManage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmonitor" id="admx-mmcsnapins-mmc-ipsecmonitor">ADMX_MMCSnapins/MMC_IpSecMonitor</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-localusersgroups" id="admx-mmcsnapins-mmc-localusersgroups">ADMX_MMCSnapins/MMC_LocalUsersGroups</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-logicalmappeddrives" id="admx-mmcsnapins-mmc-logicalmappeddrives">ADMX_MMCSnapins/MMC_LogicalMappedDrives</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-npsui" id="admx-mmcsnapins-mmc-npsui">ADMX_MMCSnapins/MMC_NPSUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap" id="admx-mmcsnapins-mmc-napsnap">ADMX_MMCSnapins/MMC_NapSnap</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap-gp" id="admx-mmcsnapins-mmc-napsnap-gp">ADMX_MMCSnapins/MMC_NapSnap_GP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-net-framework" id="admx-mmcsnapins-mmc-net-framework">ADMX_MMCSnapins/MMC_Net_Framework</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ocsp" id="admx-mmcsnapins-mmc-ocsp">ADMX_MMCSnapins/MMC_OCSP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ospfrouting" id="admx-mmcsnapins-mmc-ospfrouting">ADMX_MMCSnapins/MMC_OSPFRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-perflogsalerts" id="admx-mmcsnapins-mmc-perflogsalerts">ADMX_MMCSnapins/MMC_PerfLogsAlerts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-publickey" id="admx-mmcsnapins-mmc-publickey">ADMX_MMCSnapins/MMC_PublicKey</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-qosadmission" id="admx-mmcsnapins-mmc-qosadmission">ADMX_MMCSnapins/MMC_QoSAdmission</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ras-dialinuser" id="admx-mmcsnapins-mmc-ras-dialinuser">ADMX_MMCSnapins/MMC_RAS_DialinUser</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-riprouting" id="admx-mmcsnapins-mmc-riprouting">ADMX_MMCSnapins/MMC_RIPRouting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ris" id="admx-mmcsnapins-mmc-ris">ADMX_MMCSnapins/MMC_RIS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rra" id="admx-mmcsnapins-mmc-rra">ADMX_MMCSnapins/MMC_RRA</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rsm" id="admx-mmcsnapins-mmc-rsm">ADMX_MMCSnapins/MMC_RSM</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remstore" id="admx-mmcsnapins-mmc-remstore">ADMX_MMCSnapins/MMC_RemStore</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remoteaccess" id="admx-mmcsnapins-mmc-remoteaccess">ADMX_MMCSnapins/MMC_RemoteAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remotedesktop" id="admx-mmcsnapins-mmc-remotedesktop">ADMX_MMCSnapins/MMC_RemoteDesktop</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-resultantsetofpolicysnapin" id="admx-mmcsnapins-mmc-resultantsetofpolicysnapin">ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-routing" id="admx-mmcsnapins-mmc-routing">ADMX_MMCSnapins/MMC_Routing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sca" id="admx-mmcsnapins-mmc-sca">ADMX_MMCSnapins/MMC_SCA</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-smtpprotocol" id="admx-mmcsnapins-mmc-smtpprotocol">ADMX_MMCSnapins/MMC_SMTPProtocol</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-snmp" id="admx-mmcsnapins-mmc-snmp">ADMX_MMCSnapins/MMC_SNMP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-1" id="admx-mmcsnapins-mmc-scriptsmachine-1">ADMX_MMCSnapins/MMC_ScriptsMachine_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-2" id="admx-mmcsnapins-mmc-scriptsmachine-2">ADMX_MMCSnapins/MMC_ScriptsMachine_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-1" id="admx-mmcsnapins-mmc-scriptsuser-1">ADMX_MMCSnapins/MMC_ScriptsUser_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-2" id="admx-mmcsnapins-mmc-scriptsuser-2">ADMX_MMCSnapins/MMC_ScriptsUser_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-1" id="admx-mmcsnapins-mmc-securitysettings-1">ADMX_MMCSnapins/MMC_SecuritySettings_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-2" id="admx-mmcsnapins-mmc-securitysettings-2">ADMX_MMCSnapins/MMC_SecuritySettings_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitytemplates" id="admx-mmcsnapins-mmc-securitytemplates">ADMX_MMCSnapins/MMC_SecurityTemplates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sendconsolemessage" id="">ADMX_MMCSnapins/MMC_SendConsoleMessage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servermanager" id="admx-mmcsnapins-mmc-servermanager">ADMX_MMCSnapins/MMC_ServerManager</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servicedependencies" id="admx-mmcsnapins-mmc-servicedependencies">ADMX_MMCSnapins/MMC_ServiceDependencies</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-services" id="admx-mmcsnapins-mmc-services">ADMX_MMCSnapins/MMC_Services</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders" id="admx-mmcsnapins-mmc-sharedfolders">ADMX_MMCSnapins/MMC_SharedFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders-ext" id="admx-mmcsnapins-mmc-sharedfolders-ext">ADMX_MMCSnapins/MMC_SharedFolders_Ext</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-1" id="admx-mmcsnapins-mmc-softwareinstalationcomputers-1">ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-2" id="admx-mmcsnapins-mmc-softwareinstalationcomputers-2">ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-1" id="admx-mmcsnapins-mmc-softwareinstallationusers-1">ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-2" id="admx-mmcsnapins-mmc-softwareinstallationusers-2">ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysinfo" id="admx-mmcsnapins-mmc-sysinfo">ADMX_MMCSnapins/MMC_SysInfo</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysprop" id="admx-mmcsnapins-mmc-sysprop">ADMX_MMCSnapins/MMC_SysProp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-tpmmanagement" id="admx-mmcsnapins-mmc-tpmmanagement">ADMX_MMCSnapins/MMC_TPMManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-telephony" id="admx-mmcsnapins-mmc-telephony">ADMX_MMCSnapins/MMC_Telephony</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-terminalservices" id="admx-mmcsnapins-mmc-terminalservices">ADMX_MMCSnapins/MMC_TerminalServices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wmi" id="admx-mmcsnapins-mmc-wmi">ADMX_MMCSnapins/MMC_WMI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall" id="admx-mmcsnapins-mmc-windowsfirewall">ADMX_MMCSnapins/MMC_WindowsFirewall</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall-gp" id="admx-mmcsnapins-mmc-windowsfirewall-gp">ADMX_MMCSnapins/MMC_WindowsFirewall_GP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy" id="admx-mmcsnapins-mmc-wirednetworkpolicy">ADMX_MMCSnapins/MMC_WiredNetworkPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon" id="admx-mmcsnapins-mmc-wirelessmon">ADMX_MMCSnapins/MMC_WirelessMon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy" id="admx-mmcsnapins-mmc-wirelessnetworkpolicy">ADMX_MMCSnapins/MMC_WirelessNetworkPolicy</a>
-  </dd>
-</dl>
-
-### ADMX_MobilePCMobilityCenter policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_1" id="admx-mobilepcmobilitycenter-mobilitycenterenable_1">ADMX_MobilePCMobilityCenter/MobilityCenterEnable_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mobilepcmobilitycenter.md#admx-mobilepcmobilitycenter-mobilitycenterenable_2" id="admx-mobilepcmobilitycenter-mobilitycenterenable_2">ADMX_MobilePCMobilityCenter/MobilityCenterEnable_2</a>
-  </dd>
-<dl>
-
-### ADMX_MobilePCPresentationSettings policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_1" id="admx-mobilepcpresentationsettings-presentationsettingsenable_1">ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-mobilepcpresentationsettings.md#admx-mobilepcpresentationsettings-presentationsettingsenable_2" id="admx-mobilepcpresentationsettings-presentationsettingsenable_2">ADMX_MobilePCPresentationSettings/PresentationSettingsEnable_2</a>
-  </dd>
-<dl>
-
-### ADMX_MSAPolicy policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth" id="admx-msapolicy-microsoftaccount-disableuserauth">ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine</a>
-  </dd>
-  <dd>
-
-### ADMX_msched policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy" id="admx-msched-activationboundarypolicy">ADMX_msched/ActivationBoundaryPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy" id="admx-msched-randomdelaypolicy">ADMX_msched/RandomDelayPolicy</a>
-  </dd>
-</dl>
-
-### ADMX_MSDT policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-msdt.md#admx-msdt-msdtsupportprovider" id="admx-msdt-msdtsupportprovider">ADMX_MSDT/MsdtSupportProvider</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-msdt.md#admx-msdt-msdttooldownloadpolicy" id="admx-msdt-msdttooldownloadpolicy">ADMX_MSDT/MsdtToolDownloadPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-msdt.md#admx-msdt-wdiscenarioexecutionpolicy" id="admx-msdt-wdiscenarioexecutionpolicy">ADMX_MSDT/WdiScenarioExecutionPolicy</a>
-  </dd>
-</dl>
-
-### ADMX_MSI policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-allowlockdownbrowse" id="admx-msi-allowlockdownbrowse">ADMX_MSI/AllowLockdownBrowse</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-allowlockdownmedia" id="admx-msi-allowlockdownmedia">ADMX_MSI/AllowLockdownMedia</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-allowlockdownpatch" id="admx-msi-allowlockdownpatch">ADMX_MSI/AllowLockdownPatch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disableautomaticapplicationshutdown" id="admx-msi-disableautomaticapplicationshutdown">ADMX_MSI/DisableAutomaticApplicationShutdown</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disablebrowse" id="admx-msi-disablebrowse">ADMX_MSI/DisableBrowse</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disableflyweightpatching" id="admx-msi-disableflyweightpatching">ADMX_MSI/DisableFlyweightPatching</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disableloggingfrompackage" id="admx-msi-disableloggingfrompackage">ADMX_MSI/DisableLoggingFromPackage</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disablemsi" id="admx-msi-disablemsi">ADMX_MSI/DisableMSI</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disablemedia" id="admx-msi-disablemedia">ADMX_MSI/DisableMedia</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disablepatch" id="admx-msi-disablepatch">ADMX_MSI/DisablePatch</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disablerollback-1" id="admx-msi-disablerollback-1">ADMX_MSI/DisableRollback_1</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disablerollback-2" id="admx-msi-disablerollback-2">ADMX_MSI/DisableRollback_2</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-disablesharedcomponent" id="admx-msi-disablesharedcomponent">ADMX_MSI/DisableSharedComponent</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msilogging" id="admx-msi-msilogging">ADMX_MSI/MSILogging</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msi-disableluapatching" id="admx-msi-msi-disableluapatching">ADMX_MSI/MSI_DisableLUAPatching</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msi-disablepatchuninstall" id="admx-msi-msi-disablepatchuninstall">ADMX_MSI/MSI_DisablePatchUninstall</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msi-disablesrcheckpoints" id="admx-msi-msi-disablesrcheckpoints">ADMX_MSI/MSI_DisableSRCheckPoints</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msi-disableuserinstalls" id="admx-msi-msi-disableuserinstalls">ADMX_MSI/MSI_DisableUserInstalls</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msi-enforceupgradecomponentrules" id="admx-msi-msi-enforceupgradecomponentrules">ADMX_MSI/MSI_EnforceUpgradeComponentRules</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msi-maxpatchcachesize" id="admx-msi-msi-maxpatchcachesize">ADMX_MSI/MSI_MaxPatchCacheSize</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-msidisableembeddedui" id="admx-msi-msidisableembeddedui">ADMX_MSI/MsiDisableEmbeddedUI</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-safeforscripting" id="admx-msi-safeforscripting">ADMX_MSI/SafeForScripting</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-searchorder" id="admx-msi-searchorder">ADMX_MSI/SearchOrder</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-msi.md#admx-msi-transformssecure" id="admx-msi-transformssecure">ADMX_MSI/TransformsSecure</a>
-  </dd>
-</dl>
-
-### ADMX_MsiFileRecovery policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-msifilerecovery.md#admx-msifilerecovery-wdiscenarioexecutionpolicy" id="admx-msifilerecovery-wdiscenarioexecutionpolicy">ADMX_MsiFileRecovery/WdiScenarioExecutionPolicy</a>
-  </dd>
-<dl>
-
-### ADMX_nca policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-corporateresources" id="admx-nca-corporateresources">ADMX_nca/CorporateResources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-customcommands" id="admx-nca-customcommands">ADMX_nca/CustomCommands</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-dtes" id="admx-nca-dtes">ADMX_nca/DTEs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-friendlyname" id="admx-nca-friendlyname">ADMX_nca/FriendlyName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-localnameson" id="admx-nca-localnameson">ADMX_nca/LocalNamesOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-passivemode" id="admx-nca-passivemode">ADMX_nca/PassiveMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-showui" id="admx-nca-showui">ADMX_nca/ShowUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-nca.md#admx-nca-supportemail" id="admx-nca-supportemail">ADMX_nca/SupportEmail</a>
-  </dd>
-</dl>
-
-### ADMX_NCSI policies
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobecontent" id="admx-ncsi-ncsi-corpdnsprobecontent">ADMX_NCSI/NCSI_CorpDnsProbeContent</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpdnsprobehost" id="admx-ncsi-ncsi-corpdnsprobehost">ADMX_NCSI/NCSI_CorpDnsProbeHost</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpsiteprefixes" id="admx-ncsi-ncsi-corpsiteprefixes">ADMX_NCSI/NCSI_CorpSitePrefixes</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-corpwebprobeurl" id="admx-ncsi-ncsi-corpwebprobeurl">ADMX_NCSI/NCSI_CorpWebProbeUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-domainlocationdeterminationurl" id="admx-ncsi-ncsi-domainlocationdeterminationurl">ADMX_NCSI/NCSI_DomainLocationDeterminationUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-globaldns" id="admx-ncsi-ncsi-globaldns">ADMX_NCSI/NCSI_GlobalDns</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-ncsi.md#admx-ncsi-ncsi-passivepolling" id="admx-ncsi-ncsi-passivepolling">ADMX_NCSI/NCSI_PassivePolling</a>
-  </dd>
-</dl>
-
-### ADMX_Netlogon policies
-
-<dl>
- <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresslookuponpingbehavior"id="admx-netlogon-netlogon-addresslookuponpingbehavior">ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-addresstypereturned"id="admx-netlogon-netlogon-addresstypereturned">ADMX_Netlogon/Netlogon_AddressTypeReturned</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowdnssuffixsearch"id="admx-netlogon-netlogon-allowdnssuffixsearch">ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allownt4crypto"id="admx-netlogon-netlogon-allownt4crypto">ADMX_Netlogon/Netlogon_AllowNT4Crypto</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-allowsinglelabeldnsdomain"id="admx-netlogon-netlogon-allowsinglelabeldnsdomain">ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-autositecoverage"id="admx-netlogon-netlogon-autositecoverage">ADMX_Netlogon/Netlogon_AutoSiteCoverage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery"id="admx-netlogon-netlogon-avoidfallbacknetbiosdiscovery">ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-avoidpdconwan"id="admx-netlogon-netlogon-avoidpdconwan">ADMX_Netlogon/Netlogon_AvoidPdcOnWan</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryinitialperiod"id="admx-netlogon-netlogon-backgroundretryinitialperiod">ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretrymaximumperiod"id="admx-netlogon-netlogon-backgroundretrymaximumperiod">ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundretryquittime"id="admx-netlogon-netlogon-backgroundretryquittime">ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod"id="admx-netlogon-netlogon-backgroundsuccessfulrefreshperiod">ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-debugflag"id="admx-netlogon-netlogon-debugflag">ADMX_Netlogon/Netlogon_DebugFlag</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsavoidregisterrecords"id="admx-netlogon-netlogon-dnsavoidregisterrecords">ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsrefreshinterval"id="admx-netlogon-netlogon-dnsrefreshinterval">ADMX_Netlogon/Netlogon_DnsRefreshInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames"id="admx-netlogon-netlogon-dnssrvrecorduselowercasehostnames">ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-dnsttl"id="admx-netlogon-netlogon-dnsttl">ADMX_Netlogon/Netlogon_DnsTtl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-expecteddialupdelay"id="admx-netlogon-netlogon-expecteddialupdelay">ADMX_Netlogon/Netlogon_ExpectedDialupDelay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-forcerediscoveryinterval"id="admx-netlogon-netlogon-forcerediscoveryinterval">ADMX_Netlogon/Netlogon_ForceRediscoveryInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-gcsitecoverage"id="admx-netlogon-netlogon-gcsitecoverage">ADMX_Netlogon/Netlogon_GcSiteCoverage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ignoreincomingmailslotmessages"id="admx-netlogon-netlogon-ignoreincomingmailslotmessages">ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvpriority"id="admx-netlogon-netlogon-ldapsrvpriority">ADMX_Netlogon/Netlogon_LdapSrvPriority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ldapsrvweight"id="admx-netlogon-netlogon-ldapsrvweight">ADMX_Netlogon/Netlogon_LdapSrvWeight</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-maximumlogfilesize"id="admx-netlogon-netlogon-maximumlogfilesize">ADMX_Netlogon/Netlogon_MaximumLogFileSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-ndncsitecoverage"id="admx-netlogon-netlogon-ndncsitecoverage">ADMX_Netlogon/Netlogon_NdncSiteCoverage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-negativecacheperiod"id="admx-netlogon-netlogon-negativecacheperiod">ADMX_Netlogon/Netlogon_NegativeCachePeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-netlogonsharecompatibilitymode"id="admx-netlogon-netlogon-netlogonsharecompatibilitymode">ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod"id="admx-netlogon-netlogon-nonbackgroundsuccessfulrefreshperiod">ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-pingurgencymode"id="admx-netlogon-netlogon-pingurgencymode">ADMX_Netlogon/Netlogon_PingUrgencyMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-scavengeinterval"id="admx-netlogon-netlogon-scavengeinterval">ADMX_Netlogon/Netlogon_ScavengeInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitecoverage"id="admx-netlogon-netlogon-sitecoverage">ADMX_Netlogon/Netlogon_SiteCoverage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sitename"id="admx-netlogon-netlogon-sitename">ADMX_Netlogon/Netlogon_SiteName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode"id="admx-netlogon-netlogon-sysvolsharecompatibilitymode">ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite"id="admx-netlogon-netlogon-trynextclosestsite">ADMX_Netlogon/Netlogon_TryNextClosestSite</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns"id="admx-netlogon-netlogon-usedynamicdns">ADMX_Netlogon/Netlogon_UseDynamicDns</a>
-  </dd>
-</dl>
-
-### ADMX_NetworkConnections policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents" id="admx-networkconnections-nc-addremovecomponents">ADMX_NetworkConnections/NC_AddRemoveComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings" id="admx-networkconnections-nc-advancedsettings">ADMX_NetworkConnections/NC_AdvancedSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig" id="admx-networkconnections-nc-allowadvancedtcpipconfig">ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate" id="admx-networkconnections-nc-changebindstate">ADMX_NetworkConnections/NC_ChangeBindState</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deletealluserconnection" id="admx-networkconnections-nc-deletealluserconnection">ADMX_NetworkConnections/NC_DeleteAllUserConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deleteconnection" id="admx-networkconnections-nc-deleteconnection">ADMX_NetworkConnections/NC_DeleteConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-dialupprefs" id="admx-networkconnections-nc-dialupprefs">ADMX_NetworkConnections/NC_DialupPrefs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-donotshowlocalonlyicon" id="admx-networkconnections-nc-donotshowlocalonlyicon">ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-enableadminprohibits" id="admx-networkconnections-nc-enableadminprohibits">ADMX_NetworkConnections/NC_EnableAdminProhibits</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-forcetunneling" id="admx-networkconnections-nc-forcetunneling">ADMX_NetworkConnections/NC_ForceTunneling</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-ipstatechecking" id="admx-networkconnections-nc-ipstatechecking">ADMX_NetworkConnections/NC_IpStateChecking</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanchangeproperties" id="admx-networkconnections-nc-lanchangeproperties">ADMX_NetworkConnections/NC_LanChangeProperties</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanconnect" id="admx-networkconnections-nc-lanconnect">ADMX_NetworkConnections/NC_LanConnect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanproperties" id="admx-networkconnections-nc-lanproperties">ADMX_NetworkConnections/NC_LanProperties</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-newconnectionwizard" id="admx-networkconnections-nc-newconnectionwizard">ADMX_NetworkConnections/NC_NewConnectionWizard</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-personalfirewallconfig" id="admx-networkconnections-nc-personalfirewallconfig">ADMX_NetworkConnections/NC_PersonalFirewallConfig</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasalluserproperties" id="admx-networkconnections-nc-rasalluserproperties">ADMX_NetworkConnections/NC_RasAllUserProperties</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-raschangeproperties" id="admx-networkconnections-nc-raschangeproperties">ADMX_NetworkConnections/NC_RasChangeProperties</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasconnect" id="admx-networkconnections-nc-rasconnect">ADMX_NetworkConnections/NC_RasConnect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasmyproperties" id="admx-networkconnections-nc-rasmyproperties">ADMX_NetworkConnections/NC_RasMyProperties</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamealluserrasconnection" id="admx-networkconnections-nc-renamealluserrasconnection">ADMX_NetworkConnections/NC_RenameAllUserRasConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renameconnection" id="admx-networkconnections-nc-renameconnection">ADMX_NetworkConnections/NC_RenameConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamelanconnection" id="admx-networkconnections-nc-renamelanconnection">ADMX_NetworkConnections/NC_RenameLanConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamemyrasconnection" id="admx-networkconnections-nc-renamemyrasconnection">ADMX_NetworkConnections/NC_RenameMyRasConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-showsharedaccessui" id="admx-networkconnections-nc-showsharedaccessui">ADMX_NetworkConnections/NC_ShowSharedAccessUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-statistics" id="admx-networkconnections-nc-statistics">ADMX_NetworkConnections/NC_Statistics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-stddomainusersetlocation" id="admx-networkconnections-nc-stddomainusersetlocation">ADMX_NetworkConnections/NC_StdDomainUserSetLocation</a>
-  </dd>
-</dl>
-
-### ADMX_OfflineFiles policies
-
-<dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders" id="admx-offlinefiles-pol-alwayspinsubfolders">ADMX_OfflineFiles/Pol_AlwaysPinSubFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1" id="admx-offlinefiles-pol-assignedofflinefiles-1">ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2" id="admx-offlinefiles-pol-assignedofflinefiles-2">ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-backgroundsyncsettings" id="admx-offlinefiles-pol-backgroundsyncsettings">ADMX_OfflineFiles/Pol_BackgroundSyncSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-cachesize" id="admx-offlinefiles-pol-cachesize">ADMX_OfflineFiles/Pol_CacheSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-1" id="admx-offlinefiles-pol-customgoofflineactions-1">ADMX_OfflineFiles/Pol_CustomGoOfflineActions_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-customgoofflineactions-2" id="admx-offlinefiles-pol-customgoofflineactions-2">ADMX_OfflineFiles/Pol_CustomGoOfflineActions_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-defcachesize" id="admx-offlinefiles-pol-defcachesize">ADMX_OfflineFiles/Pol_DefCacheSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-enabled" id="admx-offlinefiles-pol-enabled">ADMX_OfflineFiles/Pol_Enabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-encryptofflinefiles" id="admx-offlinefiles-pol-encryptofflinefiles">ADMX_OfflineFiles/Pol_EncryptOfflineFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-1" id="admx-offlinefiles-pol-eventlogginglevel-1">ADMX_OfflineFiles/Pol_EventLoggingLevel_1</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-eventlogginglevel-2" id="admx-offlinefiles-pol-eventlogginglevel-2">ADMX_OfflineFiles/Pol_EventLoggingLevel_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-exclusionlistsettings" id="admx-offlinefiles-pol-exclusionlistsettings">ADMX_OfflineFiles/Pol_ExclusionListSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-extexclusionlist" id="admx-offlinefiles-pol-extexclusionlist">ADMX_OfflineFiles/Pol_ExtExclusionList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-1" id="admx-offlinefiles-pol-goofflineaction-1">ADMX_OfflineFiles/Pol_GoOfflineAction_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-goofflineaction-2" id="admx-offlinefiles-pol-goofflineaction-2">ADMX_OfflineFiles/Pol_GoOfflineAction_2</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-1" id="admx-offlinefiles-pol-nocacheviewer-1">ADMX_OfflineFiles/Pol_NoCacheViewer_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nocacheviewer-2" id="admx-offlinefiles-pol-nocacheviewer-2">ADMX_OfflineFiles/Pol_NoCacheViewer_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-1" id="admx-offlinefiles-pol-noconfigcache-1">ADMX_OfflineFiles/Pol_NoConfigCache_1</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noconfigcache-2" id="admx-offlinefiles-pol-noconfigcache-2">ADMX_OfflineFiles/Pol_NoConfigCache_2</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-1" id="admx-offlinefiles-pol-nomakeavailableoffline-1">ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nomakeavailableoffline-2" id="admx-offlinefiles-pol-nomakeavailableoffline-2">ADMX_OfflineFiles/Pol_NoMakeAvailableOffline_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-1" id="admx-offlinefiles-pol-nopinfiles-1">ADMX_OfflineFiles/Pol_NoPinFiles_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-nopinfiles-2" id="admx-offlinefiles-pol-nopinfiles-2">ADMX_OfflineFiles/Pol_NoPinFiles_2</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-1" id="admx-offlinefiles-pol-noreminders-1">ADMX_OfflineFiles/Pol_NoReminders_1</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-noreminders-2" id="admx-offlinefiles-pol-noreminders-2">ADMX_OfflineFiles/Pol_NoReminders_2</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-onlinecachingsettings" id="admx-offlinefiles-pol-onlinecachingsettings">ADMX_OfflineFiles/Pol_OnlineCachingSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-purgeatlogoff" id="admx-offlinefiles-pol-purgeatlogoff">ADMX_OfflineFiles/Pol_PurgeAtLogoff</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-quickadimpin" id="admx-offlinefiles-pol-quickadimpin">ADMX_OfflineFiles/Pol_QuickAdimPin</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-1" id="admx-offlinefiles-pol-reminderfreq-1">ADMX_OfflineFiles/Pol_ReminderFreq_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderfreq-2" id="admx-offlinefiles-pol-reminderfreq-2">ADMX_OfflineFiles/Pol_ReminderFreq_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-1" id="admx-offlinefiles-pol-reminderinittimeout-1">ADMX_OfflineFiles/Pol_ReminderInitTimeout_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-reminderinittimeout-2" id="admx-offlinefiles-pol-reminderinittimeout-2">ADMX_OfflineFiles/Pol_ReminderInitTimeout_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-1" id="admx-offlinefiles-pol-remindertimeout-1">ADMX_OfflineFiles/Pol_ReminderTimeout_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-remindertimeout-2" id="admx-offlinefiles-pol-remindertimeout-2">ADMX_OfflineFiles/Pol_ReminderTimeout_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinksettings" id="admx-offlinefiles-pol-slowlinksettings">ADMX_OfflineFiles/Pol_SlowLinkSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-slowlinkspeed" id="admx-offlinefiles-pol-slowlinkspeed">ADMX_OfflineFiles/Pol_SlowLinkSpeed</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-1" id="admx-offlinefiles-pol-syncatlogoff-1">ADMX_OfflineFiles/Pol_SyncAtLogoff_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogoff-2" id="admx-offlinefiles-pol-syncatlogoff-2">ADMX_OfflineFiles/Pol_SyncAtLogoff_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-1" id="admx-offlinefiles-pol-syncatlogon-1">ADMX_OfflineFiles/Pol_SyncAtLogon_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatlogon-2" id="admx-offlinefiles-pol-syncatlogon-2">ADMX_OfflineFiles/Pol_SyncAtLogon_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-1" id="admx-offlinefiles-pol-syncatsuspend-1">ADMX_OfflineFiles/Pol_SyncAtSuspend_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-syncatsuspend-2" id="admx-offlinefiles-pol-syncatsuspend-2">ADMX_OfflineFiles/Pol_SyncAtSuspend_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-synconcostednetwork" id="admx-offlinefiles-pol-synconcostednetwork">ADMX_OfflineFiles/Pol_SyncOnCostedNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-1" id="admx-offlinefiles-pol-workofflinedisabled-1">ADMX_OfflineFiles/Pol_WorkOfflineDisabled_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-workofflinedisabled-2" id="admx-offlinefiles-pol-workofflinedisabled-2">ADMX_OfflineFiles/Pol_WorkOfflineDisabled_2</a>
-  </dd>
-</dl>
-
-### ADMX_pca policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomcomponentfailurespolicy" id="admx-pca-detectdeprecatedcomcomponentfailurespolicy">ADMX_pca/DetectDeprecatedCOMComponentFailuresPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-pca.md#admx-pca-detectdeprecatedcomponentfailurespolicy" id="admx-pca-detectdeprecatedcomponentfailurespolicy">ADMX_pca/DetectDeprecatedComponentFailuresPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-pca.md#admx-pca-detectinstallfailurespolicy" id="admx-pca-detectinstallfailurespolicy">ADMX_pca/DetectInstallFailuresPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-pca.md#admx-pca-detectundetectedinstallerspolicy" id="admx-pca-detectundetectedinstallerspolicy">ADMX_pca/DetectUndetectedInstallersPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-pca.md#admx-pca-detectupdatefailurespolicy" id="admx-pca-detectupdatefailurespolicy">ADMX_pca/DetectUpdateFailuresPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-pca.md#admx-pca-disablepcauipolicy" id="admx-pca-disablepcauipolicy">ADMX_pca/DisablePcaUIPolicy</a>
-  </dd>
-<dd>
-    <a href="./policy-csp-admx-pca.md#admx-pca-detectblockeddriverspolicy" id="admx-pca-detectblockeddriverspolicy">ADMX_pca/DetectBlockedDriversPolicy</a>
-</dd>
-<dl>
-
-### ADMX_PeerToPeerCaching policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache" id="admx-peertopeercaching-enablewindowsbranchcache">ADMX_PeerToPeerCaching/EnableWindowsBranchCache</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-distributed" id="admx-peertopeercaching-enablewindowsbranchcache-distributed">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Distributed</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hosted" id="admx-peertopeercaching-enablewindowsbranchcache-hosted">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_Hosted</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery" id="admx-peertopeercaching-enablewindowsbranchcache-hostedcachediscovery">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedCacheDiscovery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers" id="admx-peertopeercaching-enablewindowsbranchcache-hostedmultipleservers">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_HostedMultipleServers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-enablewindowsbranchcache-smb" id="admx-peertopeercaching-enablewindowsbranchcache-smb">ADMX_PeerToPeerCaching/EnableWindowsBranchCache_SMB</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setcachepercent" id="admx-peertopeercaching-setcachepercent">ADMX_PeerToPeerCaching/SetCachePercent</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdatacacheentrymaxage" id="admx-peertopeercaching-setdatacacheentrymaxage">ADMX_PeerToPeerCaching/SetDataCacheEntryMaxAge</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-peertopeercaching.md#admx-peertopeercaching-setdowngrading" id="admx-peertopeercaching-setdowngrading">ADMX_PeerToPeerCaching/SetDowngrading</a>
-  </dd>
-</dl>
-
-### ADMX_PenTraining policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_1" id="admx-pentraining-pentrainingoff_1">ADMX_PenTraining/PenTrainingOff_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-pentraining.md#admx-pentraining-pentrainingoff_2" id="admx-pentraining-pentrainingoff_2">ADMX_PenTraining/PenTrainingOff_2</a>
-  </dd>
-<dl>
-
-### ADMX_PerformanceDiagnostics policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-1" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-1">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-2">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-3">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4" id="admx-performancediagnostics-wdiscenarioexecutionpolicy-4">ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4</a>
-  </dd>
-</dl>
-
-### ADMX_Power policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-acconnectivityinstandby-2" id="admx-power-acconnectivityinstandby-2">ADMX_Power/ACConnectivityInStandby_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-accriticalsleeptransitionsdisable-2" id="admx-power-accriticalsleeptransitionsdisable-2">ADMX_Power/ACCriticalSleepTransitionsDisable_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-acstartmenubuttonaction-2" id="admx-power-acstartmenubuttonaction-2">ADMX_Power/ACStartMenuButtonAction_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-allowsystempowerrequestac" id="admx-power-allowsystempowerrequestac">ADMX_Power/AllowSystemPowerRequestAC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-allowsystempowerrequestdc" id="admx-power-allowsystempowerrequestdc">ADMX_Power/AllowSystemPowerRequestDC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopenac" id="admx-power-allowsystemsleepwithremotefilesopenac">ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopendc" id="admx-power-allowsystemsleepwithremotefilesopendc">ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-customactiveschemeoverride-2" id="admx-power-customactiveschemeoverride-2">ADMX_Power/CustomActiveSchemeOverride_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction0-2" id="admx-power-dcbatterydischargeaction0-2">ADMX_Power/DCBatteryDischargeAction0_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction1-2" id="admx-power-dcbatterydischargeaction1-2">ADMX_Power/DCBatteryDischargeAction1_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel0-2" id="admx-power-dcbatterydischargelevel0-2">ADMX_Power/DCBatteryDischargeLevel0_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1uinotification-2" id="admx-power-dcbatterydischargelevel1uinotification-2">ADMX_Power/DCBatteryDischargeLevel1UINotification_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1-2" id="admx-power-dcbatterydischargelevel1-2">ADMX_Power/DCBatteryDischargeLevel1_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dcconnectivityinstandby-2" id="admx-power-dcconnectivityinstandby-2">ADMX_Power/DCConnectivityInStandby_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dccriticalsleeptransitionsdisable-2" id="admx-power-dccriticalsleeptransitionsdisable-2">ADMX_Power/DCCriticalSleepTransitionsDisable_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dcstartmenubuttonaction-2" id="admx-power-dcstartmenubuttonaction-2">ADMX_Power/DCStartMenuButtonAction_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-diskacpowerdowntimeout-2" id="admx-power-diskacpowerdowntimeout-2">ADMX_Power/DiskACPowerDownTimeOut_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-diskdcpowerdowntimeout-2" id="admx-power-diskdcpowerdowntimeout-2">ADMX_Power/DiskDCPowerDownTimeOut_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-dont-poweroff-aftershutdown" id="admx-power-dont-poweroff-aftershutdown">ADMX_Power/Dont_PowerOff_AfterShutdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-enabledesktopslideshowac" id="admx-power-enabledesktopslideshowac">ADMX_Power/EnableDesktopSlideShowAC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-enabledesktopslideshowdc" id="admx-power-enabledesktopslideshowdc">ADMX_Power/EnableDesktopSlideShowDC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-inboxactiveschemeoverride-2" id="admx-power-inboxactiveschemeoverride-2">ADMX_Power/InboxActiveSchemeOverride_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-pw-promptpasswordonresume" id="admx-power-pw-promptpasswordonresume">ADMX_Power/PW_PromptPasswordOnResume</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-powerthrottlingturnoff" id="admx-power-powerthrottlingturnoff">ADMX_Power/PowerThrottlingTurnOff</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-power.md#admx-power-reservebatterynotificationlevel" id="admx-power-reservebatterynotificationlevel">ADMX_Power/ReserveBatteryNotificationLevel</a>
-  </dd>
-</dl>
-
-### ADMX_PowerShellExecutionPolicy policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging" id="admx-powershellexecutionpolicy-enablemodulelogging">ADMX_PowerShellExecutionPolicy/EnableModuleLogging</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts" id="admx-powershellexecutionpolicy-enablescripts">ADMX_PowerShellExecutionPolicy/EnableScripts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting" id="admx-powershellexecutionpolicy-enabletranscripting">ADMX_PowerShellExecutionPolicy/EnableTranscripting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath" id="admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath">ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath</a>
-  </dd>
-</dl>
-
-### ADMX_PreviousVersions policies
-
-</dl>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_1" id="admx-previousversions-disablelocalpage_1">ADMX_PreviousVersions/DisableLocalPage_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalpage_2" id="admx-previousversions-disablelocalpage_2">ADMX_PreviousVersions/DisableLocalPage_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_1" id="admx-previousversions-disableremotepage_1">ADMX_PreviousVersions/DisableRemotePage_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-disableremotepage_2" id="admx-previousversions-disableremotepage_2">ADMX_PreviousVersions/DisableRemotePage_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_1" id="admx-previousversions-hidebackupentries_1">ADMX_PreviousVersions/HideBackupEntries_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-hidebackupentries_2" id="admx-previousversions-hidebackupentries_2">ADMX_PreviousVersions/HideBackupEntries_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_1" id="admx-previousversions-disablelocalrestore_1">ADMX_PreviousVersions/DisableLocalRestore_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-previousversions.md#admx-previousversions-disablelocalrestore_2" id="admx-previousversions-disablelocalrestore_2">ADMX_PreviousVersions/DisableLocalRestore_2</a>
-  </dd>
-</dl>
-
-### ADMX_Printing policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-allowwebprinting" id="admx-printing-allowwebprinting">ADMX_Printing/AllowWebPrinting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation" id="admx-printing-applicationdriverisolation">ADMX_Printing/ApplicationDriverIsolation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-customizedsupporturl" id="admx-printing-customizedsupporturl">ADMX_Printing/CustomizedSupportUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-donotinstallcompatibledriverfromwindowsupdate" id="admx-printing-donotinstallcompatibledriverfromwindowsupdate">ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-domainprinters" id="admx-printing-domainprinters">ADMX_Printing/DomainPrinters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-downlevelbrowse" id="admx-printing-downlevelbrowse">ADMX_Printing/DownlevelBrowse</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-emfdespooling" id="admx-printing-emfdespooling">ADMX_Printing/EMFDespooling</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-forcesoftwarerasterization" id="admx-printing-forcesoftwarerasterization">ADMX_Printing/ForceSoftwareRasterization</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-intranetprintersurl" id="admx-printing-intranetprintersurl">ADMX_Printing/IntranetPrintersUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-kmprintersareblocked" id="admx-printing-kmprintersareblocked">ADMX_Printing/KMPrintersAreBlocked</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-legacydefaultprintermode" id="admx-printing-legacydefaultprintermode">ADMX_Printing/LegacyDefaultPrinterMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-mxdwuselegacyoutputformatmsxps" id="admx-printing-mxdwuselegacyoutputformatmsxps">ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-nodeleteprinter" id="admx-printing-nodeleteprinter">ADMX_Printing/NoDeletePrinter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-nondomainprinters" id="admx-printing-nondomainprinters">ADMX_Printing/NonDomainPrinters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly" id="admx-printing-packagepointandprintonly">ADMX_Printing/PackagePointAndPrintOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly-win7" id="admx-printing-packagepointandprintonly-win7">ADMX_Printing/PackagePointAndPrintOnly_Win7</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist" id="admx-printing-packagepointandprintserverlist">ADMX_Printing/PackagePointAndPrintServerList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist-win7" id="admx-printing-packagepointandprintserverlist-win7">ADMX_Printing/PackagePointAndPrintServerList_Win7</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-physicallocation" id="admx-printing-physicallocation">ADMX_Printing/PhysicalLocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-physicallocationsupport" id="admx-printing-physicallocationsupport">ADMX_Printing/PhysicalLocationSupport</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-printdriverisolationexecutionpolicy
-" id="admx-printing-printdriverisolationexecutionpolicy">ADMX_Printing/PrintDriverIsolationExecutionPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-printdriverisolationoverridecompat" id="admx-printing-printdriverisolationoverridecompat">ADMX_Printing/PrintDriverIsolationOverrideCompat</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-printerdirectorysearchscope" id="admx-printing-printerdirectorysearchscope">ADMX_Printing/PrinterDirectorySearchScope</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-printerserverthread" id="admx-printing-printerserverthread">ADMX_Printing/PrinterServerThread</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-showjobtitleineventlogs" id="admx-printing-showjobtitleineventlogs">ADMX_Printing/ShowJobTitleInEventLogs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing.md#admx-printing-v4driverdisallowprinterextension" id="admx-printing-v4driverdisallowprinterextension">ADMX_Printing/V4DriverDisallowPrinterExtension</a>
-  </dd>
-</dl>
-
-### ADMX_Printing2 policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-autopublishing" id="admx-printing2-autopublishing">ADMX_Printing2/AutoPublishing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-immortalprintqueue" id="admx-printing2-immortalprintqueue">ADMX_Printing2/ImmortalPrintQueue</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-prunedownlevel" id="admx-printing2-prunedownlevel">ADMX_Printing2/PruneDownlevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-pruninginterval" id="admx-printing2-pruninginterval">ADMX_Printing2/PruningInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-pruningpriority" id="admx-printing2-pruningpriority">ADMX_Printing2/PruningPriority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-pruningretries" id="admx-printing2-pruningretries">ADMX_Printing2/PruningRetries</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-pruningretrylog" id="admx-printing2-pruningretrylog">ADMX_Printing2/PruningRetryLog</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-registerspoolerremoterpcendpoint" id="admx-printing2-registerspoolerremoterpcendpoint">ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-printing2.md#admx-printing2-verifypublishedstate" id="admx-printing2-verifypublishedstate">ADMX_Printing2/VerifyPublishedState</a>
-  </dd>
-</dl>
-
-### ADMX_Programs policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-programs.md#admx-programs-nodefaultprograms" id="admx-programs-nodefaultprograms">ADMX_Programs/NoDefaultPrograms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-programs.md#admx-programs-nogetprograms" id="admx-programs-nogetprograms">ADMX_Programs/NoGetPrograms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-programs.md#admx-programs-noinstalledupdates" id="admx-programs-noinstalledupdates">ADMX_Programs/NoInstalledUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures" id="admx-programs-noprogramsandfeatures">ADMX_Programs/NoProgramsAndFeatures</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-programs.md#admx-programs-noprogramscpl" id="admx-programs-noprogramscpl">ADMX_Programs/NoProgramsCPL</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures" id="admx-programs-nowindowsfeatures">ADMX_Programs/NoWindowsFeatures</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace" id="admx-programs-nowindowsmarketplace">ADMX_Programs/NoWindowsMarketplace</a>
-  </dd>
-</dl>
-
-### ADMX_Reliability policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp" id="admx-reliability-ee-enablepersistenttimestamp">ADMX_Reliability/EE_EnablePersistentTimeStamp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents" id="admx-reliability-pch-reportshutdownevents">ADMX_Reliability/PCH_ReportShutdownEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile" id="admx-reliability-shutdowneventtrackerstatefile">ADMX_Reliability/ShutdownEventTrackerStateFile</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-reliability.md#admx-reliability-shutdownreason" id="admx-reliability-shutdownreason">ADMX_Reliability/ShutdownReason</a>
-  </dd>
-</dl>
-
-### ADMX_RemoteAssistance policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-encryptedticketonly" id="admx-remoteassistance-ra-encryptedticketonly">ADMX_RemoteAssistance/RA_EncryptedTicketOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-optimize-bandwidth" id="admx-remoteassistance-ra-optimize-bandwidth">ADMX_RemoteAssistance/RA_Optimize_Bandwidth</a>
-  </dd>
-</dl>
-
-### ADMX_RemovableStorage policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-1" id="admx-removablestorage-accessrights-reboottime-1">ADMX_RemovableStorage/AccessRights_RebootTime_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-2" id="admx-removablestorage-accessrights-reboottime-2">ADMX_RemovableStorage/AccessRights_RebootTime_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyexecute-access-2" id="admx-removablestorage-cdanddvd-denyexecute-access-2">ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-1" id="admx-removablestorage-cdanddvd-denyread-access-1">ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-2" id="admx-removablestorage-cdanddvd-denyread-access-2">ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-1" id="admx-removablestorage-cdanddvd-denywrite-access-1">ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-2" id="admx-removablestorage-cdanddvd-denywrite-access-2">ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-1" id="admx-removablestorage-customclasses-denyread-access-1">ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-2" id="admx-removablestorage-customclasses-denyread-access-2">ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-1" id="admx-removablestorage-customclasses-denywrite-access-1">ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-2" id="admx-removablestorage-customclasses-denywrite-access-2">ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyexecute-access-2" id="admx-removablestorage-floppydrives-denyexecute-access-2">ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-1" id="admx-removablestorage-floppydrives-denyread-access-1">ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-2" id="admx-removablestorage-floppydrives-denyread-access-2">ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-1" id="admx-removablestorage-floppydrives-denywrite-access-1">ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-2" id="admx-removablestorage-floppydrives-denywrite-access-2">ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyexecute-access-2" id="admx-removablestorage-removabledisks-denyexecute-access-2">ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-1" id="admx-removablestorage-removabledisks-denyread-access-1">ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-2" id="admx-removablestorage-removabledisks-denyread-access-2">ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denywrite-access-1" id="admx-removablestorage-removabledisks-denywrite-access-1">ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-1" id="admx-removablestorage-removablestorageclasses-denyall-access-1">ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-2" id="admx-removablestorage-removablestorageclasses-denyall-access-2">ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-removable-remote-allow-access" id="admx-removablestorage-removable-remote-allow-access">ADMX_RemovableStorage/Removable_Remote_Allow_Access</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyexecute-access-2" id="admx-removablestorage-tapedrives-denyexecute-access-2">ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-1" id="admx-removablestorage-tapedrives-denyread-access-1">ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-2" id="admx-removablestorage-tapedrives-denyread-access-2">ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-1" id="admx-removablestorage-tapedrives-denywrite-access-1">ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-2" id="admx-removablestorage-tapedrives-denywrite-access-2">ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-1" id="admx-removablestorage-wpddevices-denyread-access-1">ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-2" id="admx-removablestorage-wpddevices-denyread-access-2">ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-1" id="admx-removablestorage-wpddevices-denywrite-access-1">ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-2" id="admx-removablestorage-wpddevices-denywrite-access-2">ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2</a>
-  </dd>
-</dl>
-
-### ADMX_RPC policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-rpc.md#admx-rpc-rpcextendederrorinformation" id="admx-rpc-rpcextendederrorinformation">ADMX_RPC/RpcExtendedErrorInformation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-rpc.md#admx-rpc-rpcignoredelegationfailure" id="admx-rpc-rpcignoredelegationfailure">ADMX_RPC/RpcIgnoreDelegationFailure</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-rpc.md#admx-rpc-rpcminimumhttpconnectiontimeout" id="admx-rpc-rpcminimumhttpconnectiontimeout">ADMX_RPC/RpcMinimumHttpConnectionTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-rpc.md#admx-rpc-rpcstateinformation" id="admx-rpc-rpcstateinformation">ADMX_RPC/RpcStateInformation</a>
-  </dd>
-</dl>
-
-### ADMX_Scripts policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled" id="admx-scripts-allow-logon-script-netbiosdisabled">ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy" id="admx-scripts-maxgposcriptwaitpolicy">ADMX_Scripts/MaxGPOScriptWaitPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first" id="admx-scripts-run-computer-ps-scripts-first">ADMX_Scripts/Run_Computer_PS_Scripts_First</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-legacy-logon-script-hidden" id="admx-scripts-run-legacy-logon-script-hidden">ADMX_Scripts/Run_Legacy_Logon_Script_Hidden</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-logoff-script-visible" id="admx-scripts-run-logoff-script-visible">ADMX_Scripts/Run_Logoff_Script_Visible</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-1" id="admx-scripts-run-logon-script-sync-1">ADMX_Scripts/Run_Logon_Script_Sync_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-sync-2" id="admx-scripts-run-logon-script-sync-2">ADMX_Scripts/Run_Logon_Script_Sync_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-logon-script-visible" id="admx-scripts-run-logon-script-visible">ADMX_Scripts/Run_Logon_Script_Visible</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-shutdown-script-visible" id="admx-scripts-run-shutdown-script-visible">ADMX_Scripts/Run_Shutdown_Script_Visible</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-sync" id="admx-scripts-run-startup-script-sync">ADMX_Scripts/Run_Startup_Script_Sync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-startup-script-visible" id="admx-scripts-run-startup-script-visible">ADMX_Scripts/Run_Startup_Script_Visible</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-scripts.md#admx-scripts-run-user-ps-scripts-first" id="admx-scripts-run-user-ps-scripts-first">ADMX_Scripts/Run_User_PS_Scripts_First</a>
-  </dd>
-</dl>
-
-### ADMX_sdiagschd policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy" id="admx-sdiagschd-scheduleddiagnosticsexecutionpolicy">ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy</a>
-  </dd>
-<dl>
-
-### ADMX_sdiageng policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected" id="admx-sdiageng-betterwhenconnected">ADMX_sdiageng/BetterWhenConnected</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy" id="admx-sdiageng-scripteddiagnosticsexecutionpolicy">ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy" id="admx-sdiageng-scripteddiagnosticssecuritypolicy">ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy</a>
-  </dd>
-</dl>
-
-### ADMX_Securitycenter policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain" id="admx-securitycenter-securitycenter-securitycenterindomain">ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain</a>
-  </dd>
-</dl>
-
-### ADMX_Sensors policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1" id="admx-sensors-disablelocationscripting-1">ADMX_Sensors/DisableLocationScripting_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2" id="admx-sensors-disablelocationscripting-2">ADMX_Sensors/DisableLocationScripting_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1" id="admx-sensors-disablelocation-1">ADMX_Sensors/DisableLocation_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1" id="admx-sensors-disablesensors-1">ADMX_Sensors/DisableSensors_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2" id="admx-sensors-disablesensors-2">ADMX_Sensors/DisableSensors_2</a>
-  </dd>
-</dl>
-
-### ADMX_ServerManager policies
-
-</dl>
-  <dd>
-    <a href="./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page" id="admx-servermanager-do_not_display_manage_your_server_page">ADMX_ServerManager/Do_not_display_Manage_Your_Server_page</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate" id="admx-servermanager-servermanagerautorefreshrate">ADMX_ServerManager/ServerManagerAutoRefreshRate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks" id="admx-servermanager-donotlaunchinitialconfigurationtasks">ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager" id="admx-servermanager-donotlaunchservermanager">ADMX_ServerManager/DoNotLaunchServerManager</a>
-  </dd>
-</dl>
-
-### ADMX_Servicing policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-servicing.md#admx-servicing-servicing" id="admx-servicing-servicing">ADMX_Servicing/Servicing</a>
-  </dd>
-</dl>
-
-### ADMX_SettingSync policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync" id="admx-settingsync-disableappsyncsettingsync">ADMX_SettingSync/DisableAppSyncSettingSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync" id="admx-settingsync-disableapplicationsettingsync">ADMX_SettingSync/DisableApplicationSettingSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync" id="admx-settingsync-disablecredentialssettingsync">ADMX_SettingSync/DisableCredentialsSettingSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync" id="admx-settingsync-disabledesktopthemesettingsync">ADMX_SettingSync/DisableDesktopThemeSettingSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync" id="admx-settingsync-disablepersonalizationsettingsync">ADMX_SettingSync/DisablePersonalizationSettingSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync" id="admx-settingsync-disablesettingsync">ADMX_SettingSync/DisableSettingSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync" id="admx-settingsync-disablestartlayoutsettingsync">ADMX_SettingSync/DisableStartLayoutSettingSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork" id="admx-settingsync-disablesynconpaidnetwork">ADMX_SettingSync/DisableSyncOnPaidNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync" id="admx-settingsync-disablewindowssettingsync">ADMX_SettingSync/DisableWindowsSettingSync</a>
-  </dd>
-</dl>
-
-### ADMX_SharedFolders policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots" id="admx-sharedfolders-publishdfsroots">ADMX_SharedFolders/PublishDfsRoots</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders" id="admx-sharedfolders-publishsharedfolders">ADMX_SharedFolders/PublishSharedFolders</a>
-  </dd>
-</dl>
-
-### ADMX_Sharing policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing" id="admx-sharing-noinplacesharing">ADMX_Sharing/NoInplaceSharing</a>
-  </dd>
-</dl>
-
-### ADMX_ShellCommandPromptRegEditTools policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps" id="admx-shellcommandpromptregedittools-disallowapps">ADMX_ShellCommandPromptRegEditTools/DisallowApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit" id="admx-shellcommandpromptregedittools-disableregedit">ADMX_ShellCommandPromptRegEditTools/DisableRegedit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd" id="admx-shellcommandpromptregedittools-disablecmd">ADMX_ShellCommandPromptRegEditTools/DisableCMD</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-restrictapps" id="admx-shellcommandpromptregedittools-restrictapps">ADMX_ShellCommandPromptRegEditTools/RestrictApps</a>
-  </dd>
-<dl>
-
-### ADMX_Smartcard policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku" id="admx-smartcard-allowcertificateswithnoeku">ADMX_Smartcard/AllowCertificatesWithNoEKU</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock" id="admx-smartcard-allowintegratedunblock">ADMX_Smartcard/AllowIntegratedUnblock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys" id="admx-smartcard-allowsignatureonlykeys">ADMX_Smartcard/AllowSignatureOnlyKeys</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-allowtimeinvalidcertificates" id="admx-smartcard-allowtimeinvalidcertificates">ADMX_Smartcard/AllowTimeInvalidCertificates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-certpropenabledstring" id="admx-smartcard-certpropenabledstring">ADMX_Smartcard/CertPropEnabledString</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-certproprootcleanupstring" id="admx-smartcard-certproprootcleanupstring">ADMX_Smartcard/CertPropRootCleanupString</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-certproprootenabledstring" id="admx-smartcard-certproprootenabledstring">ADMX_Smartcard/CertPropRootEnabledString</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-disallowplaintextpin" id="admx-smartcard-disallowplaintextpin">ADMX_Smartcard/DisallowPlaintextPin</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-enumerateecccerts" id="admx-smartcard-enumerateecccerts">ADMX_Smartcard/EnumerateECCCerts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-filterduplicatecerts" id="admx-smartcard-filterduplicatecerts">ADMX_Smartcard/FilterDuplicateCerts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-forcereadingallcertificates" id="admx-smartcard-forcereadingallcertificates">ADMX_Smartcard/ForceReadingAllCertificates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-integratedunblockpromptstring" id="admx-smartcard-integratedunblockpromptstring">ADMX_Smartcard/IntegratedUnblockPromptString</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-reversesubject" id="admx-smartcard-reversesubject">ADMX_Smartcard/ReverseSubject</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-scpnpenabled" id="admx-smartcard-scpnpenabled">ADMX_Smartcard/SCPnPEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-scpnpnotification" id="admx-smartcard-scpnpnotification">ADMX_Smartcard/SCPnPNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-smartcard.md#admx-smartcard-x509hintsneeded" id="admx-smartcard-x509hintsneeded">ADMX_Smartcard/X509HintsNeeded</a>
-  </dd>
-</dl>
-
-### ADMX_Snmp policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-snmp.md#admx-snmp-snmp-communities" id="admx-snmp-snmp-communities">ADMX_Snmp/SNMP_Communities</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers" id="admx-snmp-snmp-permittedmanagers">ADMX_Snmp/SNMP_PermittedManagers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public" id="admx-snmp-snmp-traps-public">ADMX_Snmp/SNMP_Traps_Public</a>
-  </dd>
-</dl>
-  </dd>
-<dl>
-
-### ADMX_StartMenu policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu" id="admx-startmenu-addsearchinternetlinkinstartmenu">ADMX_StartMenu/AddSearchInternetLinkInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit" id="admx-startmenu-clearrecentdocsonexit">ADMX_StartMenu/ClearRecentDocsOnExit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu" id="admx-startmenu-clearrecentprogfornewuserinstartmenu">ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-cleartilesonexit" id="admx-startmenu-cleartilesonexit">ADMX_StartMenu/ClearTilesOnExit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-desktopappsfirstinappsview" id="admx-startmenu-desktopappsfirstinappsview">ADMX_StartMenu/DesktopAppsFirstInAppsView</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-disableglobalsearchonappsview" id="admx-startmenu-disableglobalsearchonappsview">ADMX_StartMenu/DisableGlobalSearchOnAppsView</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-forcestartmenulogoff" id="admx-startmenu-forcestartmenulogoff">ADMX_StartMenu/ForceStartMenuLogOff</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-gotodesktoponsignin" id="admx-startmenu-gotodesktoponsignin">ADMX_StartMenu/GoToDesktopOnSignIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-greymsiads" id="admx-startmenu-greymsiads">ADMX_StartMenu/GreyMSIAds</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-hidepoweroptions" id="admx-startmenu-hidepoweroptions">ADMX_StartMenu/HidePowerOptions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-intellimenus" id="admx-startmenu-intellimenus">ADMX_StartMenu/Intellimenus</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-locktaskbar" id="admx-startmenu-locktaskbar">ADMX_StartMenu/LockTaskbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-memcheckboxinrundlg" id="admx-startmenu-memcheckboxinrundlg">ADMX_StartMenu/MemCheckBoxInRunDlg</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-noautotraynotify" id="admx-startmenu-noautotraynotify">ADMX_StartMenu/NoAutoTrayNotify</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-noballoontip" id="admx-startmenu-noballoontip">ADMX_StartMenu/NoBalloonTip</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nochangestartmenu" id="admx-startmenu-nochangestartmenu">ADMX_StartMenu/NoChangeStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-noclose" id="admx-startmenu-noclose">ADMX_StartMenu/NoClose</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nocommongroups" id="admx-startmenu-nocommongroups">ADMX_StartMenu/NoCommonGroups</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nofavoritesmenu" id="admx-startmenu-nofavoritesmenu">ADMX_StartMenu/NoFavoritesMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nofind" id="admx-startmenu-nofind">ADMX_StartMenu/NoFind</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nogamesfolderonstartmenu" id="admx-startmenu-nogamesfolderonstartmenu">ADMX_StartMenu/NoGamesFolderOnStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nohelp" id="admx-startmenu-nohelp">ADMX_StartMenu/NoHelp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-noinstrumentation" id="admx-startmenu-noinstrumentation">ADMX_StartMenu/NoInstrumentation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nomoreprogramslist" id="admx-startmenu-nomoreprogramslist">ADMX_StartMenu/NoMoreProgramsList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nonetanddialupconnect" id="admx-startmenu-nonetanddialupconnect">ADMX_StartMenu/NoNetAndDialupConnect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nopinnedprograms" id="admx-startmenu-nopinnedprograms">ADMX_StartMenu/NoPinnedPrograms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-norecentdocsmenu" id="admx-startmenu-norecentdocsmenu">ADMX_StartMenu/NoRecentDocsMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-noresolvesearch" id="admx-startmenu-noresolvesearch">ADMX_StartMenu/NoResolveSearch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-noresolvetrack" id="admx-startmenu-noresolvetrack">ADMX_StartMenu/NoResolveTrack</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-norun" id="admx-startmenu-norun">ADMX_StartMenu/NoRun</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosmconfigureprograms" id="admx-startmenu-nosmconfigureprograms">ADMX_StartMenu/NoSMConfigurePrograms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosmmydocuments" id="admx-startmenu-nosmmydocuments">ADMX_StartMenu/NoSMMyDocuments</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosmmymusic" id="admx-startmenu-nosmmymusic">ADMX_StartMenu/NoSMMyMusic</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosmmynetworkplaces" id="admx-startmenu-nosmmynetworkplaces">ADMX_StartMenu/NoSMMyNetworkPlaces</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosmmypictures" id="admx-startmenu-nosmmypictures">ADMX_StartMenu/NoSMMyPictures</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomminstartmenu" id="admx-startmenu-nosearchcomminstartmenu">ADMX_StartMenu/NoSearchCommInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomputerlinkinstartmenu" id="admx-startmenu-nosearchcomputerlinkinstartmenu">ADMX_StartMenu/NoSearchComputerLinkInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosearcheverywherelinkinstartmenu" id="admx-startmenu-nosearcheverywherelinkinstartmenu">ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosearchfilesinstartmenu" id="admx-startmenu-nosearchfilesinstartmenu">ADMX_StartMenu/NoSearchFilesInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosearchinternetinstartmenu" id="admx-startmenu-nosearchinternetinstartmenu">ADMX_StartMenu/NoSearchInternetInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosearchprogramsinstartmenu" id="admx-startmenu-nosearchprogramsinstartmenu">ADMX_StartMenu/NoSearchProgramsInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosetfolders" id="admx-startmenu-nosetfolders">ADMX_StartMenu/NoSetFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nosettaskbar" id="admx-startmenu-nosettaskbar">ADMX_StartMenu/NoSetTaskbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenudownload" id="admx-startmenu-nostartmenudownload">ADMX_StartMenu/NoStartMenuDownload</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuhomegroup" id="admx-startmenu-nostartmenuhomegroup">ADMX_StartMenu/NoStartMenuHomegroup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenurecordedtv" id="admx-startmenu-nostartmenurecordedtv">ADMX_StartMenu/NoStartMenuRecordedTV</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenusubfolders" id="admx-startmenu-nostartmenusubfolders">ADMX_StartMenu/NoStartMenuSubFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuvideos" id="admx-startmenu-nostartmenuvideos">ADMX_StartMenu/NoStartMenuVideos</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nostartpage" id="admx-startmenu-nostartpage">ADMX_StartMenu/NoStartPage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-notaskbarclock" id="admx-startmenu-notaskbarclock">ADMX_StartMenu/NoTaskBarClock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-notaskgrouping" id="admx-startmenu-notaskgrouping">ADMX_StartMenu/NoTaskGrouping</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-notoolbarsontaskbar" id="admx-startmenu-notoolbarsontaskbar">ADMX_StartMenu/NoToolbarsOnTaskbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-notraycontextmenu" id="admx-startmenu-notraycontextmenu">ADMX_StartMenu/NoTrayContextMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-notrayitemsdisplay" id="admx-startmenu-notrayitemsdisplay">ADMX_StartMenu/NoTrayItemsDisplay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nouninstallfromstart" id="admx-startmenu-nouninstallfromstart">ADMX_StartMenu/NoUninstallFromStart</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nouserfolderonstartmenu" id="admx-startmenu-nouserfolderonstartmenu">ADMX_StartMenu/NoUserFolderOnStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nousernameonstartmenu" id="admx-startmenu-nousernameonstartmenu">ADMX_StartMenu/NoUserNameOnStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-nowindowsupdate" id="admx-startmenu-nowindowsupdate">ADMX_StartMenu/NoWindowsUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-powerbuttonaction" id="admx-startmenu-powerbuttonaction">ADMX_StartMenu/PowerButtonAction</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-quicklaunchenabled" id="admx-startmenu-quicklaunchenabled">ADMX_StartMenu/QuickLaunchEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-removeundockpcbutton" id="admx-startmenu-removeundockpcbutton">ADMX_StartMenu/RemoveUnDockPCButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-showappsviewonstart" id="admx-startmenu-showappsviewonstart">ADMX_StartMenu/ShowAppsViewOnStart</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-showrunasdifferentuserinstart" id="admx-startmenu-showrunasdifferentuserinstart">ADMX_StartMenu/ShowRunAsDifferentUserInStart</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-showruninstartmenu" id="admx-startmenu-showruninstartmenu">ADMX_StartMenu/ShowRunInStartMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey" id="admx-startmenu-showstartondisplaywithforegroundonwinkey">ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff" id="admx-startmenu-startmenulogoff">ADMX_StartMenu/StartMenuLogOff</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled" id="admx-startmenu-startpinappswheninstalled">ADMX_StartMenu/StartPinAppsWhenInstalled</a>
-  </dd>
-</dl>
-
-### ADMX_SystemRestore policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig" ID="admx-systemrestore-sr-disableconfig">ADMX_SystemRestore/SR_DisableConfig</a>
-  </dd>
-</dl>
-
-### ADMX_TabletShell policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-tabletshell.md#admx-tabletshell-disableinkball_1" ID="admx-tabletshell-disableinkball_1">ADMX_TabletShell/DisableInkball_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tabletshell.md#admx-tabletshell-disablenotewriterprinting_1" ID="admx-tabletshell-disablenotewriterprinting_1">ADMX_TabletShell/DisableNoteWriterPrinting_1</a>
-  </dd>
-<dl>
-
-### ADMX_Taskbar policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter" ID="admx-taskbar-disablenotificationcenter">ADMX_Taskbar/DisableNotificationCenter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications" ID="admx-taskbar-enablelegacyballoonnotifications">ADMX_Taskbar/EnableLegacyBalloonNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth" ID="admx-taskbar-hidescahealth">ADMX_Taskbar/HideSCAHealth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-hidescanetwork" ID="admx-taskbar-hidescanetwork">ADMX_Taskbar/HideSCANetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-hidescapower" ID="admx-taskbar-hidescapower">ADMX_Taskbar/HideSCAPower</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-hidescavolume" ID="admx-taskbar-hidescavolume">ADMX_Taskbar/HideSCAVolume</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-noballoonfeatureadvertisements" ID="admx-taskbar-noballoonfeatureadvertisements">ADMX_Taskbar/NoBalloonFeatureAdvertisements</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-nopinningstoretotaskbar" ID="admx-taskbar-nopinningstoretotaskbar">ADMX_Taskbar/NoPinningStoreToTaskbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtodestinations" ID="admx-taskbar-nopinningtodestinations">ADMX_Taskbar/NoPinningToDestinations</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtotaskbar" ID="admx-taskbar-nopinningtotaskbar">ADMX_Taskbar/NoPinningToTaskbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-noremotedestinations" ID="admx-taskbar-noremotedestinations">ADMX_Taskbar/NoRemoteDestinations</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-nosystraysystempromotion" ID="admx-taskbar-nosystraysystempromotion">ADMX_Taskbar/NoSystraySystemPromotion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-showwindowsstoreappsontaskbar" ID="admx-taskbar-showwindowsstoreappsontaskbar">ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarlockall" ID="admx-taskbar-taskbarlockall">ADMX_Taskbar/TaskbarLockAll</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoaddremovetoolbar" ID="admx-taskbar-taskbarnoaddremovetoolbar">ADMX_Taskbar/TaskbarNoAddRemoveToolbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnodragtoolbar" ID="admx-taskbar-taskbarnodragtoolbar">ADMX_Taskbar/TaskbarNoDragToolbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnomultimon" ID="admx-taskbar-taskbarnomultimon">ADMX_Taskbar/TaskbarNoMultimon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnonotification" ID="admx-taskbar-taskbarnonotification">ADMX_Taskbar/TaskbarNoNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnopinnedlist" ID="admx-taskbar-taskbarnopinnedlist">ADMX_Taskbar/TaskbarNoPinnedList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoredock" ID="admx-taskbar-taskbarnoredock">ADMX_Taskbar/TaskbarNoRedock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoresize" ID="admx-taskbar-taskbarnoresize">ADMX_Taskbar/TaskbarNoResize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnothumbnail" ID="admx-taskbar-taskbarnothumbnail">ADMX_Taskbar/TaskbarNoThumbnail</a>
-  </dd>
-</dl>
-
-### ADMX_tcpip policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name" id="admx-tcpip-6to4-router-name">ADMX_tcpip/6to4_Router_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval" id="admx-tcpip-6to4-router-name-resolution-interval">ADMX_tcpip/6to4_Router_Name_Resolution_Interval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state" id="admx-tcpip-6to4-state">ADMX_tcpip/6to4_State</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-iphttps-clientstate" id="admx-tcpip-iphttps-clientstate">ADMX_tcpip/IPHTTPS_ClientState</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-ip-stateless-autoconfiguration-limits-state" id="admx-tcpip-ip-stateless-autoconfiguration-limits-state">ADMX_tcpip/IP_Stateless_Autoconfiguration_Limits_State</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-isatap-router-name" id="admx-tcpip-isatap-router-name">ADMX_tcpip/ISATAP_Router_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-isatap-state" id="admx-tcpip-isatap-state">ADMX_tcpip/ISATAP_State</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-teredo-client-port" id="admx-tcpip-teredo-client-port">ADMX_tcpip/Teredo_Client_Port</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-teredo-default-qualified" id="admx-tcpip-teredo-default-qualified">ADMX_tcpip/Teredo_Default_Qualified</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-teredo-refresh-rate" id="admx-tcpip-teredo-refresh-rate">ADMX_tcpip/Teredo_Refresh_Rate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-teredo-server-name" id="admx-tcpip-teredo-server-name">ADMX_tcpip/Teredo_Server_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-teredo-state" id="admx-tcpip-teredo-state">ADMX_tcpip/Teredo_State</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tcpip.md#admx-tcpip-windows-scaling-heuristics-state" id="admx-tcpip-windows-scaling-heuristics-state">ADMX_tcpip/Windows_Scaling_Heuristics_State</a>
-  </dd>
-</dl>
-
-### ADMX_TerminalServer policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_auto_reconnect" id="admx-terminalserver-ts_auto_reconnect">ADMX_TerminalServer/TS_AUTO_RECONNECT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_camera_redirection" id="admx-terminalserver-ts_camera_redirection">ADMX_TerminalServer/TS_CAMERA_REDIRECTION</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_certificate_template_policy" id="admx-terminalserver-ts_certificate_template_policy">ADMX_TerminalServer/TS_CERTIFICATE_TEMPLATE_POLICY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_1" id="admx-terminalserver-ts_client_allow_signed_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_signed_files_2" id="admx-terminalserver-ts_client_allow_signed_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_SIGNED_FILES_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_1" id="admx-terminalserver-ts_client_allow_unsigned_files_1">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_allow_unsigned_files_2" id="admx-terminalserver-ts_client_allow_unsigned_files_2">ADMX_TerminalServer/TS_CLIENT_ALLOW_UNSIGNED_FILES_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio" id="admx-terminalserver-ts_client_audio">ADMX_TerminalServer/TS_CLIENT_AUDIO</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_capture" id="admx-terminalserver-ts_client_audio_capture">ADMX_TerminalServer/TS_CLIENT_AUDIO_CAPTURE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_audio_quality" id="admx-terminalserver-ts_client_audio_quality">ADMX_TerminalServer/TS_CLIENT_AUDIO_QUALITY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_clipboard" id="admx-terminalserver-ts_client_clipboard">ADMX_TerminalServer/TS_CLIENT_CLIPBOARD</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_com" id="admx-terminalserver-ts_client_com">ADMX_TerminalServer/TS_CLIENT_COM</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_default_m" id="admx-terminalserver-ts_client_default_m">ADMX_TerminalServer/TS_CLIENT_DEFAULT_M</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_hardware_mode" id="admx-terminalserver-ts_client_disable_hardware_mode">ADMX_TerminalServer/TS_CLIENT_DISABLE_HARDWARE_MODE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_disable_password_saving_1" id="admx-terminalserver-ts_client_disable_password_saving_1">ADMX_TerminalServer/TS_CLIENT_DISABLE_PASSWORD_SAVING_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_lpt" id="admx-terminalserver-ts_client_lpt">ADMX_TerminalServer/TS_CLIENT_LPT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_pnp" id="admx-terminalserver-ts_client_pnp">ADMX_TerminalServer/TS_CLIENT_PNP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_printer" id="admx-terminalserver-ts_client_printer">ADMX_TerminalServer/TS_CLIENT_PRINTER</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_1" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_1">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_trusted_certificate_thumbprints_2" id="admx-terminalserver-ts_client_trusted_certificate_thumbprints_2">ADMX_TerminalServer/TS_CLIENT_TRUSTED_CERTIFICATE_THUMBPRINTS_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_client_turn_off_udp" id="admx-terminalserver-ts_client_turn_off_udp">ADMX_TerminalServer/TS_CLIENT_TURN_OFF_UDP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_colordepth" id="admx-terminalserver-ts_colordepth">ADMX_TerminalServer/TS_COLORDEPTH</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_delete_roaming_user_profiles" id="admx-terminalserver-ts_delete_roaming_user_profiles">ADMX_TerminalServer/TS_DELETE_ROAMING_USER_PROFILES</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_disable_remote_desktop_wallpaper" id="admx-terminalserver-ts_disable_remote_desktop_wallpaper">ADMX_TerminalServer/TS_DISABLE_REMOTE_DESKTOP_WALLPAPER</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_dx_use_full_hwgpu" id="admx-terminalserver-ts_dx_use_full_hwgpu">ADMX_TerminalServer/TS_DX_USE_FULL_HWGPU</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print" id="admx-terminalserver-ts_easy_print">ADMX_TerminalServer/TS_EASY_PRINT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_easy_print_user" id="admx-terminalserver-ts_easy_print_user">ADMX_TerminalServer/TS_EASY_PRINT_User</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_enablevirtualgraphics" id="admx-terminalserver-ts_enablevirtualgraphics">ADMX_TerminalServer/TS_EnableVirtualGraphics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_fallbackprintdrivertype" id="admx-terminalserver-ts_fallbackprintdrivertype">ADMX_TerminalServer/TS_FALLBACKPRINTDRIVERTYPE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_forcible_logoff" id="admx-terminalserver-ts_forcible_logoff">ADMX_TerminalServer/TS_FORCIBLE_LOGOFF</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_enable" id="admx-terminalserver-ts_gateway_policy_enable">ADMX_TerminalServer/TS_GATEWAY_POLICY_ENABLE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_auth_method" id="admx-terminalserver-ts_gateway_policy_auth_method">ADMX_TerminalServer/TS_GATEWAY_POLICY_AUTH_METHOD</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_gateway_policy_server" id="admx-terminalserver-ts_gateway_policy_server">ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_join_session_directory" id="admx-terminalserver-ts_join_session_directory">ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_keep_alive" id="admx-terminalserver-ts_keep_alive">ADMX_TerminalServer/TS_KEEP_ALIVE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_secgroup" id="admx-terminalserver-ts_license_secgroup">ADMX_TerminalServer/TS_LICENSE_SECGROUP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_servers" id="admx-terminalserver-ts_license_servers">ADMX_TerminalServer/TS_LICENSE_SERVERS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_license_tooltip" id="admx-terminalserver-ts_license_tooltip">ADMX_TerminalServer/TS_LICENSE_TOOLTIP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_licensing_mode" id="admx-terminalserver-ts_licensing_mode">ADMX_TerminalServer/TS_LICENSING_MODE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_max_con_policy" id="admx-terminalserver-ts_max_con_policy">ADMX_TerminalServer/TS_MAX_CON_POLICY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxdisplayres" id="admx-terminalserver-ts_maxdisplayres">ADMX_TerminalServer/TS_MAXDISPLAYRES</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_maxmonitor" id="admx-terminalserver-ts_maxmonitor">ADMX_TerminalServer/TS_MAXMONITOR</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nodisconnectmenu" id="admx-terminalserver-ts_nodisconnectmenu">ADMX_TerminalServer/TS_NoDisconnectMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_nosecuritymenu" id="admx-terminalserver-ts_nosecuritymenu">ADMX_TerminalServer/TS_NoSecurityMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_preventlicenseupgrade" id="admx-terminalserver-ts_preventlicenseupgrade">ADMX_TerminalServer/TS_PreventLicenseUpgrade</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_promt_creds_client_comp" id="admx-terminalserver-ts_promt_creds_client_comp">ADMX_TerminalServer/TS_PROMT_CREDS_CLIENT_COMP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_radc_defaultconnection" id="admx-terminalserver-ts_radc_defaultconnection">ADMX_TerminalServer/TS_RADC_DefaultConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_rdsappx_waitforregistration" id="admx-terminalserver-ts_rdsappx_waitforregistration">ADMX_TerminalServer/TS_RDSAppX_WaitForRegistration</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_1" id="admx-terminalserver-ts_remotecontrol_1">ADMX_TerminalServer/TS_RemoteControl_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotecontrol_2" id="admx-terminalserver-ts_remotecontrol_2">ADMX_TerminalServer/TS_RemoteControl_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_remotedesktopvirtualgraphics" id="admx-terminalserver-ts_remotedesktopvirtualgraphics">ADMX_TerminalServer/TS_RemoteDesktopVirtualGraphics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_clustname" id="admx-terminalserver-ts_sd_clustname">ADMX_TerminalServer/TS_SD_ClustName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_expose_address" id="admx-terminalserver-ts_sd_expose_address">ADMX_TerminalServer/TS_SD_EXPOSE_ADDRESS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sd_loc" id="admx-terminalserver-ts_sd_loc">ADMX_TerminalServer/TS_SD_Loc</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_security_layer_policy" id="admx-terminalserver-ts_security_layer_policy">ADMX_TerminalServer/TS_SECURITY_LAYER_POLICY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_network_detect" id="admx-terminalserver-ts_select_network_detect">ADMX_TerminalServer/TS_SELECT_NETWORK_DETECT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_select_transport" id="admx-terminalserver-ts_select_transport">ADMX_TerminalServer/TS_SELECT_TRANSPORT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_advanced_remotefx_remoteapp" id="admx-terminalserver-ts_server_advanced_remotefx_remoteapp">ADMX_TerminalServer/TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_auth" id="admx-terminalserver-ts_server_auth">ADMX_TerminalServer/TS_SERVER_AUTH</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc_hw_encode_preferred" id="admx-terminalserver-ts_server_avc_hw_encode_preferred">ADMX_TerminalServer/TS_SERVER_AVC_HW_ENCODE_PREFERRED</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_avc444_mode_preferred" id="admx-terminalserver-ts_server_avc444_mode_preferred">ADMX_TerminalServer/TS_SERVER_AVC444_MODE_PREFERRED</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_compressor" id="admx-terminalserver-ts_server_compressor">ADMX_TerminalServer/TS_SERVER_COMPRESSOR</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_image_quality" id="admx-terminalserver-ts_server_image_quality">ADMX_TerminalServer/TS_SERVER_IMAGE_QUALITY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_legacy_rfx" id="admx-terminalserver-ts_server_legacy_rfx">ADMX_TerminalServer/TS_SERVER_LEGACY_RFX</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_profile" id="admx-terminalserver-ts_server_profile">ADMX_TerminalServer/TS_SERVER_PROFILE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_visexp" id="admx-terminalserver-ts_server_visexp">ADMX_TerminalServer/TS_SERVER_VISEXP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_server_wddm_graphics_driver" id="admx-terminalserver-ts_server_wddm_graphics_driver">ADMX_TerminalServer/TS_SERVER_WDDM_GRAPHICS_DRIVER</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_1" id="admx-terminalserver-ts_session_end_on_limit_1">ADMX_TerminalServer/TS_Session_End_On_Limit_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_session_end_on_limit_2" id="admx-terminalserver-ts_session_end_on_limit_2">ADMX_TerminalServer/TS_Session_End_On_Limit_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_1" id="admx-terminalserver-ts_sessions_disconnected_timeout_1">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_disconnected_timeout_2" id="admx-terminalserver-ts_sessions_disconnected_timeout_2">ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2</a>
-  </dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_1" id="admx-terminalserver-ts_sessions_idle_limit_1">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_sessions_idle_limit_2" id="admx-terminalserver-ts_sessions_idle_limit_2">ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_single_session" id="admx-terminalserver-ts_single_session">ADMX_TerminalServer/TS_SINGLE_SESSION</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_smart_card" id="admx-terminalserver-ts_smart_card">ADMX_TerminalServer/TS_SMART_CARD</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_1" id="admx-terminalserver-ts_start_program_1">ADMX_TerminalServer/TS_START_PROGRAM_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_start_program_2" id="admx-terminalserver-ts_start_program_2">ADMX_TerminalServer/TS_START_PROGRAM_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_delete" id="admx-terminalserver-ts_temp_delete">ADMX_TerminalServer/TS_TEMP_DELETE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_temp_per_session" id="admx-terminalserver-ts_temp_per_session">ADMX_TerminalServer/TS_TEMP_PER_SESSION</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_time_zone" id="admx-terminalserver-ts_time_zone">ADMX_TerminalServer/TS_TIME_ZONE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_tscc_permissions_policy" id="admx-terminalserver-ts_tscc_permissions_policy">ADMX_TerminalServer/TS_TSCC_PERMISSIONS_POLICY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_turnoff_singleapp" id="admx-terminalserver-ts_turnoff_singleapp">ADMX_TerminalServer/TS_TURNOFF_SINGLEAPP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_uia" id="admx-terminalserver-ts_uia">ADMX_TerminalServer/TS_UIA</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_usb_redirection_disable" id="admx-terminalserver-ts_usb_redirection_disable">ADMX_TerminalServer/TS_USB_REDIRECTION_DISABLE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_authentication_policy" id="admx-terminalserver-ts_user_authentication_policy">ADMX_TerminalServer/TS_USER_AUTHENTICATION_POLICY</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_home" id="admx-terminalserver-ts_user_home">ADMX_TerminalServer/TS_USER_HOME</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_mandatory_profiles" id="admx-terminalserver-ts_user_mandatory_profiles">ADMX_TerminalServer/TS_USER_MANDATORY_PROFILES</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-terminalserver.md#admx-terminalserver-ts_user_profiles" id="admx-terminalserver-ts_user_profiles">ADMX_TerminalServer/TS_USER_PROFILES</a>
-  </dd>
-<dl>
-
-### ADMX_Thumbnails policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnails" id="admx-thumbnails-disablethumbnails">ADMX_Thumbnails/DisableThumbnails</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbnailsonnetworkfolders" id="admx-thumbnails-disablethumbnailsonnetworkfolders">ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-thumbnails.md#admx-thumbnails-disablethumbsdbonnetworkfolders" id="admx-thumbnails-disablethumbsdbonnetworkfolders">ADMX_Thumbnails/DisableThumbsDBOnNetworkFolders</a>
-  </dd>
-</dl>
-
-### ADMX_TouchInput policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_1" id="admx-touchinput-touchinputoff_1">ADMX_TouchInput/TouchInputOff_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-touchinput.md#admx-touchinput-touchinputoff_2" id="admx-touchinput-touchinputoff_2">ADMX_TouchInput/TouchInputOff_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_1" id="admx-touchinput-panningeverywhereoff_1">ADMX_TouchInput/PanningEverywhereOff_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-touchinput.md#admx-touchinput-panningeverywhereoff_2" id="admx-touchinput-panningeverywhereoff_2">ADMX_TouchInput/PanningEverywhereOff_2</a>
-  </dd>
-</dl>
-
-### ADMX_TPM policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-blockedcommandslist-name" id="admx-tpm-blockedcommandslist-name">ADMX_TPM/BlockedCommandsList_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-cleartpmifnotready-name" id="admx-tpm-cleartpmifnotready-name">ADMX_TPM/ClearTPMIfNotReady_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-ignoredefaultlist-name" id="admx-tpm-ignoredefaultlist-name">ADMX_TPM/IgnoreDefaultList_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-ignorelocallist-name" id="admx-tpm-ignorelocallist-name">ADMX_TPM/IgnoreLocalList_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-osmanagedauth-name" id="admx-tpm-osmanagedauth-name">ADMX_TPM/OSManagedAuth_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-optintodsha-name" id="admx-tpm-optintodsha-name">ADMX_TPM/OptIntoDSHA_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureduration-name" id="admx-tpm-standarduserauthorizationfailureduration-name">ADMX_TPM/StandardUserAuthorizationFailureDuration_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailureindividualthreshold-name" id="admx-tpm-standarduserauthorizationfailureindividualthreshold-name">ADMX_TPM/StandardUserAuthorizationFailureIndividualThreshold_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-standarduserauthorizationfailuretotalthreshold-name" id="admx-tpm-standarduserauthorizationfailuretotalthreshold-name">ADMX_TPM/StandardUserAuthorizationFailureTotalThreshold_Name</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-tpm.md#admx-tpm-uselegacydap-name" id="admx-tpm-uselegacydap-name">ADMX_TPM/UseLegacyDAP_Name</a>
-  </dd>
-</dl>
-
-### ADMX_UserExperienceVirtualization policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-calculator" id="admx-userexperiencevirtualization-calculator">ADMX_UserExperienceVirtualization/Calculator</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configuresyncmethod" id="admx-userexperiencevirtualization-configuresyncmethod">ADMX_UserExperienceVirtualization/ConfigureSyncMethod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-configurevdi" id="admx-userexperiencevirtualization-configurevdi">ADMX_UserExperienceVirtualization/ConfigureVdi</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactitdescription" id="admx-userexperiencevirtualization-contactitdescription">ADMX_UserExperienceVirtualization/ContactITDescription</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-contactiturl" id="admx-userexperiencevirtualization-contactiturl">ADMX_UserExperienceVirtualization/ContactITUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewin8sync" id="admx-userexperiencevirtualization-disablewin8sync">ADMX_UserExperienceVirtualization/DisableWin8Sync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-disablewindowsossettings" id="admx-userexperiencevirtualization-disablewindowsossettings">ADMX_UserExperienceVirtualization/DisableWindowsOSSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-enableuev" id="admx-userexperiencevirtualization-enableuev">ADMX_UserExperienceVirtualization/EnableUEV</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-finance" id="admx-userexperiencevirtualization-finance">ADMX_UserExperienceVirtualization/Finance</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-firstusenotificationenabled" id="admx-userexperiencevirtualization-firstusenotificationenabled">ADMX_UserExperienceVirtualization/FirstUseNotificationEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-games" id="admx-userexperiencevirtualization-games">ADMX_UserExperienceVirtualization/Games</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer8" id="admx-userexperiencevirtualization-internetexplorer8">ADMX_UserExperienceVirtualization/InternetExplorer8</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer9" id="admx-userexperiencevirtualization-internetexplorer9">ADMX_UserExperienceVirtualization/InternetExplorer9</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer10" id="admx-userexperiencevirtualization-internetexplorer10">ADMX_UserExperienceVirtualization/InternetExplorer10</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorer11" id="admx-userexperiencevirtualization-internetexplorer11">ADMX_UserExperienceVirtualization/InternetExplorer11</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-internetexplorercommon" id="admx-userexperiencevirtualization-internetexplorercommon">ADMX_UserExperienceVirtualization/InternetExplorerCommon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maps" id="admx-userexperiencevirtualization-maps">ADMX_UserExperienceVirtualization/Maps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-maxpackagesizeinbytes" id="admx-userexperiencevirtualization-maxpackagesizeinbytes">ADMX_UserExperienceVirtualization/MaxPackageSizeInBytes</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010access" id="admx-userexperiencevirtualization-microsoftoffice2010access">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Access</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010common" id="admx-userexperiencevirtualization-microsoftoffice2010common">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Common</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010excel" id="admx-userexperiencevirtualization-microsoftoffice2010excel">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Excel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010infopath" id="admx-userexperiencevirtualization-microsoftoffice2010infopath">ADMX_UserExperienceVirtualization/MicrosoftOffice2010InfoPath</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010lync" id="admx-userexperiencevirtualization-microsoftoffice2010lync">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Lync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010onenote" id="admx-userexperiencevirtualization-microsoftoffice2010onenote">ADMX_UserExperienceVirtualization/MicrosoftOffice2010OneNote</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010outlook" id="admx-userexperiencevirtualization-microsoftoffice2010outlook">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Outlook</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010powerpoint" id="admx-userexperiencevirtualization-microsoftoffice2010powerpoint">ADMX_UserExperienceVirtualization/MicrosoftOffice2010PowerPoint</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010project" id="admx-userexperiencevirtualization-microsoftoffice2010project">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Project</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010publisher" id="admx-userexperiencevirtualization-microsoftoffice2010publisher">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Publisher</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointdesigner" id="admx-userexperiencevirtualization-microsoftoffice2010sharepointdesigner">ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointDesigner</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010sharepointworkspace" id="admx-userexperiencevirtualization-microsoftoffice2010sharepointworkspace">ADMX_UserExperienceVirtualization/MicrosoftOffice2010SharePointWorkspace</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010visio" id="admx-userexperiencevirtualization-microsoftoffice2010visio">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Visio</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2010word" id="admx-userexperiencevirtualization-microsoftoffice2010word">ADMX_UserExperienceVirtualization/MicrosoftOffice2010Word</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013access" id="admx-userexperiencevirtualization-microsoftoffice2013access">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Access</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013accessbackup" id="admx-userexperiencevirtualization-microsoftoffice2013accessbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013AccessBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013common" id="admx-userexperiencevirtualization-microsoftoffice2013common">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Common</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013commonbackup" id="admx-userexperiencevirtualization-microsoftoffice2013commonbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013CommonBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excel" id="admx-userexperiencevirtualization-microsoftoffice2013excel">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Excel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013excelbackup" id="admx-userexperiencevirtualization-microsoftoffice2013excelbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013ExcelBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopath" id="admx-userexperiencevirtualization-microsoftoffice2013infopath">ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPath</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013infopathbackup" id="admx-userexperiencevirtualization-microsoftoffice2013infopathbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013InfoPathBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lync" id="admx-userexperiencevirtualization-microsoftoffice2013lync">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Lync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013lyncbackup" id="admx-userexperiencevirtualization-microsoftoffice2013lyncbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013LyncBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onedriveforbusiness" id="admx-userexperiencevirtualization-microsoftoffice2013onedriveforbusiness">ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneDriveForBusiness</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenote" id="admx-userexperiencevirtualization-microsoftoffice2013onenote">ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNote</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013onenotebackup" id="admx-userexperiencevirtualization-microsoftoffice2013onenotebackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013OneNoteBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlook" id="admx-userexperiencevirtualization-microsoftoffice2013outlook">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Outlook</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013outlookbackup" id="admx-userexperiencevirtualization-microsoftoffice2013outlookbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013OutlookBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpoint" id="admx-userexperiencevirtualization-microsoftoffice2013powerpoint">ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPoint</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013powerpointbackup" id="admx-userexperiencevirtualization-microsoftoffice2013powerpointbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013PowerPointBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013project" id="admx-userexperiencevirtualization-microsoftoffice2013project">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Project</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013projectbackup" id="admx-userexperiencevirtualization-microsoftoffice2013projectbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013ProjectBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisher" id="admx-userexperiencevirtualization-microsoftoffice2013publisher">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Publisher</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013publisherbackup" id="admx-userexperiencevirtualization-microsoftoffice2013publisherbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013PublisherBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesigner" id="admx-userexperiencevirtualization-microsoftoffice2013sharepointdesigner">ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesigner</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013sharepointdesignerbackup" id="admx-userexperiencevirtualization-microsoftoffice2013sharepointdesignerbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013SharePointDesignerBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013uploadcenter" id="admx-userexperiencevirtualization-microsoftoffice2013uploadcenter">ADMX_UserExperienceVirtualization/MicrosoftOffice2013UploadCenter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visio" id="admx-userexperiencevirtualization-microsoftoffice2013visio">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Visio</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013visiobackup" id="admx-userexperiencevirtualization-microsoftoffice2013visiobackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013VisioBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013word" id="admx-userexperiencevirtualization-microsoftoffice2013word">ADMX_UserExperienceVirtualization/MicrosoftOffice2013Word</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2013wordbackup" id="admx-userexperiencevirtualization-microsoftoffice2013wordbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2013WordBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016access" id="admx-userexperiencevirtualization-microsoftoffice2016access">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Access</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016accessbackup" id="admx-userexperiencevirtualization-microsoftoffice2016accessbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016AccessBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016common" id="admx-userexperiencevirtualization-microsoftoffice2016common">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Common</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016commonbackup" id="admx-userexperiencevirtualization-microsoftoffice2016commonbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016CommonBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excel" id="admx-userexperiencevirtualization-microsoftoffice2016excel">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Excel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016excelbackup" id="admx-userexperiencevirtualization-microsoftoffice2016excelbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016ExcelBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lync" id="admx-userexperiencevirtualization-microsoftoffice2016lync">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Lync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016lyncbackup" id="admx-userexperiencevirtualization-microsoftoffice2016lyncbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016LyncBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onedriveforbusiness" id="admx-userexperiencevirtualization-microsoftoffice2016onedriveforbusiness">ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneDriveForBusiness</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenote" id="admx-userexperiencevirtualization-microsoftoffice2016onenote">ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNote</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016onenotebackup" id="admx-userexperiencevirtualization-microsoftoffice2016onenotebackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016OneNoteBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlook" id="admx-userexperiencevirtualization-microsoftoffice2016outlook">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Outlook</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016outlookbackup" id="admx-userexperiencevirtualization-microsoftoffice2016outlookbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016OutlookBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpoint" id="admx-userexperiencevirtualization-microsoftoffice2016powerpoint">ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPoint</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016powerpointbackup" id="admx-userexperiencevirtualization-microsoftoffice2016powerpointbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016PowerPointBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016project" id="admx-userexperiencevirtualization-microsoftoffice2016project">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Project</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016projectbackup" id="admx-userexperiencevirtualization-microsoftoffice2016projectbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016ProjectBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisher" id="admx-userexperiencevirtualization-microsoftoffice2016publisher">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Publisher</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016publisherbackup" id="admx-userexperiencevirtualization-microsoftoffice2016publisherbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016PublisherBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016uploadcenter" id="admx-userexperiencevirtualization-microsoftoffice2016uploadcenter">ADMX_UserExperienceVirtualization/MicrosoftOffice2016UploadCenter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visio" id="admx-userexperiencevirtualization-microsoftoffice2016visio">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Visio</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016visiobackup" id="admx-userexperiencevirtualization-microsoftoffice2016visiobackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016VisioBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016word" id="admx-userexperiencevirtualization-microsoftoffice2016word">ADMX_UserExperienceVirtualization/MicrosoftOffice2016Word</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice2016wordbackup" id="admx-userexperiencevirtualization-microsoftoffice2016wordbackup">ADMX_UserExperienceVirtualization/MicrosoftOffice2016WordBackup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2013" id="admx-userexperiencevirtualization-microsoftoffice365access2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365access2016" id="admx-userexperiencevirtualization-microsoftoffice365access2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Access2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2013" id="admx-userexperiencevirtualization-microsoftoffice365common2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365common2016" id="admx-userexperiencevirtualization-microsoftoffice365common2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Common2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2013" id="admx-userexperiencevirtualization-microsoftoffice365excel2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365excel2016" id="admx-userexperiencevirtualization-microsoftoffice365excel2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Excel2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365infopath2013" id="admx-userexperiencevirtualization-microsoftoffice365infopath2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365InfoPath2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2013" id="admx-userexperiencevirtualization-microsoftoffice365lync2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365lync2016" id="admx-userexperiencevirtualization-microsoftoffice365lync2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Lync2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2013" id="admx-userexperiencevirtualization-microsoftoffice365onenote2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365onenote2016" id="admx-userexperiencevirtualization-microsoftoffice365onenote2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365OneNote2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2013" id="admx-userexperiencevirtualization-microsoftoffice365outlook2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365outlook2016" id="admx-userexperiencevirtualization-microsoftoffice365outlook2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Outlook2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2013" id="admx-userexperiencevirtualization-microsoftoffice365powerpoint2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365powerpoint2016" id="admx-userexperiencevirtualization-microsoftoffice365powerpoint2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365PowerPoint2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2013" id="admx-userexperiencevirtualization-microsoftoffice365project2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365project2016" id="admx-userexperiencevirtualization-microsoftoffice365project2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Project2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2013" id="admx-userexperiencevirtualization-microsoftoffice365publisher2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365publisher2016" id="admx-userexperiencevirtualization-microsoftoffice365publisher2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Publisher2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365sharepointdesigner2013" id="admx-userexperiencevirtualization-microsoftoffice365sharepointdesigner2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365SharePointDesigner2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2013" id="admx-userexperiencevirtualization-microsoftoffice365visio2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365visio2016" id="admx-userexperiencevirtualization-microsoftoffice365visio2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Visio2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2013" id="admx-userexperiencevirtualization-microsoftoffice365word2013">ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2013</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-microsoftoffice365word2016" id="admx-userexperiencevirtualization-microsoftoffice365word2016">ADMX_UserExperienceVirtualization/MicrosoftOffice365Word2016</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-music" id="admx-userexperiencevirtualization-music">ADMX_UserExperienceVirtualization/Music</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-news" id="admx-userexperiencevirtualization-news">ADMX_UserExperienceVirtualization/News</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-notepad" id="admx-userexperiencevirtualization-notepad">ADMX_UserExperienceVirtualization/Notepad</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-reader" id="admx-userexperiencevirtualization-reader">ADMX_UserExperienceVirtualization/Reader</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-repositorytimeout" id="admx-userexperiencevirtualization-repositorytimeout">ADMX_UserExperienceVirtualization/RepositoryTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingsstoragepath" id="admx-userexperiencevirtualization-settingsstoragepath">ADMX_UserExperienceVirtualization/SettingsStoragePath</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-settingstemplatecatalogpath" id="admx-userexperiencevirtualization-settingstemplatecatalogpath">ADMX_UserExperienceVirtualization/SettingsTemplateCatalogPath</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-sports" id="admx-userexperiencevirtualization-sports">ADMX_UserExperienceVirtualization/Sports</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncenabled" id="admx-userexperiencevirtualization-syncenabled">ADMX_UserExperienceVirtualization/SyncEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetwork" id="admx-userexperiencevirtualization-syncovermeterednetwork">ADMX_UserExperienceVirtualization/SyncOverMeteredNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncovermeterednetworkwhenroaming" id="admx-userexperiencevirtualization-syncovermeterednetworkwhenroaming">ADMX_UserExperienceVirtualization/SyncOverMeteredNetworkWhenRoaming</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncproviderpingenabled" id="admx-userexperiencevirtualization-syncproviderpingenabled">ADMX_UserExperienceVirtualization/SyncProviderPingEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-syncunlistedwindows8apps" id="admx-userexperiencevirtualization-syncunlistedwindows8apps">ADMX_UserExperienceVirtualization/SyncUnlistedWindows8Apps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-travel" id="admx-userexperiencevirtualization-travel">ADMX_UserExperienceVirtualization/Travel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-trayiconenabled" id="admx-userexperiencevirtualization-trayiconenabled">ADMX_UserExperienceVirtualization/TrayIconEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video" id="admx-userexperiencevirtualization-video">ADMX_UserExperienceVirtualization/Video</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather" id="admx-userexperiencevirtualization-weather">ADMX_UserExperienceVirtualization/Weather</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad" id="admx-userexperiencevirtualization-wordpad">ADMX_UserExperienceVirtualization/Wordpad</a>
-  </dd>
-</dl>
-
-### ADMX_UserProfiles policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles" id="admx-userprofiles-cleanupprofiles">ADMX_UserProfiles/CleanupProfiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive" id="admx-userprofiles-dontforceunloadhive">ADMX_UserProfiles/DontForceUnloadHive</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata" id="admx-userprofiles-leaveappmgmtdata">ADMX_UserProfiles/LeaveAppMgmtData</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize" id="admx-userprofiles-limitsize">ADMX_UserProfiles/LimitSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction" id="admx-userprofiles-profileerroraction">ADMX_UserProfiles/ProfileErrorAction</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout" id="admx-userprofiles-slowlinktimeout">ADMX_UserProfiles/SlowLinkTimeOut</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home" id="admx-userprofiles-user-home">ADMX_UserProfiles/USER_HOME</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction" id="admx-userprofiles-userinfoaccessaction">ADMX_UserProfiles/UserInfoAccessAction</a>
-  </dd>
-</dl>
-
-### ADMX_W32Time policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-w32time.md#admx-w32time-policy-config" id="admx-w32time-policy-config">ADMX_W32Time/W32TIME_POLICY_CONFIG</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient" id="admx-w32time-policy-configure-ntpclient">ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient" id="admx-w32time-policy-enable-ntpclient">ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpserver" id="admx-w32time-policy-enable-ntpserver">ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER</a>
-  </dd>
-</dl>
-
-### ADMX_WCM policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement" id="admx-wcm-wcm-disablepowermanagement">ADMX_WCM/WCM_DisablePowerManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect" id="admx-wcm-wcm-enablesoftdisconnect">ADMX_WCM/WCM_EnableSoftDisconnect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections" id="admx-wcm-wcm-minimizeconnections">ADMX_WCM/WCM_MinimizeConnections</a>
-  </dd>
-</dl>
-
-### ADMX_WDI Policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenarioexecutionpolicy" id="admx-wdi-wdidpsscenarioexecutionpolicy">ADMX_WDI/WdiDpsScenarioExecutionPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wdi.md#admx-wdi-wdidpsscenariodatasizelimitpolicy" id="admx-wdi-wdidpsscenariodatasizelimitpolicy">ADMX_WDI/WdiDpsScenarioDataSizeLimitPolicy</a>
-  </dd>
-<dl>
-
-### ADMX_WinCal policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1" id="admx-wincal-turnoffwincal-1">ADMX_WinCal/TurnOffWinCal_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2" id="admx-wincal-turnoffwincal-2">ADMX_WinCal/TurnOffWinCal_2</a>
-  </dd>
-</dl>
-
-### ADMX_WindowsConnectNow policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1" id="admx-windowsconnectnow-wcn-disablewcnui-1">ADMX_WindowsConnectNow/WCN_DisableWcnUi_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2" id="admx-windowsconnectnow-wcn-disablewcnui-2">ADMX_WindowsConnectNow/WCN_DisableWcnUi_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar" id="admx-windowsconnectnow-wcn-enableregistrar">ADMX_WindowsConnectNow/WCN_EnableRegistrar</a>
-  </dd>
-</dl>
-
-
-### ADMX_WindowsExplorer policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-checksamesourceandtargetforfranddfs" id="admx-windowsexplorer-checksamesourceandtargetforfranddfs">ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-classicshell" id="admx-windowsexplorer-classicshell">ADMX_WindowsExplorer/ClassicShell</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-confirmfiledelete" id="admx-windowsexplorer-confirmfiledelete">ADMX_WindowsExplorer/ConfirmFileDelete</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-defaultlibrarieslocation" id="admx-windowsexplorer-defaultlibrarieslocation">ADMX_WindowsExplorer/DefaultLibrariesLocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablebinddirectlytopropertysetstorage" id="admx-windowsexplorer-disablebinddirectlytopropertysetstorage">ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableindexedlibraryexperience" id="admx-windowsexplorer-disableindexedlibraryexperience">ADMX_WindowsExplorer/DisableIndexedLibraryExperience</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableknownfolders" id="admx-windowsexplorer-disableknownfolders">ADMX_WindowsExplorer/DisableKnownFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablesearchboxsuggestions" id="admx-windowsexplorer-disablesearchboxsuggestions">ADMX_WindowsExplorer/DisableSearchBoxSuggestions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enableshellshortcuticonremotepath" id="admx-windowsexplorer-enableshellshortcuticonremotepath">ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enablesmartscreen" id="admx-windowsexplorer-enablesmartscreen">ADMX_WindowsExplorer/EnableSmartScreen</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enforceshellextensionsecurity" id="admx-windowsexplorer-enforceshellextensionsecurity">ADMX_WindowsExplorer/EnforceShellExtensionSecurity</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-explorerribbonstartsminimized" id="admx-windowsexplorer-explorerribbonstartsminimized">ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-hidecontentviewmodesnippets" id="admx-windowsexplorer-hidecontentviewmodesnippets">ADMX_WindowsExplorer/HideContentViewModeSnippets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internet" id="admx-windowsexplorer-iz-policy-opensearchpreview-internet">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown" id="admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranet" id="admx-windowsexplorer-iz-policy-opensearchpreview-intranet">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown" id="admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachine" id="admx-windowsexplorer-iz-policy-opensearchpreview-localmachine">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown" id="admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restricted" id="admx-windowsexplorer-iz-policy-opensearchpreview-restricted">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown" id="admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trusted" id="admx-windowsexplorer-iz-policy-opensearchpreview-trusted">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown" id="admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internet" id="admx-windowsexplorer-iz-policy-opensearchquery-internet">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown" id="admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranet" id="admx-windowsexplorer-iz-policy-opensearchquery-intranet">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown" id="admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachine" id="admx-windowsexplorer-iz-policy-opensearchquery-localmachine">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown" id="admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restricted" id="admx-windowsexplorer-iz-policy-opensearchquery-restricted">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown" id="admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trusted" id="admx-windowsexplorer-iz-policy-opensearchquery-trusted">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown" id="admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown">ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-linkresolveignorelinkinfo" id="admx-windowsexplorer-linkresolveignorelinkinfo">ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-maxrecentdocs" id="admx-windowsexplorer-maxrecentdocs">ADMX_WindowsExplorer/MaxRecentDocs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nobackbutton" id="admx-windowsexplorer-nobackbutton">ADMX_WindowsExplorer/NoBackButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocdburning" id="admx-windowsexplorer-nocdburning">ADMX_WindowsExplorer/NoCDBurning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocachethumbnailpictures" id="admx-windowsexplorer-nocachethumbnailpictures">ADMX_WindowsExplorer/NoCacheThumbNailPictures</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangeanimation" id="admx-windowsexplorer-nochangeanimation">ADMX_WindowsExplorer/NoChangeAnimation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangekeyboardnavigationindicators" id="admx-windowsexplorer-nochangekeyboardnavigationindicators">ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodfstab" id="admx-windowsexplorer-nodfstab">ADMX_WindowsExplorer/NoDFSTab</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodrives" id="admx-windowsexplorer-nodrives">ADMX_WindowsExplorer/NoDrives</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noentirenetwork" id="admx-windowsexplorer-noentirenetwork">ADMX_WindowsExplorer/NoEntireNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemru" id="admx-windowsexplorer-nofilemru">ADMX_WindowsExplorer/NoFileMRU</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemenu" id="admx-windowsexplorer-nofilemenu">ADMX_WindowsExplorer/NoFileMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofolderoptions" id="admx-windowsexplorer-nofolderoptions">ADMX_WindowsExplorer/NoFolderOptions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nohardwaretab" id="admx-windowsexplorer-nohardwaretab">ADMX_WindowsExplorer/NoHardwareTab</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomanagemycomputerverb" id="admx-windowsexplorer-nomanagemycomputerverb">ADMX_WindowsExplorer/NoManageMyComputerVerb</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomycomputershareddocuments" id="admx-windowsexplorer-nomycomputershareddocuments">ADMX_WindowsExplorer/NoMyComputerSharedDocuments</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonetconnectdisconnect" id="admx-windowsexplorer-nonetconnectdisconnect">ADMX_WindowsExplorer/NoNetConnectDisconnect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonewappalert" id="admx-windowsexplorer-nonewappalert">ADMX_WindowsExplorer/NoNewAppAlert</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noplacesbar" id="admx-windowsexplorer-noplacesbar">ADMX_WindowsExplorer/NoPlacesBar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norecyclefiles" id="admx-windowsexplorer-norecyclefiles">ADMX_WindowsExplorer/NoRecycleFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norunasinstallprompt" id="admx-windowsexplorer-norunasinstallprompt">ADMX_WindowsExplorer/NoRunAsInstallPrompt</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosearchinternettryharderbutton" id="admx-windowsexplorer-nosearchinternettryharderbutton">ADMX_WindowsExplorer/NoSearchInternetTryHarderButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosecuritytab" id="admx-windowsexplorer-nosecuritytab">ADMX_WindowsExplorer/NoSecurityTab</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noshellsearchbutton" id="admx-windowsexplorer-noshellsearchbutton">ADMX_WindowsExplorer/NoShellSearchButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nostrcmplogical" id="admx-windowsexplorer-nostrcmplogical">ADMX_WindowsExplorer/NoStrCmpLogical</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewcontextmenu" id="admx-windowsexplorer-noviewcontextmenu">ADMX_WindowsExplorer/NoViewContextMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewondrive" id="admx-windowsexplorer-noviewondrive">ADMX_WindowsExplorer/NoViewOnDrive</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nowindowshotkeys" id="admx-windowsexplorer-nowindowshotkeys">ADMX_WindowsExplorer/NoWindowsHotKeys</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noworkgroupcontents" id="admx-windowsexplorer-noworkgroupcontents">ADMX_WindowsExplorer/NoWorkgroupContents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-placesbar" id="admx-windowsexplorer-placesbar">ADMX_WindowsExplorer/PlacesBar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-promptrunasinstallnetpath" id="admx-windowsexplorer-promptrunasinstallnetpath">ADMX_WindowsExplorer/PromptRunasInstallNetPath</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-recyclebinsize" id="admx-windowsexplorer-recyclebinsize">ADMX_WindowsExplorer/RecycleBinSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-1" id="admx-windowsexplorer-shellprotocolprotectedmodetitle-1">ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-2" id="admx-windowsexplorer-shellprotocolprotectedmodetitle-2">ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showhibernateoption" id="admx-windowsexplorer-showhibernateoption">ADMX_WindowsExplorer/ShowHibernateOption</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption" id="admx-windowsexplorer-showsleepoption">ADMX_WindowsExplorer/ShowSleepOption</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary" id="admx-windowsexplorer-tryharderpinnedlibrary">ADMX_WindowsExplorer/TryHarderPinnedLibrary</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch" id="admx-windowsexplorer-tryharderpinnedopensearch">ADMX_WindowsExplorer/TryHarderPinnedOpenSearch</a>
-  </dd>
-</dl>
-
-### ADMX_WindowsMediaDRM policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline" id="admx-windowsmediadrm-disableonline">ADMX_WindowsMediaDRM/DisableOnline</a>
-  </dd>
-</dl>
-
-### ADMX_WindowsMediaPlayer policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings" id="admx-windowsmediaplayer-configurehttpproxysettings">ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings" id="admx-windowsmediaplayer-configuremmsproxysettings">ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurertspproxysettings" id="admx-windowsmediaplayer-configurertspproxysettings">ADMX_WindowsMediaPlayer/ConfigureRTSPProxySettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disableautoupdate" id="admx-windowsmediaplayer-disableautoupdate">ADMX_WindowsMediaPlayer/DisableAutoUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablenetworksettings" id="admx-windowsmediaplayer-disablenetworksettings">ADMX_WindowsMediaPlayer/DisableNetworkSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-disablesetupfirstuseconfiguration" id="admx-windowsmediaplayer-disablesetupfirstuseconfiguration">ADMX_WindowsMediaPlayer/DisableSetupFirstUseConfiguration</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-donotshowanchor" id="admx-windowsmediaplayer-donotshowanchor">ADMX_WindowsMediaPlayer/DoNotShowAnchor</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-dontuseframeinterpolation" id="admx-windowsmediaplayer-dontuseframeinterpolation">ADMX_WindowsMediaPlayer/DontUseFrameInterpolation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-enablescreensaver" id="admx-windowsmediaplayer-enablescreensaver">ADMX_WindowsMediaPlayer/EnableScreenSaver</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hideprivacytab" id="admx-windowsmediaplayer-hideprivacytab">ADMX_WindowsMediaPlayer/HidePrivacyTab</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-hidesecuritytab" id="admx-windowsmediaplayer-hidesecuritytab">ADMX_WindowsMediaPlayer/HideSecurityTab</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-networkbuffering" id="admx-windowsmediaplayer-networkbuffering">ADMX_WindowsMediaPlayer/NetworkBuffering</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-policycodecupdate" id="admx-windowsmediaplayer-policycodecupdate">ADMX_WindowsMediaPlayer/PolicyCodecUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventcddvdmetadataretrieval" id="admx-windowsmediaplayer-preventcddvdmetadataretrieval">ADMX_WindowsMediaPlayer/PreventCDDVDMetadataRetrieval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventlibrarysharing" id="admx-windowsmediaplayer-preventlibrarysharing">ADMX_WindowsMediaPlayer/PreventLibrarySharing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventmusicfilemetadataretrieval" id="admx-windowsmediaplayer-preventmusicfilemetadataretrieval">ADMX_WindowsMediaPlayer/PreventMusicFileMetadataRetrieval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventquicklaunchshortcut" id="admx-windowsmediaplayer-preventquicklaunchshortcut">ADMX_WindowsMediaPlayer/PreventQuickLaunchShortcut</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventradiopresetsretrieval" id="admx-windowsmediaplayer-preventradiopresetsretrieval">ADMX_WindowsMediaPlayer/PreventRadioPresetsRetrieval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut" id="admx-windowsmediaplayer-preventwmpdesktopshortcut">ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown" id="admx-windowsmediaplayer-skinlockdown">ADMX_WindowsMediaPlayer/SkinLockDown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols" id="admx-windowsmediaplayer-windowsstreamingmediaprotocols">ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols</a>
-  </dd>
-</dl>
-
-
-### ADMX_WindowsRemoteManagement policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-1" id="admx-windowsremotemanagement-disallowkerberos-1">ADMX_WindowsRemoteManagement/DisallowKerberos_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-2" id="admx-windowsremotemanagement-disallowkerberos-2">ADMX_WindowsRemoteManagement/DisallowKerberos_2</a>
-  </dd>
-</dl>
-
-### ADMX_WindowsStore policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8" id="admx-windowsstore-disableautodownloadwin8">ADMX_WindowsStore/DisableAutoDownloadWin8</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1" id="admx-windowsstore-disableosupgrade-1">ADMX_WindowsStore/DisableOSUpgrade_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2" id="admx-windowsstore-disableosupgrade-2">ADMX_WindowsStore/DisableOSUpgrade_2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-1" id="admx-windowsstore-removewindowsstore-1">ADMX_WindowsStore/RemoveWindowsStore_1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-2" id="admx-windowsstore-removewindowsstore-2">ADMX_WindowsStore/RemoveWindowsStore_2</a>
-  </dd>
-</dl>
-
-### ADMX_WinInit policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription" id="admx-wininit-disablenamedpipeshutdownpolicydescription">ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wininit.md#admx-wininit-hiberboot" id="admx-wininit-hiberboot">ADMX_WinInit/Hiberboot</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription" id="admx-wininit-shutdowntimeouthungsessionsdescription">ADMX_WinInit/ShutdownTimeoutHungSessionsDescription</a>
-  </dd>
-</dl>
-
-### ADMX_WinLogon policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-winlogon.md#admx-winlogon-customshell" id="admx-winlogon-customshell">ADMX_WinLogon/CustomShell</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription" id="admx-winlogon-displaylastlogoninfodescription">ADMX_WinLogon/DisplayLastLogonInfoDescription</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription" id="admx-winlogon-logonhoursnotificationpolicydescription">ADMX_WinLogon/LogonHoursNotificationPolicyDescription</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription" id="admx-winlogon-logonhourspolicydescription">ADMX_WinLogon/LogonHoursPolicyDescription</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription" id="admx-winlogon-reportcachedlogonpolicydescription">ADMX_WinLogon/ReportCachedLogonPolicyDescription</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration" id="admx-winlogon-softwaresasgeneration">ADMX_WinLogon/SoftwareSASGeneration</a>
-  </dd>
-</dl>
-
-### ADMX_Winsrv policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-winsrv.md#admx-winsrv-allowblockingappsatshutdown" id="#admx-winsrv-allowblockingappsatshutdown">ADMX_Winsrv/AllowBlockingAppsAtShutdown</a>
-  </dd>
-</dl>
-
-### ADMX_wlansvc policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost" id="admx-wlansvc-setcost">ADMX_wlansvc/SetCost</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced" id="admx-wlansvc-setpinenforced">ADMX_wlansvc/SetPINEnforced</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred" id="admx-wlansvc-setpinpreferred">ADMX_wlansvc/SetPINPreferred</a>
-  </dd>
-</dl>
-
-### ADMX_WordWheel policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-wordwheel.md#admx-wordwheel-customsearch" id="admx-wordwheel-customsearch">ADMX_WordWheel/CustomSearch</a>
-  </dd>
-<dl>
-
-### ADMX_WorkFoldersClient policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenabletokenbroker" id="admx-workfoldersclient-pol_userenabletokenbroker">ADMX_WorkFoldersClient/Pol_UserEnableTokenBroker</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_userenableworkfolders" id="admx-workfoldersclient-pol_userenableworkfolders">ADMX_WorkFoldersClient/Pol_UserEnableWorkFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-workfoldersclient.md#admx-workfoldersclient-pol_machineenableworkfolders" id="admx-workfoldersclient-pol_machineenableworkfolders">ADMX_WorkFoldersClient/Pol_MachineEnableWorkFolders</a>
-  </dd>
-<dl>
-
-### ADMX_WPN policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours" id="admx-wpn-nocallsduringquiethours">ADMX_WPN/NoCallsDuringQuietHours</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification" id="admx-wpn-nolockscreentoastnotification">ADMX_WPN/NoLockScreenToastNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wpn.md#admx-wpn-noquiethours" id="admx-wpn-noquiethours">ADMX_WPN/NoQuietHours</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wpn.md#admx-wpn-notoastnotification" id="admx-wpn-notoastnotification">ADMX_WPN/NoToastNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute" id="admx-wpn-quiethoursdailybeginminute">ADMX_WPN/QuietHoursDailyBeginMinute</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute" id="admx-wpn-quiethoursdailyendminute">ADMX_WPN/QuietHoursDailyEndMinute</a>
-  </dd>
-</dl>
-
-### ApplicationDefaults policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration" id="applicationdefaults-defaultassociationsconfiguration">ApplicationDefaults/DefaultAssociationsConfiguration</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers" id="applicationdefaults-enableappurihandlers">ApplicationDefaults/EnableAppUriHandlers</a>
-  </dd>
-</dl>
-
-### ApplicationManagement policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps" id="applicationmanagement-allowalltrustedapps">ApplicationManagement/AllowAllTrustedApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate" id="applicationmanagement-allowappstoreautoupdate">ApplicationManagement/AllowAppStoreAutoUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock" id="applicationmanagement-allowdeveloperunlock">ApplicationManagement/AllowDeveloperUnlock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr" id="applicationmanagement-allowgamedvr">ApplicationManagement/AllowGameDVR</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata" id="applicationmanagement-allowshareduserappdata">ApplicationManagement/AllowSharedUserAppData</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall"id="applicationmanagement-blocknonadminuserinstall">ApplicationManagement/BlockNonAdminUserInstall</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps" id="applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-launchappafterlogon" id="applicationmanagement-launchappafterlogon">ApplicationManagement/LaunchAppAfterLogOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall" id="applicationmanagement-msiallowusercontroloverinstall">ApplicationManagement/MSIAllowUserControlOverInstall</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges" id="applicationmanagement-msialwaysinstallwithelevatedprivileges">ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly" id="applicationmanagement-requireprivatestoreonly">ApplicationManagement/RequirePrivateStoreOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume" id="applicationmanagement-restrictappdatatosystemvolume">ApplicationManagement/RestrictAppDataToSystemVolume</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume" id="applicationmanagement-restrictapptosystemvolume">ApplicationManagement/RestrictAppToSystemVolume</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-scheduleforcerestartforupdatefailures" id="applicationmanagement-scheduleforcerestartforupdatefailures">ApplicationManagement/ScheduleForceRestartForUpdateFailures</a>
-  </dd>
-</dl>
-
-### AppRuntime policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional" id="appruntime-allowmicrosoftaccountstobeoptional">AppRuntime/AllowMicrosoftAccountsToBeOptional</a>
-  </dd>
-</dl>
-
-### AppVirtualization policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowappvclient" id="appvirtualization-allowappvclient">AppVirtualization/AllowAppVClient</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization" id="appvirtualization-allowdynamicvirtualization">AppVirtualization/AllowDynamicVirtualization</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup" id="appvirtualization-allowpackagecleanup">AppVirtualization/AllowPackageCleanup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts" id="appvirtualization-allowpackagescripts">AppVirtualization/AllowPackageScripts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux" id="appvirtualization-allowpublishingrefreshux">AppVirtualization/AllowPublishingRefreshUX</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver" id="appvirtualization-allowreportingserver">AppVirtualization/AllowReportingServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions" id="appvirtualization-allowroamingfileexclusions">AppVirtualization/AllowRoamingFileExclusions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions" id="appvirtualization-allowroamingregistryexclusions">AppVirtualization/AllowRoamingRegistryExclusions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload" id="appvirtualization-allowstreamingautoload">AppVirtualization/AllowStreamingAutoload</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode" id="appvirtualization-clientcoexistenceallowmigrationmode">AppVirtualization/ClientCoexistenceAllowMigrationmode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal" id="appvirtualization-integrationallowrootglobal">AppVirtualization/IntegrationAllowRootGlobal</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser" id="appvirtualization-integrationallowrootuser">AppVirtualization/IntegrationAllowRootUser</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1" id="appvirtualization-publishingallowserver1">AppVirtualization/PublishingAllowServer1</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2" id="appvirtualization-publishingallowserver2">AppVirtualization/PublishingAllowServer2</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3" id="appvirtualization-publishingallowserver3">AppVirtualization/PublishingAllowServer3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4" id="appvirtualization-publishingallowserver4">AppVirtualization/PublishingAllowServer4</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5" id="appvirtualization-publishingallowserver5">AppVirtualization/PublishingAllowServer5</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl" id="appvirtualization-streamingallowcertificatefilterforclient-ssl">AppVirtualization/StreamingAllowCertificateFilterForClient_SSL</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch" id="appvirtualization-streamingallowhighcostlaunch">AppVirtualization/StreamingAllowHighCostLaunch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider" id="appvirtualization-streamingallowlocationprovider">AppVirtualization/StreamingAllowLocationProvider</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot" id="appvirtualization-streamingallowpackageinstallationroot">AppVirtualization/StreamingAllowPackageInstallationRoot</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot" id="appvirtualization-streamingallowpackagesourceroot">AppVirtualization/StreamingAllowPackageSourceRoot</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval" id="appvirtualization-streamingallowreestablishmentinterval">AppVirtualization/StreamingAllowReestablishmentInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries" id="appvirtualization-streamingallowreestablishmentretries">AppVirtualization/StreamingAllowReestablishmentRetries</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode" id="appvirtualization-streamingsharedcontentstoremode">AppVirtualization/StreamingSharedContentStoreMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache" id="appvirtualization-streamingsupportbranchcache">AppVirtualization/StreamingSupportBranchCache</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist" id="appvirtualization-streamingverifycertificaterevocationlist">AppVirtualization/StreamingVerifyCertificateRevocationList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist" id="appvirtualization-virtualcomponentsallowlist">AppVirtualization/VirtualComponentsAllowList</a>
-  </dd>
-</dl>
-
-### AttachmentManager policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation" id="attachmentmanager-donotpreservezoneinformation">AttachmentManager/DoNotPreserveZoneInformation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism" id="attachmentmanager-hidezoneinfomechanism">AttachmentManager/HideZoneInfoMechanism</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms" id="attachmentmanager-notifyantivirusprograms">AttachmentManager/NotifyAntivirusPrograms</a>
-  </dd>
-</dl>
-
-### Audit policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditaccountlockout"id="audit-accountlogonlogoff-auditaccountlockout">Audit/AccountLogonLogoff_AuditAccountLockout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditgroupmembership"id="audit-accountlogonlogoff-auditgroupmembership">Audit/AccountLogonLogoff_AuditGroupMembership</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditipsecextendedmode"id="audit-accountlogonlogoff-auditipsecextendedmode">Audit/AccountLogonLogoff_AuditIPsecExtendedMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditipsecmainmode"id="audit-accountlogonlogoff-auditipsecmainmode">Audit/AccountLogonLogoff_AuditIPsecMainMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditipsecquickmode"id="audit-accountlogonlogoff-auditipsecquickmode">Audit/AccountLogonLogoff_AuditIPsecQuickMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditlogoff"id="audit-accountlogonlogoff-auditlogoff">Audit/AccountLogonLogoff_AuditLogoff</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditlogon"id="audit-accountlogonlogoff-auditlogon">Audit/AccountLogonLogoff_AuditLogon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditnetworkpolicyserver"id="audit-accountlogonlogoff-auditnetworkpolicyserver">Audit/AccountLogonLogoff_AuditNetworkPolicyServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditotherlogonlogoffevents"id="audit-accountlogonlogoff-auditotherlogonlogoffevents">Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-auditspeciallogon"id="audit-accountlogonlogoff-auditspeciallogon">Audit/AccountLogonLogoff_AuditSpecialLogon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogonlogoff-audituserdeviceclaims"id="audit-accountlogonlogoff-audituserdeviceclaims">Audit/AccountLogonLogoff_AuditUserDeviceClaims</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogon-auditcredentialvalidation"id="audit-accountlogon-auditcredentialvalidation">Audit/AccountLogon_AuditCredentialValidation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogon-auditkerberosauthenticationservice"id="audit-accountlogon-auditkerberosauthenticationservice">Audit/AccountLogon_AuditKerberosAuthenticationService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogon-auditkerberosserviceticketoperations"id="audit-accountlogon-auditkerberosserviceticketoperations">Audit/AccountLogon_AuditKerberosServiceTicketOperations</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountlogon-auditotheraccountlogonevents"id="audit-accountlogon-auditotheraccountlogonevents">Audit/AccountLogon_AuditOtherAccountLogonEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountmanagement-auditapplicationgroupmanagement"id="audit-accountmanagement-auditapplicationgroupmanagement">Audit/AccountManagement_AuditApplicationGroupManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountmanagement-auditcomputeraccountmanagement"id="audit-accountmanagement-auditcomputeraccountmanagement">Audit/AccountManagement_AuditComputerAccountManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountmanagement-auditdistributiongroupmanagement"id="audit-accountmanagement-auditdistributiongroupmanagement">Audit/AccountManagement_AuditDistributionGroupManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountmanagement-auditotheraccountmanagementevents"id="audit-accountmanagement-auditotheraccountmanagementevents">Audit/AccountManagement_AuditOtherAccountManagementEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountmanagement-auditsecuritygroupmanagement"id="audit-accountmanagement-auditsecuritygroupmanagement">Audit/AccountManagement_AuditSecurityGroupManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-accountmanagement-audituseraccountmanagement"id="audit-accountmanagement-audituseraccountmanagement">Audit/AccountManagement_AuditUserAccountManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-dsaccess-auditdetaileddirectoryservicereplication"id="audit-dsaccess-auditdetaileddirectoryservicereplication">Audit/DSAccess_AuditDetailedDirectoryServiceReplication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-dsaccess-auditdirectoryserviceaccess"id="audit-dsaccess-auditdirectoryserviceaccess">Audit/DSAccess_AuditDirectoryServiceAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-dsaccess-auditdirectoryservicechanges"id="audit-dsaccess-auditdirectoryservicechanges">Audit/DSAccess_AuditDirectoryServiceChanges</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-dsaccess-auditdirectoryservicereplication"id="audit-dsaccess-auditdirectoryservicereplication">Audit/DSAccess_AuditDirectoryServiceReplication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-detailedtracking-auditdpapiactivity"id="audit-detailedtracking-auditdpapiactivity">Audit/DetailedTracking_AuditDPAPIActivity</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-detailedtracking-auditpnpactivity"id="audit-detailedtracking-auditpnpactivity">Audit/DetailedTracking_AuditPNPActivity</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-detailedtracking-auditprocesscreation"id="audit-detailedtracking-auditprocesscreation">Audit/DetailedTracking_AuditProcessCreation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-detailedtracking-auditprocesstermination"id="audit-detailedtracking-auditprocesstermination">Audit/DetailedTracking_AuditProcessTermination</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-detailedtracking-auditrpcevents"id="audit-detailedtracking-auditrpcevents">Audit/DetailedTracking_AuditRPCEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-detailedtracking-audittokenrightadjusted"id="audit-detailedtracking-audittokenrightadjusted">Audit/DetailedTracking_AuditTokenRightAdjusted</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditapplicationgenerated"id="audit-objectaccess-auditapplicationgenerated">Audit/ObjectAccess_AuditApplicationGenerated</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditcentralaccesspolicystaging"id="audit-objectaccess-auditcentralaccesspolicystaging">Audit/ObjectAccess_AuditCentralAccessPolicyStaging</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditcertificationservices"id="audit-objectaccess-auditcertificationservices">Audit/ObjectAccess_AuditCertificationServices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditdetailedfileshare"id="audit-objectaccess-auditdetailedfileshare">Audit/ObjectAccess_AuditDetailedFileShare</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditfileshare"id="audit-objectaccess-auditfileshare">Audit/ObjectAccess_AuditFileShare</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditfilesystem"id="audit-objectaccess-auditfilesystem">Audit/ObjectAccess_AuditFileSystem</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditfilteringplatformconnection"id="audit-objectaccess-auditfilteringplatformconnection">Audit/ObjectAccess_AuditFilteringPlatformConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditfilteringplatformpacketdrop"id="audit-objectaccess-auditfilteringplatformpacketdrop">Audit/ObjectAccess_AuditFilteringPlatformPacketDrop</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-audithandlemanipulation"id="audit-objectaccess-audithandlemanipulation">Audit/ObjectAccess_AuditHandleManipulation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditkernelobject"id="audit-objectaccess-auditkernelobject">Audit/ObjectAccess_AuditKernelObject</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditotherobjectaccessevents"id="audit-objectaccess-auditotherobjectaccessevents">Audit/ObjectAccess_AuditOtherObjectAccessEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditregistry"id="audit-objectaccess-auditregistry">Audit/ObjectAccess_AuditRegistry</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditremovablestorage"id="audit-objectaccess-auditremovablestorage">Audit/ObjectAccess_AuditRemovableStorage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-objectaccess-auditsam"id="audit-objectaccess-auditsam">Audit/ObjectAccess_AuditSAM</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-policychange-auditauthenticationpolicychange"id="audit-policychange-auditauthenticationpolicychange">Audit/PolicyChange_AuditAuthenticationPolicyChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-policychange-auditauthorizationpolicychange"id="audit-policychange-auditauthorizationpolicychange">Audit/PolicyChange_AuditAuthorizationPolicyChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-policychange-auditfilteringplatformpolicychange"id="audit-policychange-auditfilteringplatformpolicychange">Audit/PolicyChange_AuditFilteringPlatformPolicyChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-policychange-auditmpssvcrulelevelpolicychange"id="audit-policychange-auditmpssvcrulelevelpolicychange">Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-policychange-auditotherpolicychangeevents"id="audit-policychange-auditotherpolicychangeevents">Audit/PolicyChange_AuditOtherPolicyChangeEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-policychange-auditpolicychange"id="audit-policychange-auditpolicychange">Audit/PolicyChange_AuditPolicyChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-privilegeuse-auditnonsensitiveprivilegeuse"id="audit-privilegeuse-auditnonsensitiveprivilegeuse">Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-privilegeuse-auditotherprivilegeuseevents"id="audit-privilegeuse-auditotherprivilegeuseevents">Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-privilegeuse-auditsensitiveprivilegeuse"id="audit-privilegeuse-auditsensitiveprivilegeuse">Audit/PrivilegeUse_AuditSensitivePrivilegeUse</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-system-auditipsecdriver"id="audit-system-auditipsecdriver">Audit/System_AuditIPsecDriver</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-system-auditothersystemevents"id="audit-system-auditothersystemevents">Audit/System_AuditOtherSystemEvents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-system-auditsecuritystatechange"id="audit-system-auditsecuritystatechange">Audit/System_AuditSecurityStateChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-system-auditsecuritysystemextension"id="audit-system-auditsecuritysystemextension">Audit/System_AuditSecuritySystemExtension</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-audit.md#audit-system-auditsystemintegrity"id="audit-system-auditsystemintegrity">Audit/System_AuditSystemIntegrity</a>
-  </dd>
-</dl>
-
-### Authentication policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-allowaadpasswordreset" id="authentication-allowaadpasswordreset">Authentication/AllowAadPasswordReset</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-alloweapcertsso" id="authentication-alloweapcertsso">Authentication/AllowEAPCertSSO</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-allowfastreconnect" id="authentication-allowfastreconnect">Authentication/AllowFastReconnect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-allowfidodevicesignon" id="authentication-allowfidodevicesignon">Authentication/AllowFidoDeviceSignon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice" id="authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a> (Preview mode only)
-  </dd>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a> (Preview mode only)
-  </dd>
-  <dd>
-    <a href="./policy-csp-authentication.md#authentication-preferredaadtenantdomainname" id="authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
-  </dd>
-</dl>
-
-### Autoplay policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices" id="autoplay-disallowautoplayfornonvolumedevices">Autoplay/DisallowAutoplayForNonVolumeDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior" id="autoplay-setdefaultautorunbehavior">Autoplay/SetDefaultAutoRunBehavior</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-autoplay.md#autoplay-turnoffautoplay" id="autoplay-turnoffautoplay">Autoplay/TurnOffAutoPlay</a>
-  </dd>
-</dl>
-
-### BitLocker policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-bitlocker.md#bitlocker-encryptionmethod" id="bitlocker-encryptionmethod">BitLocker/EncryptionMethod</a>
-  </dd>
-</dl>
-
-### BITS policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-bits.md#bits-bandwidththrottlingendtime" id="bits-bandwidththrottlingendtime">BITS/BandwidthThrottlingEndTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bits.md#bits-bandwidththrottlingstarttime" id="bits-bandwidththrottlingstarttime">BITS/BandwidthThrottlingStartTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bits.md#bits-bandwidththrottlingtransferrate" id="bits-bandwidththrottlingtransferrate">BITS/BandwidthThrottlingTransferRate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority" id="bits-costednetworkbehaviorbackgroundpriority">BITS/CostedNetworkBehaviorBackgroundPriority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority" id="bits-costednetworkbehaviorforegroundpriority">BITS/CostedNetworkBehaviorForegroundPriority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bits.md#bits-jobinactivitytimeout" id="bits-jobinactivitytimeout">BITS/JobInactivityTimeout</a>
-  </dd>
-</dl>
-
-### Bluetooth policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-bluetooth.md#bluetooth-allowadvertising" id="bluetooth-allowadvertising">Bluetooth/AllowAdvertising</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode" id="bluetooth-allowdiscoverablemode">Bluetooth/AllowDiscoverableMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bluetooth.md#bluetooth-allowprepairing" id="bluetooth-allowprepairing">Bluetooth/AllowPrepairing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bluetooth.md#bluetooth-allowpromptedproximalconnections" id="bluetooth-allowpromptedproximalconnections">Bluetooth/AllowPromptedProximalConnections</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bluetooth.md#bluetooth-localdevicename" id="bluetooth-localdevicename">Bluetooth/LocalDeviceName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-bluetooth.md#bluetooth-servicesallowedlist" id="bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
-  </dd>
-   <dd>
-    <a href="./policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize"id=bluetooth-setminimumencryptionkeysize>Bluetooth/SetMinimumEncryptionKeySize</a>
-  </dd>
-</dl>
-
-### Browser policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowaddressbardropdown" id="browser-allowaddressbardropdown">Browser/AllowAddressBarDropdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowautofill" id="browser-allowautofill">Browser/AllowAutofill</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowconfigurationupdateforbookslibrary" id="browser-allowconfigurationupdateforbookslibrary">Browser/AllowConfigurationUpdateForBooksLibrary</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowcookies" id="browser-allowcookies">Browser/AllowCookies</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowdevelopertools" id="browser-allowdevelopertools">Browser/AllowDeveloperTools</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowdonottrack" id="browser-allowdonottrack">Browser/AllowDoNotTrack</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowextensions" id="browser-allowextensions">Browser/AllowExtensions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowflash" id="browser-allowflash">Browser/AllowFlash</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowflashclicktorun" id="browser-allowflashclicktorun">Browser/AllowFlashClickToRun</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowfullscreenmode" id="browser-allowfullscreenmode">Browser/AllowFullScreenMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowinprivate" id="browser-allowinprivate">Browser/AllowInPrivate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist" id="browser-allowmicrosoftcompatibilitylist">Browser/AllowMicrosoftCompatibilityList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowpasswordmanager" id="browser-allowpasswordmanager">Browser/AllowPasswordManager</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowpopups" id="browser-allowpopups">Browser/AllowPopups</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowprelaunch" id="browser-allowprelaunch">Browser/AllowPrelaunch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowprinting" id="browser-allowprinting">Browser/AllowPrinting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowsavinghistory" id="browser-allowsavinghistory">Browser/AllowSavingHistory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowsearchenginecustomization" id="browser-allowsearchenginecustomization">Browser/AllowSearchEngineCustomization</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar" id="browser-allowsearchsuggestionsinaddressbar">Browser/AllowSearchSuggestionsinAddressBar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowsideloadingofextensions" id="browser-allowsideloadingofextensions">Browser/AllowSideloadingOfExtensions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowsmartscreen" id="browser-allowsmartscreen">Browser/AllowSmartScreen</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowtabpreloading" id="browser-allowtabpreloading">Browser/AllowTabPreloading</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-allowwebcontentonnewtabpage" id="browser-allowwebcontentonnewtabpage">Browser/AllowWebContentOnNewTabPage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-alwaysenablebookslibrary" id="browser-alwaysenablebookslibrary">Browser/AlwaysEnableBooksLibrary</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-clearbrowsingdataonexit" id="browser-clearbrowsingdataonexit">Browser/ClearBrowsingDataOnExit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-configureadditionalsearchengines" id="browser-configureadditionalsearchengines">Browser/ConfigureAdditionalSearchEngines</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-configurefavoritesbar" id="browser-configurefavoritesbar">Browser/ConfigureFavoritesBar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-configurehomebutton" id="browser-configurehomebutton">Browser/ConfigureHomeButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-configurekioskmode" id="browser-configurekioskmode">Browser/ConfigureKioskMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-configurekioskresetafteridletimeout" id="browser-configurekioskresetafteridletimeout">Browser/ConfigureKioskResetAfterIdleTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-configureopenmicrosoftedgewith" id="browser-configureopenmicrosoftedgewith">Browser/ConfigureOpenMicrosoftEdgeWith</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics" id="browser-configuretelemetryformicrosoft365analytics">Browser/ConfigureTelemetryForMicrosoft365Analytics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-disablelockdownofstartpages" id="browser-disablelockdownofstartpages">Browser/DisableLockdownOfStartPages</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-enableextendedbookstelemetry" id="browser-enableextendedbookstelemetry">Browser/EnableExtendedBooksTelemetry</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-enterprisemodesitelist" id="browser-enterprisemodesitelist">Browser/EnterpriseModeSiteList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-enterprisesitelistserviceurl" id="browser-enterprisesitelistserviceurl">Browser/EnterpriseSiteListServiceUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-homepages" id="browser-homepages">Browser/HomePages</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-lockdownfavorites" id="browser-lockdownfavorites">Browser/LockdownFavorites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge" id="browser-preventaccesstoaboutflagsinmicrosoftedge">Browser/PreventAccessToAboutFlagsInMicrosoftEdge</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-preventcerterroroverrides" id="browser-preventcerterroroverrides">Browser/PreventCertErrorOverrides</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-preventfirstrunpage" id="browser-preventfirstrunpage">Browser/PreventFirstRunPage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-preventlivetiledatacollection" id="browser-preventlivetiledatacollection">Browser/PreventLiveTileDataCollection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-preventsmartscreenpromptoverride" id="browser-preventsmartscreenpromptoverride">Browser/PreventSmartScreenPromptOverride</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles" id="browser-preventsmartscreenpromptoverrideforfiles">Browser/PreventSmartScreenPromptOverrideForFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc" id="browser-preventusinglocalhostipaddressforwebrtc">Browser/PreventUsingLocalHostIPAddressForWebRTC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-provisionfavorites" id="browser-provisionfavorites">Browser/ProvisionFavorites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer" id="browser-sendintranettraffictointernetexplorer">Browser/SendIntranetTraffictoInternetExplorer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-setdefaultsearchengine" id="browser-setdefaultsearchengine">Browser/SetDefaultSearchEngine</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-sethomebuttonurl" id="browser-sethomebuttonurl">Browser/SetHomeButtonURL</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-setnewtabpageurl" id="browser-setnewtabpageurl">Browser/SetNewTabPageURL</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer" id="browser-showmessagewhenopeningsitesininternetexplorer">Browser/ShowMessageWhenOpeningSitesInInternetExplorer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge" id="browser-syncfavoritesbetweenieandmicrosoftedge">Browser/SyncFavoritesBetweenIEAndMicrosoftEdge</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-unlockhomebutton" id="browser-unlockhomebutton">Browser/UnlockHomeButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-browser.md#browser-usesharedfolderforbooks" id="browser-usesharedfolderforbooks">Browser/UseSharedFolderForBooks</a>
-  </dd>
-</dl>
-
-### Camera policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-camera.md#camera-allowcamera" id="camera-allowcamera">Camera/AllowCamera</a>
-  </dd>
-</dl>
-
-### Cellular policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-cellular.md#cellular-letappsaccesscellulardata" id="cellular-letappsaccesscellulardata">Cellular/LetAppsAccessCellularData</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps" id="cellular-letappsaccesscellulardata-forceallowtheseapps">Cellular/LetAppsAccessCellularData_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps" id="cellular-letappsaccesscellulardata-forcedenytheseapps">Cellular/LetAppsAccessCellularData_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps" id="cellular-letappsaccesscellulardata-userincontroloftheseapps">Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-cellular.md#cellular-showappcellularaccessui" id="cellular-showappcellularaccessui">Cellular/ShowAppCellularAccessUI</a>
-  </dd>
-</dl>
-
-### Connectivity policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowbluetooth" id="connectivity-allowbluetooth">Connectivity/AllowBluetooth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowcellulardata" id="connectivity-allowcellulardata">Connectivity/AllowCellularData</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowcellulardataroaming" id="connectivity-allowcellulardataroaming">Connectivity/AllowCellularDataRoaming</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowconnecteddevices" id="connectivity-allowconnecteddevices">Connectivity/AllowConnectedDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowphonepclinking" id="connectivity-allowphonepclinking">Connectivity/AllowPhonePCLinking</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowusbconnection" id="connectivity-allowusbconnection">Connectivity/AllowUSBConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowvpnovercellular" id="connectivity-allowvpnovercellular">Connectivity/AllowVPNOverCellular</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-allowvpnroamingovercellular" id="connectivity-allowvpnroamingovercellular">Connectivity/AllowVPNRoamingOverCellular</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-disableprintingoverhttp" id="connectivity-disableprintingoverhttp">Connectivity/DiablePrintingOverHTTP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp" id="connectivity-disabledownloadingofprintdriversoverhttp">Connectivity/DisableDownloadingOfPrintDriversOverHTTP</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards" id="connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards">Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests" id="connectivity-disallownetworkconnectivityactivetests">Connectivity/DisallowNetworkConnectivityActiveTests</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-hardeneduncpaths" id="connectivity-hardeneduncpaths">Connectivity/HardenedUNCPaths</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge" id="connectivity-prohibitinstallationandconfigurationofnetworkbridge">Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge</a>
-  </dd>
-</dl>
-
-### ControlPolicyConflict policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp" id="controlpolicyconflict-mdmwinsovergp">ControlPolicyConflict/MDMWinsOverGP</a>
-  </dd>
-</dl>
-
-### CredentialProviders policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon" id="credentialproviders-allowpinlogon">CredentialProviders/AllowPINLogon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword" id="credentialproviders-blockpicturepassword">CredentialProviders/BlockPicturePassword</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-credentialproviders.md#credentialproviders-disableautomaticredeploymentcredentials" id="credentialproviders-disableautomaticredeploymentcredentials">CredentialProviders/DisableAutomaticReDeploymentCredentials</a>
-  </dd>
-</dl>
-
-### CredentialsDelegation policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials" id="credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials">CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials</a>
-  </dd>
-</dl>
-
-### CredentialsUI policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal" id="credentialsui-disablepasswordreveal">CredentialsUI/DisablePasswordReveal</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-credentialsui.md#credentialsui-enumerateadministrators" id="credentialsui-enumerateadministrators">CredentialsUI/EnumerateAdministrators</a>
-  </dd>
-</dl>
-
-### Cryptography policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy" id="cryptography-allowfipsalgorithmpolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-cryptography.md#cryptography-tlsciphersuites" id="cryptography-tlsciphersuites">Cryptography/TLSCipherSuites</a>
-  </dd>
-</dl>
-
-### DataProtection policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess" id="dataprotection-allowdirectmemoryaccess">DataProtection/AllowDirectMemoryAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-dataprotection.md#dataprotection-legacyselectivewipeid" id="dataprotection-legacyselectivewipeid">DataProtection/LegacySelectiveWipeID</a>
-  </dd>
-</dl>
-
-### DataUsage policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-datausage.md#datausage-setcost3g" id="datausage-setcost3g">DataUsage/SetCost3G</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-datausage.md#datausage-setcost4g" id="datausage-setcost4g">DataUsage/SetCost4G</a>
-  </dd>
-</dl>
-
-### Defender policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowarchivescanning" id="defender-allowarchivescanning">Defender/AllowArchiveScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowbehaviormonitoring" id="defender-allowbehaviormonitoring">Defender/AllowBehaviorMonitoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowcloudprotection" id="defender-allowcloudprotection">Defender/AllowCloudProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowemailscanning" id="defender-allowemailscanning">Defender/AllowEmailScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives" id="defender-allowfullscanonmappednetworkdrives">Defender/AllowFullScanOnMappedNetworkDrives</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning" id="defender-allowfullscanremovabledrivescanning">Defender/AllowFullScanRemovableDriveScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowioavprotection" id="defender-allowioavprotection">Defender/AllowIOAVProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowonaccessprotection" id="defender-allowonaccessprotection">Defender/AllowOnAccessProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowrealtimemonitoring" id="defender-allowrealtimemonitoring">Defender/AllowRealtimeMonitoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowscanningnetworkfiles" id="defender-allowscanningnetworkfiles">Defender/AllowScanningNetworkFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowscriptscanning" id="defender-allowscriptscanning">Defender/AllowScriptScanning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-allowuseruiaccess" id="defender-allowuseruiaccess">Defender/AllowUserUIAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions" id="defender-attacksurfacereductiononlyexclusions">Defender/AttackSurfaceReductionOnlyExclusions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-attacksurfacereductionrules" id="defender-attacksurfacereductionrules">Defender/AttackSurfaceReductionRules</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-avgcpuloadfactor" id="defender-avgcpuloadfactor">Defender/AvgCPULoadFactor</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan" id="defender-checkforsignaturesbeforerunningscan">Defender/CheckForSignaturesBeforeRunningScan</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-cloudblocklevel" id="defender-cloudblocklevel">Defender/CloudBlockLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-cloudextendedtimeout" id="defender-cloudextendedtimeout">Defender/CloudExtendedTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications" id="defender-controlledfolderaccessallowedapplications">Defender/ControlledFolderAccessAllowedApplications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders" id="defender-controlledfolderaccessprotectedfolders">Defender/ControlledFolderAccessProtectedFolders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-daystoretaincleanedmalware" id="defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-disablecatchupfullscan" id="defender-disablecatchupfullscan">Defender/DisableCatchupFullScan</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-disablecatchupquickscan" id="defender-disablecatchupquickscan">Defender/DisableCatchupQuickScan</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-enablecontrolledfolderaccess" id="defender-enablecontrolledfolderaccess">Defender/EnableControlledFolderAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-enablelowcpupriority" id="defender-enablelowcpupriority">Defender/EnableLowCPUPriority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-enablenetworkprotection" id="defender-enablenetworkprotection">Defender/EnableNetworkProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-excludedextensions" id="defender-excludedextensions">Defender/ExcludedExtensions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-excludedpaths" id="defender-excludedpaths">Defender/ExcludedPaths</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-excludedprocesses" id="defender-excludedprocesses">Defender/ExcludedProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-puaprotection" id="defender-puaprotection">Defender/PUAProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-realtimescandirection" id="defender-realtimescandirection">Defender/RealTimeScanDirection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-scanparameter" id="defender-scanparameter">Defender/ScanParameter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-schedulequickscantime" id="defender-schedulequickscantime">Defender/ScheduleQuickScanTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-schedulescanday" id="defender-schedulescanday">Defender/ScheduleScanDay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-schedulescantime" id="defender-schedulescantime">Defender/ScheduleScanTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-signatureupdatefallbackorder" id="defender-signatureupdatefallbackorder">Defender/SignatureUpdateFallbackOrder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-signatureupdatefilesharessources" id="defender-signatureupdatefilesharessources">Defender/SignatureUpdateFileSharesSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-signatureupdateinterval" id="defender-signatureupdateinterval">Defender/SignatureUpdateInterval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-submitsamplesconsent" id="defender-submitsamplesconsent">Defender/SubmitSamplesConsent</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-defender.md#defender-threatseveritydefaultaction" id="defender-threatseveritydefaultaction">Defender/ThreatSeverityDefaultAction</a>
-  </dd>
-</dl>
-
-### DeliveryOptimization policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize" id="deliveryoptimization-doabsolutemaxcachesize">DeliveryOptimization/DOAbsoluteMaxCacheSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching" id="deliveryoptimization-doallowvpnpeercaching">DeliveryOptimization/DOAllowVPNPeerCaching</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost" id="deliveryoptimization-docachehost">DeliveryOptimization/DOCacheHost</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource" id="deliveryoptimization-docachehostsource">DeliveryOptimization/DOCacheHostSource</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp" id="deliveryoptimization-dodelaybackgrounddownloadfromhttp">DeliveryOptimization/DODelayBackgroundDownloadFromHttp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp" id="deliveryoptimization-dodelayforegrounddownloadfromhttp">DeliveryOptimization/DODelayForegroundDownloadFromHttp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground" id="deliveryoptimization-dodelaycacheserverfallbackbackground">DeliveryOptimization/DODelayCacheServerFallbackBackground</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground" id="deliveryoptimization-dodelaycacheserverfallbackforeground">DeliveryOptimization/DODelayCacheServerFallbackForeground</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode" id="deliveryoptimization-dodownloadmode">DeliveryOptimization/DODownloadMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid" id="deliveryoptimization-dogroupid">DeliveryOptimization/DOGroupId</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource" id="deliveryoptimization-dogroupidsource">DeliveryOptimization/DOGroupIdSource</a>
-  </dd>
-    <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth" id="deliveryoptimization-domaxbackgrounddownloadbandwidth">DeliveryOptimization/DOMaxBackgroundDownloadBandwidth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage" id="deliveryoptimization-domaxcacheage">DeliveryOptimization/DOMaxCacheAge</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize" id="deliveryoptimization-domaxcachesize">DeliveryOptimization/DOMaxCacheSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth" id="deliveryoptimization-domaxdownloadbandwidth">DeliveryOptimization/DOMaxDownloadBandwidth</a> (deprecated)
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth" id="deliveryoptimization-domaxforegrounddownloadbandwidth">DeliveryOptimization/DOMaxForegroundDownloadBandwidth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth" id="deliveryoptimization-domaxuploadbandwidth">DeliveryOptimization/DOMaxUploadBandwidth</a> (deprecated)
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos" id="deliveryoptimization-dominbackgroundqos">DeliveryOptimization/DOMinBackgroundQos</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload" id="deliveryoptimization-dominbatterypercentageallowedtoupload">DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer" id="deliveryoptimization-domindisksizeallowedtopeer">DeliveryOptimization/DOMinDiskSizeAllowedToPeer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache" id="deliveryoptimization-dominfilesizetocache">DeliveryOptimization/DOMinFileSizeToCache</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer" id="deliveryoptimization-dominramallowedtopeer">DeliveryOptimization/DOMinRAMAllowedToPeer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive" id="deliveryoptimization-domodifycachedrive">DeliveryOptimization/DOModifyCacheDrive</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap" id="deliveryoptimization-domonthlyuploaddatacap">DeliveryOptimization/DOMonthlyUploadDataCap</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth" id="deliveryoptimization-dopercentagemaxbackgroundbandwidth">DeliveryOptimization/DOPercentageMaxBackgroundBandwidth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth" id="deliveryoptimization-dopercentagemaxdownloadbandwidth">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a> (deprecated)
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth" id="deliveryoptimization-dopercentagemaxforegroundbandwidth">DeliveryOptimization/DOPercentageMaxForegroundBandwidth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby" id="deliveryoptimization-dorestrictpeerselectionby">DeliveryOptimization/DORestrictPeerSelectionBy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth" id="deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth">DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth" id="deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth">DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth</a>
-  </dd>
-</dl>
-
-### Desktop policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders" id="desktop-preventuserredirectionofprofilefolders">Desktop/PreventUserRedirectionOfProfileFolders</a>
-  </dd>
-</dl>
-
-### DesktopAppInstaller policies
-<dl>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources" id="desktopappinstaller-enableadditionalsources">DesktopAppInstaller/EnableAdditionalSources</a>
-  </dd>
-<dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller"id="desktopappinstaller-enableappinstaller">DesktopAppInstaller/EnableAppInstaller</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enabledefaultsource"id="desktopappinstaller-enabledefaultsource">DesktopAppInstaller/EnableDefaultSource</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles"id="desktopappinstaller-enablelocalmanifestfiles">DesktopAppInstaller/EnableLocalManifestFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride"id="desktopappinstaller-enablehashoverride">DesktopAppInstaller/EnableHashOverride</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource"id="desktopappinstaller-enablemicrosoftstoresource">DesktopAppInstaller/EnableMicrosoftStoreSource</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol"id="desktopappinstaller-enablemsappinstallerprotocol">DesktopAppInstaller/EnableMSAppInstallerProtocol</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings"id="desktopappinstaller-enablesettings">DesktopAppInstaller/EnableSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources"id="desktopappinstaller-enableallowedsources">DesktopAppInstaller/EnableAllowedSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures"id="desktopappinstaller-enableexperimentalfeatures">DesktopAppInstaller/EnableExperimentalFeatures</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval"id="desktopappinstaller-sourceautoupdateinterval">DesktopAppInstaller/SourceAutoUpdateInterval</a>
-  </dd>
-</dl>
-
-### DeviceGuard policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch" id="deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity" id="deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceguard.md#deviceguard-lsacfgflags" id="deviceguard-lsacfgflags">DeviceGuard/LsaCfgFlags</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures" id="deviceguard-requireplatformsecurityfeatures">DeviceGuard/RequirePlatformSecurityFeatures</a>
-  </dd>
-</dl>
-
-### DeviceHealthMonitoring policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring" id="devicehealthmonitoring-allowdevicehealthmonitoring">DeviceHealthMonitoring/AllowDeviceHealthMonitoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope" id="devicehealthmonitoring-configdevicehealthmonitoringscope">DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination" id="devicehealthmonitoring-configdevicehealthmonitoringuploaddestination">DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination</a>
-  </dd>
-</dl>
-
-### DeviceInstallation policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids" id="deviceinstallation-allowinstallationofmatchingdeviceids">DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses" id="deviceinstallation-allowinstallationofmatchingdevicesetupclasses">DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids"id="deviceinstallation-allowinstallationofmatchingdeviceinstanceids">DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork" id="deviceinstallation-preventdevicemetadatafromnetwork">DeviceInstallation/PreventDeviceMetadataFromNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings" id="deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings">DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids" id="deviceinstallation-preventinstallationofmatchingdeviceids">DeviceInstallation/PreventInstallationOfMatchingDeviceIDs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids"id="deviceinstallation-preventinstallationofmatchingdeviceinstanceids">DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses" id="deviceinstallation-preventinstallationofmatchingdevicesetupclasses">DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses</a>
-  </dd>
-</dl>
-
-### DeviceLock policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword" id="devicelock-allowidlereturnwithoutpassword">DeviceLock/AllowIdleReturnWithoutPassword</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-allowsimpledevicepassword" id="devicelock-allowsimpledevicepassword">DeviceLock/AllowSimpleDevicePassword</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired" id="devicelock-alphanumericdevicepasswordrequired">DeviceLock/AlphanumericDevicePasswordRequired</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-devicepasswordenabled" id="devicelock-devicepasswordenabled">DeviceLock/DevicePasswordEnabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-devicepasswordexpiration" id="devicelock-devicepasswordexpiration">DeviceLock/DevicePasswordExpiration</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-devicepasswordhistory" id="devicelock-devicepasswordhistory">DeviceLock/DevicePasswordHistory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-enforcelockscreenandlogonimage" id="devicelock-enforcelockscreenandlogonimage">DeviceLock/EnforceLockScreenAndLogonImage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts" id="devicelock-maxdevicepasswordfailedattempts">DeviceLock/MaxDevicePasswordFailedAttempts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock" id="devicelock-maxinactivitytimedevicelock">DeviceLock/MaxInactivityTimeDeviceLock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters" id="devicelock-mindevicepasswordcomplexcharacters">DeviceLock/MinDevicePasswordComplexCharacters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-mindevicepasswordlength" id="devicelock-mindevicepasswordlength">DeviceLock/MinDevicePasswordLength</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-minimumpasswordage" id="devicelock-minimumpasswordage">DeviceLock/MinimumPasswordAge</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera" id="devicelock-preventenablinglockscreencamera">DeviceLock/PreventEnablingLockScreenCamera</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow" id="devicelock-preventlockscreenslideshow">DeviceLock/PreventLockScreenSlideShow</a>
-  </dd>
-</dl>
-
-### Display policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-display.md#display-disableperprocessdpiforapps" id="display-disableperprocessdpiforapps">Display/DisablePerProcessDpiForApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-display.md#display-enableperprocessdpi" id="display-enableperprocessdpi">Display/EnablePerProcessDpi</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-display.md#display-enableperprocessdpiforapps" id="display-enableperprocessdpiforapps">Display/EnablePerProcessDpiForApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-display.md#display-turnoffgdidpiscalingforapps" id="display-turnoffgdidpiscalingforapps">Display/TurnOffGdiDPIScalingForApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-display.md#display-turnongdidpiscalingforapps" id="display-turnongdidpiscalingforapps">Display/TurnOnGdiDPIScalingForApps</a>
-  </dd>
-</dl>
-
-### DmaGuard policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy" id="dmaguard-deviceenumerationpolicy">DmaGuard/DeviceEnumerationPolicy</a>
-  </dd>
-</dl>
-
-### EAP policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-eap.md#eap-allowtls1_3" id="eap-allowtls1_3">EAP/AllowTLS1_3</a>
-  </dd>
-</dl>
-
-### Education policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-education.md#education-allowgraphingcalculator"id="education-allowgraphingcalculator">Education/AllowGraphingCalculator</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-education.md#education-defaultprintername" id="education-defaultprintername">Education/DefaultPrinterName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-education.md#education-preventaddingnewprinters" id="education-preventaddingnewprinters">Education/PreventAddingNewPrinters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-education.md#education-printernames" id="education-printernames">Education/PrinterNames</a>
-  </dd>
-</dl>
-
-### EnterpriseCloudPrint policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-enterprisecloudprint.md#enterprisecloudprint-cloudprintoauthauthority" id="enterprisecloudprint-cloudprintoauthauthority">EnterpriseCloudPrint/CloudPrintOAuthAuthority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-enterprisecloudprint.md#enterprisecloudprint-cloudprintoauthclientid" id="enterprisecloudprint-cloudprintoauthclientid">EnterpriseCloudPrint/CloudPrintOAuthClientId</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-enterprisecloudprint.md#enterprisecloudprint-cloudprintresourceid" id="enterprisecloudprint-cloudprintresourceid">EnterpriseCloudPrint/CloudPrintResourceId</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-enterprisecloudprint.md#enterprisecloudprint-cloudprinterdiscoveryendpoint" id="enterprisecloudprint-cloudprinterdiscoveryendpoint">EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-enterprisecloudprint.md#enterprisecloudprint-discoverymaxprinterlimit" id="enterprisecloudprint-discoverymaxprinterlimit">EnterpriseCloudPrint/DiscoveryMaxPrinterLimit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-enterprisecloudprint.md#enterprisecloudprint-mopriadiscoveryresourceid" id="enterprisecloudprint-mopriadiscoveryresourceid">EnterpriseCloudPrint/MopriaDiscoveryResourceId</a>
-  </dd>
-</dl>
-
-### ErrorReporting policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings" id="errorreporting-customizeconsentsettings">ErrorReporting/CustomizeConsentSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting" id="errorreporting-disablewindowserrorreporting">ErrorReporting/DisableWindowsErrorReporting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-errorreporting.md#errorreporting-displayerrornotification" id="errorreporting-displayerrornotification">ErrorReporting/DisplayErrorNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata" id="errorreporting-donotsendadditionaldata">ErrorReporting/DoNotSendAdditionalData</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay" id="errorreporting-preventcriticalerrordisplay">ErrorReporting/PreventCriticalErrorDisplay</a>
-  </dd>
-</dl>
-
-### EventLogService policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior" id="eventlogservice-controleventlogbehavior">EventLogService/ControlEventLogBehavior</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog" id="eventlogservice-specifymaximumfilesizeapplicationlog">EventLogService/SpecifyMaximumFileSizeApplicationLog</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog" id="eventlogservice-specifymaximumfilesizesecuritylog">EventLogService/SpecifyMaximumFileSizeSecurityLog</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog" id="eventlogservice-specifymaximumfilesizesystemlog">EventLogService/SpecifyMaximumFileSizeSystemLog</a>
-  </dd>
-</dl>
-
-### Experience policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowclipboardhistory" id="experience-allowclipboardhistory">Experience/AllowClipboardHistory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowcortana" id="experience-allowcortana">Experience/AllowCortana</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowdevicediscovery" id="experience-allowdevicediscovery">Experience/AllowDeviceDiscovery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowfindmydevice" id="experience-allowfindmydevice">Experience/AllowFindMyDevice</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowmanualmdmunenrollment" id="experience-allowmanualmdmunenrollment">Experience/AllowManualMDMUnenrollment</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowsaveasofofficefiles" id="experience-allowsaveasofofficefiles">Experience/AllowSaveAsOfOfficeFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowsharingofofficefiles" id="experience-allowsharingofofficefiles">Experience/AllowSharingOfOfficeFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowsyncmysettings" id="experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowspotlightcollection" id="experience-allowspotlightcollection">Experience/AllowSpotlightCollection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata" id="experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight" id="experience-allowthirdpartysuggestionsinwindowsspotlight">Experience/AllowThirdPartySuggestionsInWindowsSpotlight</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowwindowsconsumerfeatures" id="experience-allowwindowsconsumerfeatures">Experience/AllowWindowsConsumerFeatures</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowwindowsspotlight" id="experience-allowwindowsspotlight">Experience/AllowWindowsSpotlight</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter" id="experience-allowwindowsspotlightonactioncenter">Experience/AllowWindowsSpotlightOnActionCenter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowwindowsspotlightonsettings" id="experience-allowwindowsspotlightonsettings">Experience/AllowWindowsSpotlightOnSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience" id="experience-allowwindowsspotlightwindowswelcomeexperience">Experience/AllowWindowsSpotlightWindowsWelcomeExperience</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-allowwindowstips" id="experience-allowwindowstips">Experience/AllowWindowsTips</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen" id="experience-configurewindowsspotlightonlockscreen">Experience/ConfigureWindowsSpotlightOnLockScreen</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-disablecloudoptimizedcontent" id="experience-disablecloudoptimizedcontent">Experience/DisableCloudOptimizedContent</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-donotshowfeedbacknotifications" id="experience-donotshowfeedbacknotifications">Experience/DoNotShowFeedbackNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-donotsyncbrowsersetting" id="experience-donotsyncbrowsersetting">Experience/DoNotSyncBrowserSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing" id="experience-preventusersfromturningonbrowsersyncing">Experience/PreventUsersFromTurningOnBrowserSyncing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-experience.md#experience-showlockonusertile" id="experience-showlockonusertile">Experience/ShowLockOnUserTile</a>
-  </dd>
-</dl>
-
-### ExploitGuard policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings" id="exploitguard-exploitprotectionsettings">ExploitGuard/ExploitProtectionSettings</a>
-  </dd>
-</dl>
-
-### FederatedAuthentication policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-federatedauthentication.md#federatedauthentication-enablewebsigninforprimaryuser" id="federatedauthentication-enablewebsigninforprimaryuser<">FederatedAuthentication/EnableWebSignInForPrimaryUser</a>
-  </dd>
-</dl>
-
-### Feeds policies
-<dl>
-  <dd>
-    <a href="./policy-csp-feeds.md#feeds-feedsenabled" id="feeds-feedsenabled">Feeds/FeedsEnabled</a>
-  </dd>
-</dl>
-
-### FileExplorer policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer" id="fileexplorer-turnoffdataexecutionpreventionforexplorer">FileExplorer/TurnOffDataExecutionPreventionForExplorer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption" id="fileexplorer-turnoffheapterminationoncorruption">FileExplorer/TurnOffHeapTerminationOnCorruption</a>
-  </dd>
-</dl>
-
-### Games policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-games.md#games-allowadvancedgamingservices" id="games-allowadvancedgamingservices">Games/AllowAdvancedGamingServices</a>
-  </dd>
-</dl>
-
-### Handwriting policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked" id="handwriting-paneldefaultmodedocked">Handwriting/PanelDefaultModeDocked</a>
-  </dd>
-</dl>
-
-### HumanPresence policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-humanpresence.md#humanpresence-forceinstantlock" id="humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-humanpresence.md#humanpresence-forceinstantwake" id="humanpresence-forceinstantwake">HumanPresence/ForceInstantWake</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-humanpresence.md#humanpresence-forcelocktimeout" id="humanpresence-forcelocktimeout">HumanPresence/ForceLockTimeout</a>
-  </dd>
-</dl>
-
-### InternetExplorer policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider" id="internetexplorer-addsearchprovider">InternetExplorer/AddSearchProvider</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering" id="internetexplorer-allowactivexfiltering">InternetExplorer/AllowActiveXFiltering</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist" id="internetexplorer-allowaddonlist">InternetExplorer/AllowAddOnList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete" id="internetexplorer-allowautocomplete">InternetExplorer/AllowAutoComplete</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning" id="internetexplorer-allowcertificateaddressmismatchwarning">InternetExplorer/AllowCertificateAddressMismatchWarning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit" id="internetexplorer-allowdeletingbrowsinghistoryonexit">InternetExplorer/AllowDeletingBrowsingHistoryOnExit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode" id="internetexplorer-allowenhancedprotectedmode">InternetExplorer/AllowEnhancedProtectedMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar" id="internetexplorer-allowenhancedsuggestionsinaddressbar">InternetExplorer/AllowEnhancedSuggestionsInAddressBar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu" id="internetexplorer-allowenterprisemodefromtoolsmenu">InternetExplorer/AllowEnterpriseModeFromToolsMenu</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist" id="internetexplorer-allowenterprisemodesitelist">InternetExplorer/AllowEnterpriseModeSiteList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3" id="internetexplorer-allowfallbacktossl3">InternetExplorer/AllowFallbackToSSL3</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist" id="internetexplorer-allowinternetexplorer7policylist">InternetExplorer/AllowInternetExplorer7PolicyList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode" id="internetexplorer-allowinternetexplorerstandardsmode">InternetExplorer/AllowInternetExplorerStandardsMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate" id="internetexplorer-allowinternetzonetemplate">InternetExplorer/AllowInternetZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate" id="internetexplorer-allowintranetzonetemplate">InternetExplorer/AllowIntranetZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate" id="internetexplorer-allowlocalmachinezonetemplate">InternetExplorer/AllowLocalMachineZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate" id="internetexplorer-allowlockeddowninternetzonetemplate">InternetExplorer/AllowLockedDownInternetZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate" id="internetexplorer-allowlockeddownintranetzonetemplate">InternetExplorer/AllowLockedDownIntranetZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate" id="internetexplorer-allowlockeddownlocalmachinezonetemplate">InternetExplorer/AllowLockedDownLocalMachineZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate" id="internetexplorer-allowlockeddownrestrictedsiteszonetemplate">InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry" id="internetexplorer-allowonewordentry">InternetExplorer/AllowOneWordEntry</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist" id="internetexplorer-allowsitetozoneassignmentlist">InternetExplorer/AllowSiteToZoneAssignmentList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid" id="internetexplorer-allowsoftwarewhensignatureisinvalid">InternetExplorer/AllowSoftwareWhenSignatureIsInvalid</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites" id="internetexplorer-allowsuggestedsites">InternetExplorer/AllowSuggestedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate" id="internetexplorer-allowtrustedsiteszonetemplate">InternetExplorer/AllowTrustedSitesZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate" id="internetexplorer-allowslockeddowntrustedsiteszonetemplate">InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate" id="internetexplorer-allowsrestrictedsiteszonetemplate">InternetExplorer/AllowsRestrictedSitesZoneTemplate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation" id="internetexplorer-checkservercertificaterevocation">InternetExplorer/CheckServerCertificateRevocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms" id="internetexplorer-checksignaturesondownloadedprograms">InternetExplorer/CheckSignaturesOnDownloadedPrograms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses" id="internetexplorer-consistentmimehandlinginternetexplorerprocesses">InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload" id="internetexplorer-disableactivexversionlistautodownload">InternetExplorer/DisableActiveXVersionListAutoDownload</a>
-  </dd><br/>  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash" id="internetexplorer-disableadobeflash">InternetExplorer/DisableAdobeFlash</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings" id="internetexplorer-disablebypassofsmartscreenwarnings">InternetExplorer/DisableBypassOfSmartScreenWarnings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles" id="internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles">InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablecompatview" id="internetexplorer-disablecompatview">InternetExplorer/DisableCompatView</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory" id="internetexplorer-disableconfiguringhistory">InternetExplorer/DisableConfiguringHistory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection" id="internetexplorer-disablecrashdetection">InternetExplorer/DisableCrashDetection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation" id="internetexplorer-disablecustomerexperienceimprovementprogramparticipation">InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites" id="internetexplorer-disabledeletinguservisitedwebsites">InternetExplorer/DisableDeletingUserVisitedWebsites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading" id="internetexplorer-disableenclosuredownloading">InternetExplorer/DisableEnclosureDownloading</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport" id="internetexplorer-disableencryptionsupport">InternetExplorer/DisableEncryptionSupport</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync" id="internetexplorer-disablefeedsbackgroundsync">InternetExplorer/DisableFeedsBackgroundSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard" id="internetexplorer-disablefirstrunwizard">InternetExplorer/DisableFirstRunWizard</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature" id="internetexplorer-disableflipaheadfeature">InternetExplorer/DisableFlipAheadFeature</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation" id="internetexplorer-disablegeolocation">InternetExplorer/DisableGeolocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange" id="internetexplorer-disablehomepagechange">InternetExplorer/DisableHomePageChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors" id="internetexplorer-disableignoringcertificateerrors">InternetExplorer/DisableIgnoringCertificateErrors</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing" id="internetexplorer-disableinprivatebrowsing">InternetExplorer/DisableInPrivateBrowsing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode" id="internetexplorer-disableprocessesinenhancedprotectedmode">InternetExplorer/DisableProcessesInEnhancedProtectedMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableproxychange" id="internetexplorer-disableproxychange">InternetExplorer/DisableProxyChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange" id="internetexplorer-disablesearchproviderchange">InternetExplorer/DisableSearchProviderChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange" id="internetexplorer-disablesecondaryhomepagechange">InternetExplorer/DisableSecondaryHomePageChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck" id="internetexplorer-disablesecuritysettingscheck">InternetExplorer/DisableSecuritySettingsCheck</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck" id="internetexplorer-disableupdatecheck">InternetExplorer/DisableUpdateCheck</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete" id="internetexplorer-disablewebaddressautocomplete">InternetExplorer/DisableWebAddressAutoComplete</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode" id="internetexplorer-donotallowactivexcontrolsinprotectedmode">InternetExplorer/DoNotAllowActiveXControlsInProtectedMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites" id="internetexplorer-donotallowuserstoaddsites">InternetExplorer/DoNotAllowUsersToAddSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies" id="internetexplorer-donotallowuserstochangepolicies">InternetExplorer/DoNotAllowUsersToChangePolicies</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols" id="internetexplorer-donotblockoutdatedactivexcontrols">InternetExplorer/DoNotBlockOutdatedActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains" id="internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains">InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites" id="internetexplorer-includealllocalsites">InternetExplorer/IncludeAllLocalSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths" id="internetexplorer-includeallnetworkpaths">InternetExplorer/IncludeAllNetworkPaths</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources" id="internetexplorer-internetzoneallowaccesstodatasources">InternetExplorer/InternetZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads" id="internetexplorer-internetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript" id="internetexplorer-internetzoneallowcopypasteviascript">InternetExplorer/InternetZoneAllowCopyPasteViaScript</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles" id="internetexplorer-internetzoneallowdraganddropcopyandpastefiles">InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads" id="internetexplorer-internetzoneallowfontdownloads">InternetExplorer/InternetZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites" id="internetexplorer-internetzoneallowlessprivilegedsites">InternetExplorer/InternetZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles" id="internetexplorer-internetzoneallowloadingofxamlfiles">InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents" id="internetexplorer-internetzoneallownetframeworkreliantcomponents">InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols" id="internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols">InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol" id="internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol">InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows" id="internetexplorer-internetzoneallowscriptinitiatedwindows">InternetExplorer/InternetZoneAllowScriptInitiatedWindows</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols" id="internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols">InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets" id="internetexplorer-internetzoneallowscriptlets">InternetExplorer/InternetZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie" id="internetexplorer-internetzoneallowsmartscreenie">InternetExplorer/InternetZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript" id="internetexplorer-internetzoneallowupdatestostatusbarviascript">InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence" id="internetexplorer-internetzoneallowuserdatapersistence">InternetExplorer/InternetZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer" id="internetexplorer-internetzoneallowvbscripttorunininternetexplorer">InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols" id="internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols" id="internetexplorer-internetzonedownloadsignedactivexcontrols">InternetExplorer/InternetZoneDownloadSignedActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols" id="internetexplorer-internetzonedownloadunsignedactivexcontrols">InternetExplorer/InternetZoneDownloadUnsignedActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter" id="internetexplorer-internetzoneenablecrosssitescriptingfilter">InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows" id="internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows">InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows" id="internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows">InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing" id="internetexplorer-internetzoneenablemimesniffing">InternetExplorer/InternetZoneEnableMIMESniffing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode" id="internetexplorer-internetzoneenableprotectedmode">InternetExplorer/InternetZoneEnableProtectedMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver" id="internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver">InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols" id="internetexplorer-internetzoneinitializeandscriptactivexcontrols">InternetExplorer/InternetZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrolsnotmarkedsafe" id="internetexplorer-internetzoneinitializeandscriptactivexcontrolsnotmarkedsafe">InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions" id="internetexplorer-internetzonejavapermissions">InternetExplorer/InternetZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe" id="internetexplorer-internetzonelaunchingapplicationsandfilesiniframe">InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions" id="internetexplorer-internetzonelogonoptions">InternetExplorer/InternetZoneLogonOptions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes" id="internetexplorer-internetzonenavigatewindowsandframes">InternetExplorer/InternetZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode" id="internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode">InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles" id="internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles">InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker" id="internetexplorer-internetzoneusepopupblocker">InternetExplorer/InternetZoneUsePopupBlocker</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources" id="internetexplorer-intranetzoneallowaccesstodatasources">InternetExplorer/IntranetZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads" id="internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads" id="internetexplorer-intranetzoneallowfontdownloads">InternetExplorer/IntranetZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites" id="internetexplorer-intranetzoneallowlessprivilegedsites">InternetExplorer/IntranetZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents" id="internetexplorer-intranetzoneallownetframeworkreliantcomponents">InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets" id="internetexplorer-intranetzoneallowscriptlets">InternetExplorer/IntranetZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie" id="internetexplorer-intranetzoneallowsmartscreenie">InternetExplorer/IntranetZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence" id="internetexplorer-intranetzoneallowuserdatapersistence">InternetExplorer/IntranetZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols" id="internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols" id="internetexplorer-intranetzoneinitializeandscriptactivexcontrols">InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions" id="internetexplorer-intranetzonejavapermissions">InternetExplorer/IntranetZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes" id="internetexplorer-intranetzonenavigatewindowsandframes">InternetExplorer/IntranetZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources" id="internetexplorer-localmachinezoneallowaccesstodatasources">InternetExplorer/LocalMachineZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads" id="internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads">InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads" id="internetexplorer-localmachinezoneallowfontdownloads">InternetExplorer/LocalMachineZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites" id="internetexplorer-localmachinezoneallowlessprivilegedsites">InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents" id="internetexplorer-localmachinezoneallownetframeworkreliantcomponents">InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets" id="internetexplorer-localmachinezoneallowscriptlets">InternetExplorer/LocalMachineZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie" id="internetexplorer-localmachinezoneallowsmartscreenie">InternetExplorer/LocalMachineZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence" id="internetexplorer-localmachinezoneallowuserdatapersistence">InternetExplorer/LocalMachineZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols" id="internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols" id="internetexplorer-localmachinezoneinitializeandscriptactivexcontrols">InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions" id="internetexplorer-localmachinezonejavapermissions">InternetExplorer/LocalMachineZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes" id="internetexplorer-localmachinezonenavigatewindowsandframes">InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources" id="internetexplorer-lockeddowninternetzoneallowaccesstodatasources">InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads" id="internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads" id="internetexplorer-lockeddowninternetzoneallowfontdownloads">InternetExplorer/LockedDownInternetZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites" id="internetexplorer-lockeddowninternetzoneallowlessprivilegedsites">InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents" id="internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets" id="internetexplorer-lockeddowninternetzoneallowscriptlets">InternetExplorer/LockedDownInternetZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie" id="internetexplorer-lockeddowninternetzoneallowsmartscreenie">InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence" id="internetexplorer-lockeddowninternetzoneallowuserdatapersistence">InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols" id="internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions" id="internetexplorer-lockeddowninternetzonejavapermissions">InternetExplorer/LockedDownInternetZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes" id="internetexplorer-lockeddowninternetzonenavigatewindowsandframes">InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions" id="internetexplorer-lockeddownintranetjavapermissions">InternetExplorer/LockedDownIntranetJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources" id="internetexplorer-lockeddownintranetzoneallowaccesstodatasources">InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads" id="internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads" id="internetexplorer-lockeddownintranetzoneallowfontdownloads">InternetExplorer/LockedDownIntranetZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites" id="internetexplorer-lockeddownintranetzoneallowlessprivilegedsites">InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents" id="internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets" id="internetexplorer-lockeddownintranetzoneallowscriptlets">InternetExplorer/LockedDownIntranetZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie" id="internetexplorer-lockeddownintranetzoneallowsmartscreenie">InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence" id="internetexplorer-lockeddownintranetzoneallowuserdatapersistence">InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols" id="internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes" id="internetexplorer-lockeddownintranetzonenavigatewindowsandframes">InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources" id="internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources">InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads" id="internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads" id="internetexplorer-lockeddownlocalmachinezoneallowfontdownloads">InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites" id="internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites">InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents" id="internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets" id="internetexplorer-lockeddownlocalmachinezoneallowscriptlets">InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie" id="internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie">InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence" id="internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence">InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols" id="internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions" id="internetexplorer-lockeddownlocalmachinezonejavapermissions">InternetExplorer/LockedDownLocalMachineZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes" id="internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes">InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources" id="internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources">InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads" id="internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads" id="internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads">InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites" id="internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites">InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents" id="internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets" id="internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets">InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie" id="internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie">InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence" id="internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence">InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols" id="internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions" id="internetexplorer-lockeddownrestrictedsiteszonejavapermissions">InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes" id="internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes">InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources" id="internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources">InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads" id="internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads" id="internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads">InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites" id="internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites">InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents" id="internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets" id="internetexplorer-lockeddowntrustedsiteszoneallowscriptlets">InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie" id="internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie">InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence" id="internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence">InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols" id="internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions" id="internetexplorer-lockeddowntrustedsiteszonejavapermissions">InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes" id="internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes">InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses" id="internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses">InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses" id="internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses">InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage" id="internetexplorer-newtabdefaultpage">InternetExplorer/NewTabDefaultPage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses" id="internetexplorer-notificationbarinternetexplorerprocesses">InternetExplorer/NotificationBarInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter" id="internetexplorer-preventmanagingsmartscreenfilter">InternetExplorer/PreventManagingSmartScreenFilter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols" id="internetexplorer-preventperuserinstallationofactivexcontrols">InternetExplorer/PreventPerUserInstallationOfActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses" id="internetexplorer-protectionfromzoneelevationinternetexplorerprocesses">InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols" id="internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols">InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses" id="internetexplorer-restrictactivexinstallinternetexplorerprocesses">InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses" id="internetexplorer-restrictfiledownloadinternetexplorerprocesses">InternetExplorer/RestrictFileDownloadInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources" id="internetexplorer-restrictedsiteszoneallowaccesstodatasources">InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting" id="internetexplorer-restrictedsiteszoneallowactivescripting">InternetExplorer/RestrictedSitesZoneAllowActiveScripting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads" id="internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors" id="internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors">InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript" id="internetexplorer-restrictedsiteszoneallowcopypasteviascript">InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles" id="internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles">InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads" id="internetexplorer-restrictedsiteszoneallowfiledownloads">InternetExplorer/RestrictedSitesZoneAllowFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads" id="internetexplorer-restrictedsiteszoneallowfontdownloads">InternetExplorer/RestrictedSitesZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites" id="internetexplorer-restrictedsiteszoneallowlessprivilegedsites">InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles" id="internetexplorer-restrictedsiteszoneallowloadingofxamlfiles">InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh" id="internetexplorer-restrictedsiteszoneallowmetarefresh">InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents" id="internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols" id="internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols">InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol" id="internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol">InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows" id="internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows">InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols" id="internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols">InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets" id="internetexplorer-restrictedsiteszoneallowscriptlets">InternetExplorer/RestrictedSitesZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie" id="internetexplorer-restrictedsiteszoneallowsmartscreenie">InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript" id="internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript">InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence" id="internetexplorer-restrictedsiteszoneallowuserdatapersistence">InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer" id="internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer">InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols" id="internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols" id="internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols">InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols" id="internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols">InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter" id="internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter">InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows" id="internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows">InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows" id="internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows">InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing" id="internetexplorer-restrictedsiteszoneenablemimesniffing">InternetExplorer/RestrictedSitesZoneEnableMIMESniffing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver" id="internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver">InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols" id="internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions" id="internetexplorer-restrictedsiteszonejavapermissions">InternetExplorer/RestrictedSitesZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe" id="internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe">InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions" id="internetexplorer-restrictedsiteszonelogonoptions">InternetExplorer/RestrictedSitesZoneLogonOptions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes" id="internetexplorer-restrictedsiteszonenavigatewindowsandframes">InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins" id="internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins">InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode" id="internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode">InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting" id="internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting">InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets" id="internetexplorer-restrictedsiteszonescriptingofjavaapplets">InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles" id="internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles">InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode" id="internetexplorer-restrictedsiteszoneturnonprotectedmode">InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker" id="internetexplorer-restrictedsiteszoneusepopupblocker">InternetExplorer/RestrictedSitesZoneUsePopupBlocker</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses" id="internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses">InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist" id="internetexplorer-searchproviderlist">InternetExplorer/SearchProviderList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings" id="internetexplorer-securityzonesuseonlymachinesettings">InternetExplorer/SecurityZonesUseOnlyMachineSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice" id="internetexplorer-specifyuseofactivexinstallerservice">InternetExplorer/SpecifyUseOfActiveXInstallerService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources" id="internetexplorer-trustedsiteszoneallowaccesstodatasources">InternetExplorer/TrustedSitesZoneAllowAccessToDataSources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols" id="internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols">InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads" id="internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads">InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads" id="internetexplorer-trustedsiteszoneallowfontdownloads">InternetExplorer/TrustedSitesZoneAllowFontDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites" id="internetexplorer-trustedsiteszoneallowlessprivilegedsites">InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents" id="internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents">InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets" id="internetexplorer-trustedsiteszoneallowscriptlets">InternetExplorer/TrustedSitesZoneAllowScriptlets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie" id="internetexplorer-trustedsiteszoneallowsmartscreenie">InternetExplorer/TrustedSitesZoneAllowSmartScreenIE</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence" id="internetexplorer-trustedsiteszoneallowuserdatapersistence">InternetExplorer/TrustedSitesZoneAllowUserDataPersistence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols" id="internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols">InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols" id="internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols">InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions" id="internetexplorer-trustedsiteszonejavapermissions">InternetExplorer/TrustedSitesZoneJavaPermissions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes" id="internetexplorer-trustedsiteszonenavigatewindowsandframes">InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames</a>
-  </dd>
-</dl>
-
-### Kerberos policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-kerberos.md#kerberos-allowforestsearchorder" id="kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor" id="kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kerberos.md#kerberos-requirekerberosarmoring" id="kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation" id="kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kerberos.md#kerberos-upnnamehints" id="kerberos-upnnamehints">Kerberos/UPNNameHints</a>
-  </dd>
-</dl>
-
-### KioskBrowser policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-kioskbrowser.md#kioskbrowser-blockedurlexceptions" id="kioskbrowser-blockedurlexceptions">KioskBrowser/BlockedUrlExceptions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kioskbrowser.md#kioskbrowser-blockedurls" id="kioskbrowser-blockedurls">KioskBrowser/BlockedUrls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kioskbrowser.md#kioskbrowser-defaulturl" id="kioskbrowser-defaulturl">KioskBrowser/DefaultURL</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kioskbrowser.md#kioskbrowser-enableendsessionbutton" id="kioskbrowser-enableendsessionbutton">KioskBrowser/EnableEndSessionButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kioskbrowser.md#kioskbrowser-enablehomebutton" id="kioskbrowser-enablehomebutton">KioskBrowser/EnableHomeButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kioskbrowser.md#kioskbrowser-enablenavigationbuttons" id="kioskbrowser-enablenavigationbuttons">KioskBrowser/EnableNavigationButtons</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-kioskbrowser.md#kioskbrowser-restartonidletime" id="kioskbrowser-restartonidletime">KioskBrowser/RestartOnIdleTime</a>
-  </dd>
-</dl>
-
-### LanmanWorkstation policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons" id="lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
-  </dd>
-</dl>
-
-### Language Pack Management CSP policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons" id="lanmanworkstation-enableinsecureguestlogons">LanmanWorkstation/EnableInsecureGuestLogons</a>
-  </dd>
-</dl>
-
-### Licensing policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation" id="licensing-allowwindowsentitlementreactivation">Licensing/AllowWindowsEntitlementReactivation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation" id="licensing-disallowkmsclientonlineavsvalidation">Licensing/DisallowKMSClientOnlineAVSValidation</a>
-  </dd>
-</dl>
-
-### LocalPoliciesSecurityOptions policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts" id="localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount" id="localpoliciessecurityoptions-accounts-renameadministratoraccount">LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount" id="localpoliciessecurityoptions-accounts-renameguestaccount">LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon" id="localpoliciessecurityoptions-devices-allowundockwithouthavingtologon">LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia" id="localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia">LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters" id="localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters">LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly" id="localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin" id="localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin" id="localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel" id="localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit" id="localpoliciessecurityoptions-interactivelogon-machineinactivitylimit">LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon" id="localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior" id="localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior">LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees" id="localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers" id="localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts" id="localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts">LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares" id="localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares">LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares" id="localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares">LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam" id="localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange" id="localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange">LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel" id="localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication" id="localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic" id="localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic" id="localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers" id="localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers">LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile" id="localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile">LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode" id="localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations" id="localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations">LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</a>
-  </dd>
-</dl>
-
-### LocalUsersAndGroups policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-localusersandgroups.md#localusersandgroups-configure" id="localusersandgroups-configure">LocalUsersAndGroups/Configure</a>
-  </dd>
-</dl>
-
-### LockDown policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-lockdown.md#lockdown-allowedgeswipe" id="lockdown-allowedgeswipe">LockDown/AllowEdgeSwipe</a>
-  </dd>
-</dl>
-
-### Maps policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-maps.md#maps-allowofflinemapsdownloadovermeteredconnection" id="maps-allowofflinemapsdownloadovermeteredconnection">Maps/AllowOfflineMapsDownloadOverMeteredConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-maps.md#maps-enableofflinemapsautoupdate" id="maps-enableofflinemapsautoupdate">Maps/EnableOfflineMapsAutoUpdate</a>
-  </dd>
-</dl>
-
-### MemoryDump policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-memorydump.md#memorydump-allowcrashdump" id="memorydump-allowcrashdump">MemoryDump/AllowCrashDump</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-memorydump.md#memorydump-allowlivedump" id="memorydump-allowlivedump">MemoryDump/AllowLiveDump</a>
-  </dd>
-</dl>
-
-### Messaging policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-messaging.md#messaging-allowmessagesync" id="messaging-allowmessagesync">Messaging/AllowMessageSync</a>
-  </dd>
-</dl>
-
-### MixedReality policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays" id="mixedreality-aadgroupmembershipcachevalidityindays">MixedReality/AADGroupMembershipCacheValidityInDays</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled" id="mixedreality-brightnessbuttondisabled">MixedReality/BrightnessButtonDisabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics" id="mixedreality-fallbackdiagnostics">MixedReality/FallbackDiagnostics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mixedreality.md#mixedreality-microphonedisabled" id="mixedreality-microphonedisabled">MixedReality/MicrophoneDisabled</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled" id="mixedreality-volumebuttondisabled">MixedReality/VolumeButtonDisabled</a>
-  </dd>
-</dl>
-
-### MSSecurityGuide policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon" id="mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon">MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver" id="mssecurityguide-configuresmbv1clientdriver">MSSecurityGuide/ConfigureSMBV1ClientDriver</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server" id="mssecurityguide-configuresmbv1server">MSSecurityGuide/ConfigureSMBV1Server</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection" id="mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection">MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications" id="mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications">MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication" id="mssecurityguide-wdigestauthentication">MSSecurityGuide/WDigestAuthentication</a>
-  </dd>
-</dl>
-
-### MSSLegacy policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes" id="msslegacy-allowicmpredirectstooverrideospfgeneratedroutes">MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers" id="msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers">MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel" id="msslegacy-ipsourceroutingprotectionlevel">MSSLegacy/IPSourceRoutingProtectionLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel" id="msslegacy-ipv6sourceroutingprotectionlevel">MSSLegacy/IPv6SourceRoutingProtectionLevel</a>
-  </dd>
-</dl>
-
-### Multitasking policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-multitasking.md#multitasking-browseralttabblowout" id="multitasking-browseralttabblowout">Multitasking/BrowserAltTabBlowout</a>
-  </dd>
- </dl>
-
-### NetworkIsolation policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources" id="networkisolation-enterprisecloudresources">NetworkIsolation/EnterpriseCloudResources</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-enterpriseiprange" id="networkisolation-enterpriseiprange">NetworkIsolation/EnterpriseIPRange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative" id="networkisolation-enterpriseiprangesareauthoritative">NetworkIsolation/EnterpriseIPRangesAreAuthoritative</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers" id="networkisolation-enterpriseinternalproxyservers">NetworkIsolation/EnterpriseInternalProxyServers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-enterprisenetworkdomainnames" id="networkisolation-enterprisenetworkdomainnames">NetworkIsolation/EnterpriseNetworkDomainNames</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers" id="networkisolation-enterpriseproxyservers">NetworkIsolation/EnterpriseProxyServers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative" id="networkisolation-enterpriseproxyserversareauthoritative">NetworkIsolation/EnterpriseProxyServersAreAuthoritative</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networkisolation.md#networkisolation-neutralresources" id="networkisolation-neutralresources">NetworkIsolation/NeutralResources</a>
-  </dd>
-</dl>
-
-### NetworkListManager policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-networklistmanager.md#networklistmanager-allowedtlsauthenticationendpoints" id="networklistmanager-allowedtlsauthenticationendpoints">NetworkListManager/AllowedTlsAuthenticationEndpoints</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-networklistmanager.md#networklistmanager-configuredtlsauthenticationnetworkname" id="networklistmanager-configuredtlsauthenticationnetworkname">NetworkListManager/ConfiguredTLSAuthenticationNetworkName</a>
-  </dd>
-  <dd>
-</dl>
-
-### NewsAndInterests policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-newsandinterests.md#newsandinterests-allownewsandinterests" id="newsandinterests-allownewsandinterests">NewsAndInterests/AllowNewsAndInterests</a>
-  </dd>
-</dl>
-
-### Notifications policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-notifications.md#notifications-disallowcloudnotification" id="notifications-disallowcloudnotification">Notifications/DisallowCloudNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-notifications.md#notifications-disallownotificationmirroring" id="notifications-disallownotificationmirroring">Notifications/DisallowNotificationMirroring</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-notifications.md#notifications-disallowtilenotification" id="notifications-disallowtilenotification">Notifications/DisallowTileNotification</a>
-  </dd>
-</dl>
-
-### Power policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery" id="power-allowstandbystateswhensleepingonbattery">Power/AllowStandbyStatesWhenSleepingOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-allowstandbywhensleepingpluggedin" id="power-allowstandbywhensleepingpluggedin">Power/AllowStandbyWhenSleepingPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-displayofftimeoutonbattery" id="power-displayofftimeoutonbattery">Power/DisplayOffTimeoutOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-displayofftimeoutpluggedin" id="power-displayofftimeoutpluggedin">Power/DisplayOffTimeoutPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-energysaverbatterythresholdonbattery"
-    id="power-energysaverbatterythresholdonbattery">Power/EnergySaverBatteryThresholdOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-energysaverbatterythresholdpluggedin"
-    id="power-energysaverbatterythresholdpluggedin">Power/EnergySaverBatteryThresholdPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-hibernatetimeoutonbattery" id="power-hibernatetimeoutonbattery">Power/HibernateTimeoutOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-hibernatetimeoutpluggedin" id="power-hibernatetimeoutpluggedin">Power/HibernateTimeoutPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery" id="power-requirepasswordwhencomputerwakesonbattery">Power/RequirePasswordWhenComputerWakesOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin" id="power-requirepasswordwhencomputerwakespluggedin">Power/RequirePasswordWhenComputerWakesPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-selectlidcloseactiononbattery"
-    id="power-selectlidcloseactiononbattery">Power/SelectLidCloseActionOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-selectlidcloseactionpluggedin"
-    id="power-selectlidcloseactionpluggedin">Power/SelectLidCloseActionPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-selectpowerbuttonactiononbattery"
-    id="power-selectpowerbuttonactiononbattery">Power/SelectPowerButtonActionOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-selectpowerbuttonactionpluggedin"
-    id="power-selectpowerbuttonactionpluggedin">Power/SelectPowerButtonActionPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-selectsleepbuttonactiononbattery"
-    id="power-selectsleepbuttonactiononbattery">Power/SelectSleepButtonActionOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-selectsleepbuttonactionpluggedin"
-    id="power-selectsleepbuttonactionpluggedin">Power/SelectSleepButtonActionPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-standbytimeoutonbattery" id="power-standbytimeoutonbattery">Power/StandbyTimeoutOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-standbytimeoutpluggedin" id="power-standbytimeoutpluggedin">Power/StandbyTimeoutPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-turnoffhybridsleeponbattery"
-    id="power-turnoffhybridsleeponbattery">Power/TurnOffHybridSleepOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-turnoffhybridsleeppluggedin"
-    id="power-turnoffhybridsleeppluggedin">Power/TurnOffHybridSleepPluggedIn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-unattendedsleeptimeoutonbattery"
-    id="power-unattendedsleeptimeoutonbattery">Power/UnattendedSleepTimeoutOnBattery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin"
-    id="power-unattendedsleeptimeoutpluggedin">Power/UnattendedSleepTimeoutPluggedIn</a>
-  </dd>
-</dl>
-
-### Printers policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-approvedusbprintdevices" id="printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-approvedusbprintdevicesuser" id="printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-configurecopyfilespolicy" id="printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-configuredrivervalidationlevel" id="printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-configureipppagecountspolicy" id="printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-configureredirectionguardpolicy" id="printers-configureredirectionguardpolicy">Printers/ConfigureRedirectionGuardPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-configurerpcconnectionpolicy" id="printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-configurerpclistenerpolicy" id="printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-configurerpctcpport" id="printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-enabledevicecontrol" id="printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-enabledevicecontroluser" id="printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-managedriverexclusionlist" id="printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-pointandprintrestrictions" id="printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-pointandprintrestrictions-user" id="printers-pointandprintrestrictions-user">Printers/PointAndPrintRestrictions_User</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-publishprinters" id="printers-publishprinters">Printers/PublishPrinters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-printers.md#printers-restrictdriverinstallationtoadministrators" id="printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
-  </dd>
-</dl>
-
-### Privacy policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-allowautoacceptpairingandprivacyconsentprompts" id="privacy-allowautoacceptpairingandprivacyconsentprompts">Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard" id="privacy-allowcrossdeviceclipboard">Privacy/AllowCrossDeviceClipboard</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-allowinputpersonalization" id="privacy-allowinputpersonalization">Privacy/AllowInputPersonalization</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-disableadvertisingid" id="privacy-disableadvertisingid">Privacy/DisableAdvertisingId</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-disableprivacyexperience" id="privacy-disableprivacyexperience">Privacy/DisablePrivacyExperience</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-enableactivityfeed" id="privacy-enableactivityfeed">Privacy/EnableActivityFeed</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessaccountinfo" id="privacy-letappsaccessaccountinfo">Privacy/LetAppsAccessAccountInfo</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps" id="privacy-letappsaccessaccountinfo-forceallowtheseapps">Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps" id="privacy-letappsaccessaccountinfo-forcedenytheseapps">Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps" id="privacy-letappsaccessaccountinfo-userincontroloftheseapps">Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception"id="privacy-letappsaccessbackgroundspatialperception">Privacy/LetAppsAccessBackgroundSpatialPerception</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps"id="privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps">Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps"id="privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps">Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps"id="privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps">Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscalendar" id="privacy-letappsaccesscalendar">Privacy/LetAppsAccessCalendar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps" id="privacy-letappsaccesscalendar-forceallowtheseapps">Privacy/LetAppsAccessCalendar_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps" id="privacy-letappsaccesscalendar-forcedenytheseapps">Privacy/LetAppsAccessCalendar_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps" id="privacy-letappsaccesscalendar-userincontroloftheseapps">Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscallhistory" id="privacy-letappsaccesscallhistory">Privacy/LetAppsAccessCallHistory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps" id="privacy-letappsaccesscallhistory-forceallowtheseapps">Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps" id="privacy-letappsaccesscallhistory-forcedenytheseapps">Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps" id="privacy-letappsaccesscallhistory-userincontroloftheseapps">Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscamera" id="privacy-letappsaccesscamera">Privacy/LetAppsAccessCamera</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps" id="privacy-letappsaccesscamera-forceallowtheseapps">Privacy/LetAppsAccessCamera_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps" id="privacy-letappsaccesscamera-forcedenytheseapps">Privacy/LetAppsAccessCamera_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps" id="privacy-letappsaccesscamera-userincontroloftheseapps">Privacy/LetAppsAccessCamera_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscontacts" id="privacy-letappsaccesscontacts">Privacy/LetAppsAccessContacts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps" id="privacy-letappsaccesscontacts-forceallowtheseapps">Privacy/LetAppsAccessContacts_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps" id="privacy-letappsaccesscontacts-forcedenytheseapps">Privacy/LetAppsAccessContacts_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps" id="privacy-letappsaccesscontacts-userincontroloftheseapps">Privacy/LetAppsAccessContacts_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessemail" id="privacy-letappsaccessemail">Privacy/LetAppsAccessEmail</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps" id="privacy-letappsaccessemail-forceallowtheseapps">Privacy/LetAppsAccessEmail_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps" id="privacy-letappsaccessemail-forcedenytheseapps">Privacy/LetAppsAccessEmail_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps" id="privacy-letappsaccessemail-userincontroloftheseapps">Privacy/LetAppsAccessEmail_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessgazeinput" id="privacy-letappsaccessgazeinput">Privacy/LetAppsAccessGazeInput</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps" id="privacy-letappsaccessgazeinput-forceallowtheseapps">Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps" id="privacy-letappsaccessgazeinput-forcedenytheseapps">Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps" id="privacy-letappsaccessgazeinput-userincontroloftheseapps">Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesslocation" id="privacy-letappsaccesslocation">Privacy/LetAppsAccessLocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps" id="privacy-letappsaccesslocation-forceallowtheseapps">Privacy/LetAppsAccessLocation_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps" id="privacy-letappsaccesslocation-forcedenytheseapps">Privacy/LetAppsAccessLocation_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps" id="privacy-letappsaccesslocation-userincontroloftheseapps">Privacy/LetAppsAccessLocation_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmessaging" id="privacy-letappsaccessmessaging">Privacy/LetAppsAccessMessaging</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps" id="privacy-letappsaccessmessaging-forceallowtheseapps">Privacy/LetAppsAccessMessaging_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps" id="privacy-letappsaccessmessaging-forcedenytheseapps">Privacy/LetAppsAccessMessaging_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps" id="privacy-letappsaccessmessaging-userincontroloftheseapps">Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmicrophone" id="privacy-letappsaccessmicrophone">Privacy/LetAppsAccessMicrophone</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps" id="privacy-letappsaccessmicrophone-forceallowtheseapps">Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps" id="privacy-letappsaccessmicrophone-forcedenytheseapps">Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps" id="privacy-letappsaccessmicrophone-userincontroloftheseapps">Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmotion" id="privacy-letappsaccessmotion">Privacy/LetAppsAccessMotion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps" id="privacy-letappsaccessmotion-forceallowtheseapps">Privacy/LetAppsAccessMotion_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps" id="privacy-letappsaccessmotion-forcedenytheseapps">Privacy/LetAppsAccessMotion_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps" id="privacy-letappsaccessmotion-userincontroloftheseapps">Privacy/LetAppsAccessMotion_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessnotifications" id="privacy-letappsaccessnotifications">Privacy/LetAppsAccessNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps" id="privacy-letappsaccessnotifications-forceallowtheseapps">Privacy/LetAppsAccessNotifications_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps" id="privacy-letappsaccessnotifications-forcedenytheseapps">Privacy/LetAppsAccessNotifications_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps" id="privacy-letappsaccessnotifications-userincontroloftheseapps">Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessphone" id="privacy-letappsaccessphone">Privacy/LetAppsAccessPhone</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps" id="privacy-letappsaccessphone-forceallowtheseapps">Privacy/LetAppsAccessPhone_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps" id="privacy-letappsaccessphone-forcedenytheseapps">Privacy/LetAppsAccessPhone_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps" id="privacy-letappsaccessphone-userincontroloftheseapps">Privacy/LetAppsAccessPhone_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessradios" id="privacy-letappsaccessradios">Privacy/LetAppsAccessRadios</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps" id="privacy-letappsaccessradios-forceallowtheseapps">Privacy/LetAppsAccessRadios_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps" id="privacy-letappsaccessradios-forcedenytheseapps">Privacy/LetAppsAccessRadios_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps" id="privacy-letappsaccessradios-userincontroloftheseapps">Privacy/LetAppsAccessRadios_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstasks" id="privacy-letappsaccesstasks">Privacy/LetAppsAccessTasks</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps" id="privacy-letappsaccesstasks-forceallowtheseapps">Privacy/LetAppsAccessTasks_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps" id="privacy-letappsaccesstasks-forcedenytheseapps">Privacy/LetAppsAccessTasks_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps" id="privacy-letappsaccesstasks-userincontroloftheseapps">Privacy/LetAppsAccessTasks_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices" id="privacy-letappsaccesstrusteddevices">Privacy/LetAppsAccessTrustedDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps" id="privacy-letappsaccesstrusteddevices-forceallowtheseapps">Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps" id="privacy-letappsaccesstrusteddevices-forcedenytheseapps">Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps" id="privacy-letappsaccesstrusteddevices-userincontroloftheseapps">Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsactivatewithvoice" id="privacy-letappsactivatewithvoice">Privacy/LetAppsActivateWithVoice</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock" id="privacy-letappsactivatewithvoiceabovelock">Privacy/LetAppsActivateWithVoiceAboveLock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo" id="privacy-letappsgetdiagnosticinfo">Privacy/LetAppsGetDiagnosticInfo</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps" id="privacy-letappsgetdiagnosticinfo-forceallowtheseapps">Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps" id="privacy-letappsgetdiagnosticinfo-forcedenytheseapps">Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps" id="privacy-letappsgetdiagnosticinfo-userincontroloftheseapps">Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsruninbackground" id="privacy-letappsruninbackground">Privacy/LetAppsRunInBackground</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps" id="privacy-letappsruninbackground-forceallowtheseapps">Privacy/LetAppsRunInBackground_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps" id="privacy-letappsruninbackground-forcedenytheseapps">Privacy/LetAppsRunInBackground_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps" id="privacy-letappsruninbackground-userincontroloftheseapps">Privacy/LetAppsRunInBackground_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappssyncwithdevices" id="privacy-letappssyncwithdevices">Privacy/LetAppsSyncWithDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps" id="privacy-letappssyncwithdevices-forceallowtheseapps">Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps" id="privacy-letappssyncwithdevices-forcedenytheseapps">Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps" id="privacy-letappssyncwithdevices-userincontroloftheseapps">Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-publishuseractivities" id="privacy-publishuseractivities">Privacy/PublishUserActivities</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-privacy.md#privacy-uploaduseractivities" id="privacy-uploaduseractivities">Privacy/UploadUserActivities</a>
-  </dd>
-</dl>
-
-### RemoteAssistance policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages" id="remoteassistance-customizewarningmessages">RemoteAssistance/CustomizeWarningMessages</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteassistance.md#remoteassistance-sessionlogging" id="remoteassistance-sessionlogging">RemoteAssistance/SessionLogging</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance" id="remoteassistance-solicitedremoteassistance">RemoteAssistance/SolicitedRemoteAssistance</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance" id="remoteassistance-unsolicitedremoteassistance">RemoteAssistance/UnsolicitedRemoteAssistance</a>
-  </dd>
-</dl>
-
-### RemoteDesktop policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-remotedesktop.md#remotedesktop-autosubscription" id="remotedesktop-autosubscription">RemoteDesktop/AutoSubscription</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotedesktop.md#remotedesktop-loadaadcredkeyfromprofile" id="remotedesktop-loadaadcredkeyfromprofile">RemoteDesktop/LoadAadCredKeyFromProfile</a>
-  </dd>
-</dl>
-
-### RemoteDesktopServices policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely" id="remotedesktopservices-allowuserstoconnectremotely">RemoteDesktopServices/AllowUsersToConnectRemotely</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel" id="remotedesktopservices-clientconnectionencryptionlevel">RemoteDesktopServices/ClientConnectionEncryptionLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection" id="remotedesktopservices-donotallowdriveredirection">RemoteDesktopServices/DoNotAllowDriveRedirection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving" id="remotedesktopservices-donotallowpasswordsaving">RemoteDesktopServices/DoNotAllowPasswordSaving</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection" id="remotedesktopservices-promptforpassworduponconnection">RemoteDesktopServices/PromptForPasswordUponConnection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication" id="remotedesktopservices-requiresecurerpccommunication">RemoteDesktopServices/RequireSecureRPCCommunication</a>
-  </dd>
-</dl>
-
-### RemoteManagement policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client" id="remotemanagement-allowbasicauthentication-client">RemoteManagement/AllowBasicAuthentication_Client</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service" id="remotemanagement-allowbasicauthentication-service">RemoteManagement/AllowBasicAuthentication_Service</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient" id="remotemanagement-allowcredsspauthenticationclient">RemoteManagement/AllowCredSSPAuthenticationClient</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice" id="remotemanagement-allowcredsspauthenticationservice">RemoteManagement/AllowCredSSPAuthenticationService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement" id="remotemanagement-allowremoteservermanagement">RemoteManagement/AllowRemoteServerManagement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client" id="remotemanagement-allowunencryptedtraffic-client">RemoteManagement/AllowUnencryptedTraffic_Client</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service" id="remotemanagement-allowunencryptedtraffic-service">RemoteManagement/AllowUnencryptedTraffic_Service</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication" id="remotemanagement-disallowdigestauthentication">RemoteManagement/DisallowDigestAuthentication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient" id="remotemanagement-disallownegotiateauthenticationclient">RemoteManagement/DisallowNegotiateAuthenticationClient</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice" id="remotemanagement-disallownegotiateauthenticationservice">RemoteManagement/DisallowNegotiateAuthenticationService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials" id="remotemanagement-disallowstoringofrunascredentials">RemoteManagement/DisallowStoringOfRunAsCredentials</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel" id="remotemanagement-specifychannelbindingtokenhardeninglevel">RemoteManagement/SpecifyChannelBindingTokenHardeningLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-trustedhosts" id="remotemanagement-trustedhosts">RemoteManagement/TrustedHosts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener" id="remotemanagement-turnoncompatibilityhttplistener">RemoteManagement/TurnOnCompatibilityHTTPListener</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener" id="remotemanagement-turnoncompatibilityhttpslistener">RemoteManagement/TurnOnCompatibilityHTTPSListener</a>
-  </dd>
-</dl>
-
-### RemoteProcedureCall policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication" id="remoteprocedurecall-rpcendpointmapperclientauthentication">RemoteProcedureCall/RPCEndpointMapperClientAuthentication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients" id="remoteprocedurecall-restrictunauthenticatedrpcclients">RemoteProcedureCall/RestrictUnauthenticatedRPCClients</a>
-  </dd>
-</dl>
-
-### RemoteShell policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess" id="remoteshell-allowremoteshellaccess">RemoteShell/AllowRemoteShellAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers" id="remoteshell-maxconcurrentusers">RemoteShell/MaxConcurrentUsers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteshell.md#remoteshell-specifyidletimeout" id="remoteshell-specifyidletimeout">RemoteShell/SpecifyIdleTimeout</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteshell.md#remoteshell-specifymaxmemory" id="remoteshell-specifymaxmemory">RemoteShell/SpecifyMaxMemory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses" id="remoteshell-specifymaxprocesses">RemoteShell/SpecifyMaxProcesses</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells" id="remoteshell-specifymaxremoteshells">RemoteShell/SpecifyMaxRemoteShells</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout" id="remoteshell-specifyshelltimeout">RemoteShell/SpecifyShellTimeout</a>
-  </dd>
-</dl>
-
-### RestrictedGroups policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership" id="restrictedgroups-configuregroupmembership">RestrictedGroups/ConfigureGroupMembership</a>
-  </dd>
-</dl>
-
-### Search policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowcloudsearch" id="search-allowcloudsearch">Search/AllowCloudSearch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowfindmyfiles" id="search-allowfindmyfiles">Search/AllowFindMyFiles</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowindexingencryptedstoresoritems" id="search-allowindexingencryptedstoresoritems">Search/AllowIndexingEncryptedStoresOrItems</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowsearchtouselocation" id="search-allowsearchtouselocation">Search/AllowSearchToUseLocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowstoringimagesfromvisionsearch" id="search-allowstoringimagesfromvisionsearch">Search/AllowStoringImagesFromVisionSearch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowusingdiacritics" id="search-allowusingdiacritics">Search/AllowUsingDiacritics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-allowwindowsindexer" id="search-allowwindowsindexer">Search/AllowWindowsIndexer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-alwaysuseautolangdetection" id="search-alwaysuseautolangdetection">Search/AlwaysUseAutoLangDetection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-disablebackoff" id="search-disablebackoff">Search/DisableBackoff</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-disablesearch" id="search-disablesearch">Search/DisableSearch</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-preventindexinglowdiskspacemb" id="search-preventindexinglowdiskspacemb">Search/PreventIndexingLowDiskSpaceMB</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-search.md#search-preventremotequeries" id="search-preventremotequeries">Search/PreventRemoteQueries</a>
-  </dd>
-</dl>
-
-### Security policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-security.md#security-allowaddprovisioningpackage" id="security-allowaddprovisioningpackage">Security/AllowAddProvisioningPackage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-allowautomaticdeviceencryptionforazureadjoineddevices" id="security-allowautomaticdeviceencryptionforazureadjoineddevices">Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-allowremoveprovisioningpackage" id="security-allowremoveprovisioningpackage">Security/AllowRemoveProvisioningPackage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-cleartpmifnotready" id="security-cleartpmifnotready">Security/ClearTPMIfNotReady</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-configurewindowspasswords" id="security-configurewindowspasswords">Security/ConfigureWindowsPasswords</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-preventautomaticdeviceencryptionforazureadjoineddevices" id="security-preventautomaticdeviceencryptionforazureadjoineddevices">Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-recoveryenvironmentauthentication" id="security-recoveryenvironmentauthentication">Security/RecoveryEnvironmentAuthentication</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-requiredeviceencryption" id="security-requiredeviceencryption">Security/RequireDeviceEncryption</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-requireprovisioningpackagesignature" id="security-requireprovisioningpackagesignature">Security/RequireProvisioningPackageSignature</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-security.md#security-requireretrievehealthcertificateonboot" id="security-requireretrievehealthcertificateonboot">Security/RequireRetrieveHealthCertificateOnBoot</a>
-  </dd>
-</dl>
-
-### ServiceControlManager policies
-<dl>
-  <dd>
-    <a href="./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation" id="servicecontrolmanager-svchostprocessmitigation">ServiceControlManager/SvchostProcessMitigation</a>
-  </dd>
-</dl>
-
-### Settings policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowautoplay" id="settings-allowautoplay">Settings/AllowAutoPlay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowdatasense" id="settings-allowdatasense">Settings/AllowDataSense</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowdatetime" id="settings-allowdatetime">Settings/AllowDateTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowlanguage" id="settings-allowlanguage">Settings/AllowLanguage</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowonlinetips" id="settings-allowonlinetips">Settings/AllowOnlineTips</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowpowersleep" id="settings-allowpowersleep">Settings/AllowPowerSleep</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowregion" id="settings-allowregion">Settings/AllowRegion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowsigninoptions" id="settings-allowsigninoptions">Settings/AllowSignInOptions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowvpn" id="settings-allowvpn">Settings/AllowVPN</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowworkplace" id="settings-allowworkplace">Settings/AllowWorkplace</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-allowyouraccount" id="settings-allowyouraccount">Settings/AllowYourAccount</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-configuretaskbarcalendar" id="settings-configuretaskbarcalendar">Settings/ConfigureTaskbarCalendar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-settings.md#settings-pagevisibilitylist" id="settings-pagevisibilitylist">Settings/PageVisibilityList</a>
-  </dd>
-</dl>
-
-### Windows Defender SmartScreen policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol" id="smartscreen-enableappinstallcontrol">SmartScreen/EnableAppInstallControl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell" id="smartscreen-enablesmartscreeninshell">SmartScreen/EnableSmartScreenInShell</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell" id="smartscreen-preventoverrideforfilesinshell">SmartScreen/PreventOverrideForFilesInShell</a>
-  </dd>
-</dl>
-
-### Speech policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-speech.md#speech-allowspeechmodelupdate" id="speech-allowspeechmodelupdate">Speech/AllowSpeechModelUpdate</a>
-  </dd>
-</dl>
-
-### Start policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfolderdocuments" id="start-allowpinnedfolderdocuments">Start/AllowPinnedFolderDocuments</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfolderdownloads" id="start-allowpinnedfolderdownloads">Start/AllowPinnedFolderDownloads</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfolderfileexplorer" id="start-allowpinnedfolderfileexplorer">Start/AllowPinnedFolderFileExplorer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfolderhomegroup" id="start-allowpinnedfolderhomegroup">Start/AllowPinnedFolderHomeGroup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfoldermusic" id="start-allowpinnedfoldermusic">Start/AllowPinnedFolderMusic</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfoldernetwork" id="start-allowpinnedfoldernetwork">Start/AllowPinnedFolderNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfolderpersonalfolder" id="start-allowpinnedfolderpersonalfolder">Start/AllowPinnedFolderPersonalFolder</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfolderpictures" id="start-allowpinnedfolderpictures">Start/AllowPinnedFolderPictures</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfoldersettings" id="start-allowpinnedfoldersettings">Start/AllowPinnedFolderSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-allowpinnedfoldervideos" id="start-allowpinnedfoldervideos">Start/AllowPinnedFolderVideos</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-disablecontextmenus" id="start-disablecontextmenus">Start/DisableContextMenus</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-disablecontrolcenter" id="start-disablecontrolcenter">Start/DisableControlCenter</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-disableeditingquicksettings" id="start-disableeditingquicksettings">Start/DisableEditingQuickSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-forcestartsize" id="start-forcestartsize">Start/ForceStartSize</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hideapplist" id="start-hideapplist">Start/HideAppList</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidechangeaccountsettings" id="start-hidechangeaccountsettings">Start/HideChangeAccountSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidefrequentlyusedapps" id="start-hidefrequentlyusedapps">Start/HideFrequentlyUsedApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidehibernate" id="start-hidehibernate">Start/HideHibernate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidelock" id="start-hidelock">Start/HideLock</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidepeoplebar" id="start-hidepeoplebar">Start/HidePeopleBar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidepowerbutton" id="start-hidepowerbutton">Start/HidePowerButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hiderecentjumplists" id="start-hiderecentjumplists">Start/HideRecentJumplists</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hiderecentlyaddedapps" id="start-hiderecentlyaddedapps">Start/HideRecentlyAddedApps</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hiderecommendedsection" id="start-hiderecommendedsection">Start/HideRecommendedSection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hiderestart" id="start-hiderestart">Start/HideRestart</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hideshutdown" id="start-hideshutdown">Start/HideShutDown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidesignout" id="start-hidesignout">Start/HideSignOut</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidesleep" id="start-hidesleep">Start/HideSleep</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hideswitchaccount" id="start-hideswitchaccount">Start/HideSwitchAccount</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hidetaskviewbutton" id="start-hidetaskviewbutton">Start/HideTaskViewButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-hideusertile" id="start-hideusertile">Start/HideUserTile</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-importedgeassets" id="start-importedgeassets">Start/ImportEdgeAssets</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-nopinningtotaskbar" id="start-nopinningtotaskbar">Start/NoPinningToTaskbar</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-simplifyquicksettings" id="start-simplifyquicksettings">Start/SimplifyQuickSettings</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-start.md#start-startlayout" id="start-startlayout">Start/StartLayout</a>
-  </dd>
-</dl>
-
-### Storage policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-allowdiskhealthmodelupdates" id="storage-allowdiskhealthmodelupdates">Storage/AllowDiskHealthModelUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-allowstoragesenseglobal"id="storage-allowstoragesenseglobal">Storage/AllowStorageSenseGlobal</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup"id="storage-allowstoragesensetemporaryfilescleanup">Storage/AllowStorageSenseTemporaryFilesCleanup</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold"id="storage-configstoragesensecloudcontentdehydrationthreshold">Storage/ConfigStorageSenseCloudContentDehydrationThreshold</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold"id="storage-configstoragesensedownloadscleanupthreshold">Storage/ConfigStorageSenseDownloadsCleanupThreshold</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-configstoragesenseglobalcadence"id="storage-configstoragesenseglobalcadence">Storage/ConfigStorageSenseGlobalCadence</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-configstoragesenserecyclebincleanupthreshold"id="storage-configstoragesenserecyclebincleanupthreshold">Storage/ConfigStorageSenseRecycleBinCleanupThreshold</a>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-enhancedstoragedevices" id="storage-enhancedstoragedevices">Storage/EnhancedStorageDevices</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-removablediskdenywriteaccess" id="storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperdevice" id="storage-wpddevicesdenyreadaccessperdevice">Storage/WPDDevicesDenyReadAccessPerDevice</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-wpddevicesdenyreadaccessperuser" id="storage-wpddevicesdenyreadaccessperuser">Storage/WPDDevicesDenyReadAccessPerUser</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperdevice" id="storage-wpddevicesdenywriteaccessperdevice">Storage/WPDDevicesDenyWriteAccessPerDevice</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-storage.md#storage-wpddevicesdenywriteaccessperuser" id="storage-wpddevicesdenywriteaccessperuser">Storage/WPDDevicesDenyWriteAccessPerUser</a>
-  </dd>
-</dl>
-
-### System policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowbuildpreview" id="system-allowbuildpreview">System/AllowBuildPreview</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowcommercialdatapipeline" id="system-allowcommercialdatapipeline">System/AllowCommercialDataPipeline</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowdevicenameindiagnosticdata" id="system-allowdevicenameindiagnosticdata">System/AllowDeviceNameInDiagnosticData</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowembeddedmode" id="system-allowembeddedmode">System/AllowEmbeddedMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowexperimentation" id="system-allowexperimentation">System/AllowExperimentation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowfontproviders" id="system-allowfontproviders">System/AllowFontProviders</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowlocation" id="system-allowlocation">System/AllowLocation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowstoragecard" id="system-allowstoragecard">System/AllowStorageCard</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowtelemetry" id="system-allowtelemetry">System/AllowTelemetry</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-allowusertoresetphone" id="system-allowusertoresetphone">System/AllowUserToResetPhone</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-bootstartdriverinitialization" id="system-bootstartdriverinitialization">System/BootStartDriverInitialization</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-configuremicrosoft365uploadendpoint" id="system-configuremicrosoft365uploadendpoint">System/ConfigureMicrosoft365UploadEndpoint</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-configuretelemetryoptinchangenotification" id="system-configuretelemetryoptinchangenotification">System/ConfigureTelemetryOptInChangeNotification</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-configuretelemetryoptinsettingsux" id="system-configuretelemetryoptinsettingsux">System/ConfigureTelemetryOptInSettingsUx</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-disabledevicedelete" id="system-disabledevicedelete">System/DisableDeviceDelete</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-disablediagnosticdataviewer" id="system-disablediagnosticdataviewer">System/DisableDiagnosticDataViewer</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-disableenterpriseauthproxy" id="system-disableenterpriseauthproxy">System/DisableEnterpriseAuthProxy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-disableonedrivefilesync" id="system-disableonedrivefilesync">System/DisableOneDriveFileSync</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-disablesystemrestore" id="system-disablesystemrestore">System/DisableSystemRestore</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-feedbackhubalwayssavediagnosticslocally" id="system-feedbackhubalwayssavediagnosticslocally">System/FeedbackHubAlwaysSaveDiagnosticsLocally</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-limitdiagnosticlogcollection" id="system-limitdiagnosticlogcollection">System/LimitDiagnosticLogCollection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-limitdumpcollection" id="system-limitdumpcollection">System/LimitDumpCollection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics" id="system-limitenhanceddiagnosticdatawindowsanalytics">System/LimitEnhancedDiagnosticDataWindowsAnalytics</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-telemetryproxy" id="system-telemetryproxy">System/TelemetryProxy</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-system.md#system-turnofffilehistory" id="system-turnofffilehistory">System/TurnOffFileHistory</a>
-  </dd>
-</dl>
-
-### SystemServices policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode" id="systemservices-configurehomegrouplistenerservicestartupmode">SystemServices/ConfigureHomeGroupListenerServiceStartupMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode" id="systemservices-configurehomegroupproviderservicestartupmode">SystemServices/ConfigureHomeGroupProviderServiceStartupMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode" id="systemservices-configurexboxaccessorymanagementservicestartupmode">SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode" id="systemservices-configurexboxliveauthmanagerservicestartupmode">SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode" id="systemservices-configurexboxlivegamesaveservicestartupmode">SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode" id="systemservices-configurexboxlivenetworkingservicestartupmode">SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode</a>
-  </dd>
-</dl>
-
-### TaskManager policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-taskmanager.md#taskmanager-allowendtask" id="taskmanager-allowendtask">TaskManager/AllowEndTask</a>
-  </dd>
-</dl>
-
-### TaskScheduler policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-taskscheduler.md#taskscheduler-enablexboxgamesavetask" id="taskscheduler-enablexboxgamesavetask">TaskScheduler/EnableXboxGameSaveTask</a>
-  </dd>
-</dl>
-
-### TextInput policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowhardwarekeyboardtextsuggestions" id="textinput-allowhardwarekeyboardtextsuggestions">TextInput/AllowHardwareKeyboardTextSuggestions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowimelogging" id="textinput-allowimelogging">TextInput/AllowIMELogging</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowimenetworkaccess" id="textinput-allowimenetworkaccess">TextInput/AllowIMENetworkAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowinputpanel" id="textinput-allowinputpanel">TextInput/AllowInputPanel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters" id="textinput-allowjapaneseimesurrogatepaircharacters">TextInput/AllowJapaneseIMESurrogatePairCharacters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowjapaneseivscharacters" id="textinput-allowjapaneseivscharacters">TextInput/AllowJapaneseIVSCharacters</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph" id="textinput-allowjapanesenonpublishingstandardglyph">TextInput/AllowJapaneseNonPublishingStandardGlyph</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowjapaneseuserdictionary" id="textinput-allowjapaneseuserdictionary">TextInput/AllowJapaneseUserDictionary</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowkeyboardtextsuggestions" id="textinput-allowkeyboardtextsuggestions">TextInput/AllowKeyboardTextSuggestions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowkoreanextendedhanja" id="textinput-allowkoreanextendedhanja">TextInput/AllowKoreanExtendedHanja</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall" id="textinput-allowlanguagefeaturesuninstall">TextInput/AllowLanguageFeaturesUninstall</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowlinguisticdatacollection" id="textinput-allowlinguisticdatacollection">TextInput/AllowLinguisticDataCollection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-allowtextinputsuggestionupdate"id="textinput-allowtextinputsuggestionupdate">TextInput/AllowTextInputSuggestionUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-configurejapaneseimeversion"id="textinput-configurejapaneseimeversion">TextInput/ConfigureJapaneseIMEVersion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion"id="textinput-configuresimplifiedchineseimeversion">TextInput/ConfigureSimplifiedChineseIMEVersion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion"id="textinput-configuretraditionalchineseimeversion">TextInput/ConfigureTraditionalChineseIMEVersion</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-enabletouchkeyboardautoinvokeindesktopmode" id="textinput-enabletouchkeyboardautoinvokeindesktopmode">TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208" id="textinput-excludejapaneseimeexceptjis0208">TextInput/ExcludeJapaneseIMEExceptJIS0208</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc" id="textinput-excludejapaneseimeexceptjis0208andeudc">TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis" id="textinput-excludejapaneseimeexceptshiftjis">TextInput/ExcludeJapaneseIMEExceptShiftJIS</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-forcetouchkeyboarddockedstate" id="textinput-forcetouchkeyboarddockedstate">TextInput/ForceTouchKeyboardDockedState</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-touchkeyboarddictationbuttonavailability" id="textinput-touchkeyboarddictationbuttonavailability">TextInput/TouchKeyboardDictationButtonAvailability</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-touchkeyboardemojibuttonavailability" id="textinput-touchkeyboardemojibuttonavailability">TextInput/TouchKeyboardEmojiButtonAvailability</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-touchkeyboardfullmodeavailability" id="textinput-touchkeyboardfullmodeavailability">TextInput/TouchKeyboardFullModeAvailability</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-touchkeyboardhandwritingmodeavailability" id="textinput-touchkeyboardhandwritingmodeavailability">TextInput/TouchKeyboardHandwritingModeAvailability</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-touchkeyboardnarrowmodeavailability" id="textinput-touchkeyboardnarrowmodeavailability">TextInput/TouchKeyboardNarrowModeAvailability</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-touchkeyboardsplitmodeavailability" id="textinput-touchkeyboardsplitmodeavailability">TextInput/TouchKeyboardSplitModeAvailability</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-textinput.md#textinput-touchkeyboardwidemodeavailability" id="textinput-touchkeyboardwidemodeavailability">TextInput/TouchKeyboardWideModeAvailability</a>
-  </dd>
-</dl>
-
-### TimeLanguageSettings policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks" id="timelanguagesettings-blockcleanupofunusedpreinstalledlangpacks">TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone" id="timelanguagesettings-configuretimezone">TimeLanguageSettings/ConfigureTimeZone</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-machineuilanguageoverwrite" id="timelanguagesettings-machineuilanguageoverwrite">TimeLanguageSettings/MachineUILanguageOverwrite</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-timelanguagesettings.md#timelanguagesettings-restrictlanguagepacksandfeaturesinstall" id="timelanguagesettings-restrictlanguagepacksandfeaturesinstall">TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall</a>
-  </dd>
-</dl>
-
-### Troubleshooting policies
-
-<dl>
-   <dd>
-    <a href="./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations" id="troubleshooting-allowrecommendations">Troubleshooting/AllowRecommendations</a>
-  </dd>
-</dl>
-
-### Update policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-update.md#update-activehoursend" id="update-activehoursend">Update/ActiveHoursEnd</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-activehoursmaxrange" id="update-activehoursmaxrange">Update/ActiveHoursMaxRange</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-activehoursstart" id="update-activehoursstart">Update/ActiveHoursStart</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-allowautoupdate" id="update-allowautoupdate">Update/AllowAutoUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork" id="update-allowautowindowsupdatedownloadovermeterednetwork">Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-allowmuupdateservice" id="update-allowmuupdateservice">Update/AllowMUUpdateService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-allownonmicrosoftsignedupdate" id="update-allownonmicrosoftsignedupdate">Update/AllowNonMicrosoftSignedUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-allowupdateservice" id="update-allowupdateservice">Update/AllowUpdateService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-autorestartdeadlineperiodindays" id="update-autorestartdeadlineperiodindays">Update/AutoRestartDeadlinePeriodInDays</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates" id="update-autorestartdeadlineperiodindaysforfeatureupdates">Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-autorestartnotificationschedule" id="update-autorestartnotificationschedule">Update/AutoRestartNotificationSchedule</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-autorestartrequirednotificationdismissal" id="update-autorestartrequirednotificationdismissal">Update/AutoRestartRequiredNotificationDismissal</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-automaticmaintenancewakeup" id="update-automaticmaintenancewakeup">Update/AutomaticMaintenanceWakeUp</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-branchreadinesslevel" id="update-branchreadinesslevel">Update/BranchReadinessLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-configuredeadlineforfeatureupdates" id="update-configuredeadlineforfeatureupdates">Update/ConfigureDeadlineForFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-configuredeadlineforqualityupdates" id="update-configuredeadlineforqualityupdates">Update/ConfigureDeadlineForQualityUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-configuredeadlinegraceperiod" id="update-configuredeadlinegraceperiod">Update/ConfigureDeadlineGracePeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-configuredeadlinegraceperiodforfeatureupdates" id="update-configuredeadlinegraceperiodforfeatureupdates">Update/ConfigureDeadlineGracePeriodForFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-configuredeadlinenoautoreboot" id="update-configuredeadlinenoautoreboot">Update/ConfigureDeadlineNoAutoReboot</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-configurefeatureupdateuninstallperiod" id="update-configurefeatureupdateuninstallperiod">Update/ConfigureFeatureUpdateUninstallPeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-deferfeatureupdatesperiodindays" id="update-deferfeatureupdatesperiodindays">Update/DeferFeatureUpdatesPeriodInDays</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-deferqualityupdatesperiodindays" id="update-deferqualityupdatesperiodindays">Update/DeferQualityUpdatesPeriodInDays</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-deferupdateperiod" id="update-deferupdateperiod">Update/DeferUpdatePeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-deferupgradeperiod" id="update-deferupgradeperiod">Update/DeferUpgradePeriod</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-detectionfrequency" id="update-detectionfrequency">Update/DetectionFrequency</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-disabledualscan" id="update-disabledualscan">Update/DisableDualScan</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-disablewufbsafeguards" id="update-disablewufbsafeguards">Update/DisableWUfBSafeguards</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-donotenforceenterprisetlscertpinningforupdatedetection" id="update-donotenforceenterprisetlscertpinningforupdatedetection">Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-engagedrestartdeadline" id="update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates" id="update-engagedrestartdeadlineforfeatureupdates">Update/EngagedRestartDeadlineForFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-engagedrestartsnoozeschedule" id="update-engagedrestartsnoozeschedule">Update/EngagedRestartSnoozeSchedule</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates" id="update-engagedrestartsnoozescheduleforfeatureupdates">Update/EngagedRestartSnoozeScheduleForFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-engagedrestarttransitionschedule" id="update-engagedrestarttransitionschedule">Update/EngagedRestartTransitionSchedule</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates" id="update-engagedrestarttransitionscheduleforfeatureupdates">Update/EngagedRestartTransitionScheduleForFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-excludewudriversinqualityupdate" id="update-excludewudriversinqualityupdate">Update/ExcludeWUDriversInQualityUpdate</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-fillemptycontenturls" id="update-fillemptycontenturls">Update/FillEmptyContentUrls</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-ignoremoappdownloadlimit" id="update-ignoremoappdownloadlimit">Update/IgnoreMOAppDownloadLimit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-ignoremoupdatedownloadlimit" id="update-ignoremoupdatedownloadlimit">Update/IgnoreMOUpdateDownloadLimit</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-managepreviewbuilds" id="update-managepreviewbuilds">Update/ManagePreviewBuilds</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-pausedeferrals" id="update-pausedeferrals">Update/PauseDeferrals</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-pausefeatureupdates" id="update-pausefeatureupdates">Update/PauseFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-pausefeatureupdatesstarttime" id="update-pausefeatureupdatesstarttime">Update/PauseFeatureUpdatesStartTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-pausequalityupdates" id="update-pausequalityupdates">Update/PauseQualityUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-pausequalityupdatesstarttime" id="update-pausequalityupdatesstarttime">Update/PauseQualityUpdatesStartTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-phoneupdaterestrictions" id="update-phoneupdaterestrictions">Update/PhoneUpdateRestrictions</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-requiredeferupgrade" id="update-requiredeferupgrade">Update/RequireDeferUpgrade</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-requireupdateapproval" id="update-requireupdateapproval">Update/RequireUpdateApproval</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduleimminentrestartwarning" id="update-scheduleimminentrestartwarning">Update/ScheduleImminentRestartWarning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-schedulerestartwarning" id="update-schedulerestartwarning">Update/ScheduleRestartWarning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduledinstallday" id="update-scheduledinstallday">Update/ScheduledInstallDay</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduledinstalleveryweek" id="update-scheduledinstalleveryweek">Update/ScheduledInstallEveryWeek</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduledinstallfirstweek" id="update-scheduledinstallfirstweek">Update/ScheduledInstallFirstWeek</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduledinstallfourthweek" id="update-scheduledinstallfourthweek">Update/ScheduledInstallFourthWeek</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduledinstallsecondweek" id="update-scheduledinstallsecondweek">Update/ScheduledInstallSecondWeek</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduledinstallthirdweek" id="update-scheduledinstallthirdweek">Update/ScheduledInstallThirdWeek</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-scheduledinstalltime" id="update-scheduledinstalltime">Update/ScheduledInstallTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setautorestartnotificationdisable" id="update-setautorestartnotificationdisable">Update/SetAutoRestartNotificationDisable</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setdisablepauseuxaccess" id="update-setdisablepauseuxaccess">Update/SetDisablePauseUXAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setdisableuxwuaccess" id="update-setdisableuxwuaccess">Update/SetDisableUXWUAccess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setedurestart" id="update-setedurestart">Update/SetEDURestart</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setpolicydrivenupdatesourcefordriverupdates" id="update-setpolicydrivenupdatesourcefordriverupdates">Update/SetPolicyDrivenUpdateSourceForDriverUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setpolicydrivenupdatesourceforfeatureupdates" id="update-setpolicydrivenupdatesourceforfeatureupdates">Update/SetPolicyDrivenUpdateSourceForFeatureUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setpolicydrivenupdatesourceforotherupdates" id="update-setpolicydrivenupdatesourceforotherupdates">Update/SetPolicyDrivenUpdateSourceForOtherUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setpolicydrivenupdatesourceforqualityupdates" id="update-setpolicydrivenupdatesourceforqualityupdates">Update/SetPolicyDrivenUpdateSourceForQualityUpdates</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-setproxybehaviorforupdatedetection"id="update-setproxybehaviorforupdatedetection">Update/SetProxyBehaviorForUpdateDetection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-targetreleaseversion"id="update-targetreleaseversion">Update/TargetReleaseVersion</a>
-  </dd>
-  <dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-updatenotificationlevel" id="update-updatenotificationlevel">Update/UpdateNotificationLevel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-updateserviceurl" id="update-updateserviceurl">Update/UpdateServiceUrl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-update.md#update-updateserviceurlalternate" id="update-updateserviceurlalternate">Update/UpdateServiceUrlAlternate</a>
-  </dd>
-</dl>
-
-### UserRights policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller" id="userrights-accesscredentialmanagerastrustedcaller">UserRights/AccessCredentialManagerAsTrustedCaller</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-accessfromnetwork" id="userrights-accessfromnetwork">UserRights/AccessFromNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem" id="userrights-actaspartoftheoperatingsystem">UserRights/ActAsPartOfTheOperatingSystem</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-allowlocallogon" id="userrights-allowlocallogon">UserRights/AllowLocalLogOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-backupfilesanddirectories" id="userrights-backupfilesanddirectories">UserRights/BackupFilesAndDirectories</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-changesystemtime" id="userrights-changesystemtime">UserRights/ChangeSystemTime</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-createglobalobjects" id="userrights-createglobalobjects">UserRights/CreateGlobalObjects</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-createpagefile" id="userrights-createpagefile">UserRights/CreatePageFile</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-createpermanentsharedobjects" id="userrights-createpermanentsharedobjects">UserRights/CreatePermanentSharedObjects</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-createsymboliclinks" id="userrights-createsymboliclinks">UserRights/CreateSymbolicLinks</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-createtoken" id="userrights-createtoken">UserRights/CreateToken</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-debugprograms" id="userrights-debugprograms">UserRights/DebugPrograms</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-denyaccessfromnetwork" id="userrights-denyaccessfromnetwork">UserRights/DenyAccessFromNetwork</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-denylocallogon" id="userrights-denylocallogon">UserRights/DenyLocalLogOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon" id="userrights-denyremotedesktopserviceslogon">UserRights/DenyRemoteDesktopServicesLogOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-enabledelegation" id="userrights-enabledelegation">UserRights/EnableDelegation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-generatesecurityaudits" id="userrights-generatesecurityaudits">UserRights/GenerateSecurityAudits</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-impersonateclient" id="userrights-impersonateclient">UserRights/ImpersonateClient</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-increaseschedulingpriority" id="userrights-increaseschedulingpriority">UserRights/IncreaseSchedulingPriority</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-loadunloaddevicedrivers" id="userrights-loadunloaddevicedrivers">UserRights/LoadUnloadDeviceDrivers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-lockmemory" id="userrights-lockmemory">UserRights/LockMemory</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-manageauditingandsecuritylog" id="userrights-manageauditingandsecuritylog">UserRights/ManageAuditingAndSecurityLog</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-managevolume" id="userrights-managevolume">UserRights/ManageVolume</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-modifyfirmwareenvironment" id="userrights-modifyfirmwareenvironment">UserRights/ModifyFirmwareEnvironment</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-modifyobjectlabel" id="userrights-modifyobjectlabel">UserRights/ModifyObjectLabel</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-profilesingleprocess" id="userrights-profilesingleprocess">UserRights/ProfileSingleProcess</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-remoteshutdown" id="userrights-remoteshutdown">UserRights/RemoteShutdown</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-restorefilesanddirectories" id="userrights-restorefilesanddirectories">UserRights/RestoreFilesAndDirectories</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-userrights.md#userrights-takeownership" id="userrights-takeownership">UserRights/TakeOwnership</a>
-  </dd>
-</dl>
-
-### VirtualizationBasedTechnology policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-virtualizationbasedtechnology.md#virtualizationbasedtechnology-hypervisorenforcedcodeintegrity" id="virtualizationbasedtechnology-hypervisorenforcedcodeintegrity">VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-virtualizationbasedtechnology.md#virtualizationbasedtechnology-requireuefimemoryattributestable" id="virtualizationbasedtechnology-requireuefimemoryattributestable">VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable</a>
-  </dd>
-</dl>
-
-### WebThreatDefense policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-enableservice" id="webthreatdefense-enableservice">WebThreatDefense/EnableService</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifymalicious" id="webthreatdefense-notifymalicious">WebThreatDefense/NotifyMalicious</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifypasswordreuse" id="webthreatdefense-notifypasswordreuse">WebThreatDefense/NotifyPasswordReuse</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifyunsafeapp" id="webthreatdefense-notifyunsafeapp">WebThreatDefense/NotifyUnsafeApp</a>
-  </dd>
-</dl>
-
-### Wifi policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-wifi.md#wifi-allowwifihotspotreporting" id="wifi-allowwifihotspotreporting">WiFi/AllowWiFiHotSpotReporting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots" id="wifi-allowautoconnecttowifisensehotspots">Wifi/AllowAutoConnectToWiFiSenseHotspots</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wifi.md#wifi-allowinternetsharing" id="wifi-allowinternetsharing">Wifi/AllowInternetSharing</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wifi.md#wifi-allowmanualwificonfiguration" id="wifi-allowmanualwificonfiguration">Wifi/AllowManualWiFiConfiguration</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wifi.md#wifi-allowwifi" id="wifi-allowwifi">Wifi/AllowWiFi</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wifi.md#wifi-allowwifidirect" id="wifi-allowwifidirect">Wifi/AllowWiFiDirect</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wifi.md#wifi-wlanscanmode" id="wifi-wlanscanmode">Wifi/WLANScanMode</a>
-  </dd>
-</dl>
-
-### WindowsAutoPilot policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-windowsautopilot.md#windowsautopilot-enableagilitypostenrollment" id="windowsautopilot-enableagilitypostenrollment">WindowsAutoPilot/EnableAgilityPostEnrollment</a>
-  </dd>
-</dl>
-
-### WindowsConnectionManager policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork" id="windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork">WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork</a>
-  </dd>
-</dl>
-
-### WindowsDefenderSecurityCenter policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname" id="windowsdefendersecuritycenter-companyname">WindowsDefenderSecurityCenter/CompanyName</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui" id="windowsdefendersecuritycenter-disableaccountprotectionui">WindowsDefenderSecurityCenter/DisableAccountProtectionUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui" id="windowsdefendersecuritycenter-disableappbrowserui">WindowsDefenderSecurityCenter/DisableAppBrowserUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton" id="windowsdefendersecuritycenter-disablecleartpmbutton">WindowsDefenderSecurityCenter/DisableClearTpmButton</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui" id="windowsdefendersecuritycenter-disabledevicesecurityui">WindowsDefenderSecurityCenter/DisableDeviceSecurityUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications" id="windowsdefendersecuritycenter-disableenhancednotifications">WindowsDefenderSecurityCenter/DisableEnhancedNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui" id="windowsdefendersecuritycenter-disablefamilyui">WindowsDefenderSecurityCenter/DisableFamilyUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui" id="windowsdefendersecuritycenter-disablehealthui">WindowsDefenderSecurityCenter/DisableHealthUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui" id="windowsdefendersecuritycenter-disablenetworkui">WindowsDefenderSecurityCenter/DisableNetworkUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications" id="windowsdefendersecuritycenter-disablenotifications">WindowsDefenderSecurityCenter/DisableNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning" id="windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning">WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui" id="windowsdefendersecuritycenter-disablevirusui">WindowsDefenderSecurityCenter/DisableVirusUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride" id="windowsdefendersecuritycenter-disallowexploitprotectionoverride">WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email" id="windowsdefendersecuritycenter-email">WindowsDefenderSecurityCenter/Email</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts" id="windowsdefendersecuritycenter-enablecustomizedtoasts">WindowsDefenderSecurityCenter/EnableCustomizedToasts</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization" id="windowsdefendersecuritycenter-enableinappcustomization">WindowsDefenderSecurityCenter/EnableInAppCustomization</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery" id="windowsdefendersecuritycenter-hideransomwaredatarecovery">WindowsDefenderSecurityCenter/HideRansomwareDataRecovery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot" id="windowsdefendersecuritycenter-hidesecureboot">WindowsDefenderSecurityCenter/HideSecureBoot</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting" id="windowsdefendersecuritycenter-hidetpmtroubleshooting">WindowsDefenderSecurityCenter/HideTPMTroubleshooting</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol" id="windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol">WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone" id="windowsdefendersecuritycenter-phone">WindowsDefenderSecurityCenter/Phone</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url" id="windowsdefendersecuritycenter-url">WindowsDefenderSecurityCenter/URL</a>
-  </dd>
-</dl>
-
-### WindowsInkWorkspace policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace" id="windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace">WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace" id="windowsinkworkspace-allowwindowsinkworkspace">WindowsInkWorkspace/AllowWindowsInkWorkspace</a>
-  </dd>
-</dl>
-
-### WindowsLogon policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon" id="windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon" id="windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications" id="windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui" id="windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" id="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-enablemprnotifications" id="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers" id="windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching" id="windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
-  </dd>
-  </dl>
-
-### WindowsPowerShell policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging" id="windowspowershell-turnonpowershellscriptblocklogging">WindowsPowerShell/TurnOnPowerShellScriptBlockLogging</a>
-  </dd>
-</dl>
-
-### WindowsSandbox policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowaudioinput" id="windowssandbox-allowaudioinput">WindowsSandbox/AllowAudioInput</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection" id="windowssandbox-allowclipboardredirection">WindowsSandbox/AllowClipboardRedirection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowssandbox.md#windowssandbox-allownetworking" id="windowssandbox-allownetworking">WindowsSandbox/AllowNetworking</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection" id="windowssandbox-allowprinterredirection">WindowsSandbox/AllowPrinterRedirection</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowvgpu" id="windowssandbox-allowvgpu">WindowsSandbox/AllowVGPU</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-windowssandbox.md#windowssandbox-allowvideoinput" id="windowssandbox-allowvideoinput">WindowsSandbox/AllowVideoInput</a>
-  </dd>
-</dl>
-
-### WirelessDisplay policies
-
-<dl>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsadvertisement" id="wirelessdisplay-allowmdnsadvertisement">WirelessDisplay/AllowMdnsAdvertisement</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery" id="wirelessdisplay-allowmdnsdiscovery">WirelessDisplay/AllowMdnsDiscovery</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowmovementdetectiononinfrastructure" id="wirelessdisplay-allowmovementdetectiononinfrastructure">WirelessDisplay/AllowMovementDetectionOnInfrastructure</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc" id="wirelessdisplay-allowprojectionfrompc">WirelessDisplay/AllowProjectionFromPC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompcoverinfrastructure" id="wirelessdisplay-allowprojectionfrompcoverinfrastructure">WirelessDisplay/AllowProjectionFromPCOverInfrastructure</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc" id="wirelessdisplay-allowprojectiontopc">WirelessDisplay/AllowProjectionToPC</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopcoverinfrastructure" id="wirelessdisplay-allowprojectiontopcoverinfrastructure">WirelessDisplay/AllowProjectionToPCOverInfrastructure</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver" id="wirelessdisplay-allowuserinputfromwirelessdisplayreceiver">WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver</a>
-  </dd>
-  <dd>
-    <a href="./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing" id="wirelessdisplay-requirepinforpairing">WirelessDisplay/RequirePinForPairing</a>
-  </dd>
-</dl>
-
-
-## Policies in Policy CSP supported by Group Policy and ADMX-backed policies in Policy CSP
-- [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md)
-- [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
-
-> [!NOTE]
-> Not all Policies in Policy CSP supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
-
-## Policies in Policy CSP supported by HoloLens devices
-- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md)
-- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
-- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
-
-## Policies in Policy CSP supported by Windows 10 IoT
-- [Policies in Policy CSP supported by Windows 10 IoT Core](./policies-in-policy-csp-supported-by-iot-core.md)
-
-## Policies in Policy CSP supported by Microsoft Surface Hub
-- [Policies in Policy CSP supported by Microsoft Surface Hub](./policies-in-policy-csp-supported-by-surface-hub.md)
-
-## Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)
-- [Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)](./policies-in-policy-csp-that-can-be-set-using-eas.md)
-
-## Related topics
-
-[Configuration service provider reference](index.yml)
+<!-- Device-ConfigOperations-ADMXInstall-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+<!-- Device-ConfigOperations-ADMXInstall-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Begin -->
+#### Device/ConfigOperations/ADMXInstall/{AppName}
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
+```
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Description-Begin -->
+Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Begin -->
+##### Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}
+```
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Description-Begin -->
+Setting Type of Win32 App. Policy Or Preference
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Begin -->
+###### Device/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId}
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingsType}/{AdmxFileId}
+```
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Description-Begin -->
+Unique ID of ADMX file
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-{SettingsType}-{AdmxFileId}-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Begin -->
+##### Device/ConfigOperations/ADMXInstall/{AppName}/Properties
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later <br> :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later <br> :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later <br> :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later <br> :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties
+```
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Description-Begin -->
+Properties of Win32 App ADMX Ingestion
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Begin -->
+###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later <br> :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later <br> :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later <br> :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later <br> :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}
+```
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Description-Begin -->
+Setting Type of Win32 App. Policy Or Preference
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | UniqueName: Setting Type of Win32 App. Policy Or Preference |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Begin -->
+###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later <br> :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later <br> :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later <br> :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later <br> :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}
+```
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Description-Begin -->
+Unique ID of ADMX file
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Begin -->
+###### Device/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299.1481] and later <br> :heavy_check_mark: Windows 10, version 1803 [10.0.17134.1099] and later <br> :heavy_check_mark: Windows 10, version 1809 [10.0.17763.832] and later <br> :heavy_check_mark: Windows 10, version 1903 [10.0.18362.387] and later <br> :heavy_check_mark: Windows 10, version 1909 [10.0.18363] and later |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Applicability-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/Properties/{SettingsType}/{AdmxFileId}/Version
+```
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-OmaUri-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Description-Begin -->
+Version of ADMX file.  This can be set by the server to keep a record of the versioning of the ADMX file ingested by the device.
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Description-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Editable-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-DFProperties-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-Examples-End -->
+
+<!-- Device-ConfigOperations-ADMXInstall-{AppName}-Properties-{SettingsType}-{AdmxFileId}-Version-End -->
+
+<!-- Device-Result-Begin -->
+## Device/Result
+
+<!-- Device-Result-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- Device-Result-Applicability-End -->
+
+<!-- Device-Result-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Result
+```
+<!-- Device-Result-OmaUri-End -->
+
+<!-- Device-Result-Description-Begin -->
+Groups the evaluated policies from all providers that can be configured.
+<!-- Device-Result-Description-End -->
+
+<!-- Device-Result-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Result-Editable-End -->
+
+<!-- Device-Result-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- Device-Result-DFProperties-End -->
+
+<!-- Device-Result-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Result-Examples-End -->
+
+<!-- Device-Result-End -->
+
+<!-- Device-Result-{AreaName}-Begin -->
+### Device/Result/{AreaName}
+
+<!-- Device-Result-{AreaName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- Device-Result-{AreaName}-Applicability-End -->
+
+<!-- Device-Result-{AreaName}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Result/{AreaName}
+```
+<!-- Device-Result-{AreaName}-OmaUri-End -->
+
+<!-- Device-Result-{AreaName}-Description-Begin -->
+The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+<!-- Device-Result-{AreaName}-Description-End -->
+
+<!-- Device-Result-{AreaName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Result-{AreaName}-Editable-End -->
+
+<!-- Device-Result-{AreaName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Result-{AreaName}-DFProperties-End -->
+
+<!-- Device-Result-{AreaName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Result-{AreaName}-Examples-End -->
+
+<!-- Device-Result-{AreaName}-End -->
+
+<!-- Device-Result-{AreaName}-{PolicyName}-Begin -->
+#### Device/Result/{AreaName}/{PolicyName}
+
+<!-- Device-Result-{AreaName}-{PolicyName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- Device-Result-{AreaName}-{PolicyName}-Applicability-End -->
+
+<!-- Device-Result-{AreaName}-{PolicyName}-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName}
+```
+<!-- Device-Result-{AreaName}-{PolicyName}-OmaUri-End -->
+
+<!-- Device-Result-{AreaName}-{PolicyName}-Description-Begin -->
+Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
+<!-- Device-Result-{AreaName}-{PolicyName}-Description-End -->
+
+<!-- Device-Result-{AreaName}-{PolicyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Device-Result-{AreaName}-{PolicyName}-Editable-End -->
+
+<!-- Device-Result-{AreaName}-{PolicyName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- Device-Result-{AreaName}-{PolicyName}-DFProperties-End -->
+
+<!-- Device-Result-{AreaName}-{PolicyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Device-Result-{AreaName}-{PolicyName}-Examples-End -->
+
+<!-- Device-Result-{AreaName}-{PolicyName}-End -->
+
+<!-- User-Config-Begin -->
+## User/Config
+
+<!-- User-Config-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | <!-- Not-Found --> |
+<!-- User-Config-Applicability-End -->
+
+<!-- User-Config-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config
+```
+<!-- User-Config-OmaUri-End -->
+
+<!-- User-Config-Description-Begin -->
+Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
+<!-- User-Config-Description-End -->
+
+<!-- User-Config-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- User-Config-Editable-End -->
+
+<!-- User-Config-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+<!-- User-Config-DFProperties-End -->
+
+<!-- User-Config-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- User-Config-Examples-End -->
+
+<!-- User-Config-End -->
+
+<!-- User-Config-{AreaName}-Begin -->
+### User/Config/{AreaName}
+
+<!-- User-Config-{AreaName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | <!-- Not-Found --> |
+<!-- User-Config-{AreaName}-Applicability-End -->
+
+<!-- User-Config-{AreaName}-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/{AreaName}
+```
+<!-- User-Config-{AreaName}-OmaUri-End -->
+
+<!-- User-Config-{AreaName}-Description-Begin -->
+The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.  See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+<!-- User-Config-{AreaName}-Description-End -->
+
+<!-- User-Config-{AreaName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+The following list shows some tips to help you when configuring policies:
+
+- Separate substring values by Unicode `0xF000` in the XML file.
+    > [!NOTE]
+    > A query from a different caller could provide a different value as each caller could have different values for a named policy.
+- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
+- Supported operations are Add, Get, Delete, and Replace.
+- Value type is string.
+<!-- User-Config-{AreaName}-Editable-End -->
+
+<!-- User-Config-{AreaName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Add, Delete, Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- User-Config-{AreaName}-DFProperties-End -->
+
+<!-- User-Config-{AreaName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- User-Config-{AreaName}-Examples-End -->
+
+<!-- User-Config-{AreaName}-End -->
+
+<!-- User-Config-{AreaName}-{PolicyName}-Begin -->
+#### User/Config/{AreaName}/{PolicyName}
+
+<!-- User-Config-{AreaName}-{PolicyName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | <!-- Not-Found --> |
+<!-- User-Config-{AreaName}-{PolicyName}-Applicability-End -->
+
+<!-- User-Config-{AreaName}-{PolicyName}-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}
+```
+<!-- User-Config-{AreaName}-{PolicyName}-OmaUri-End -->
+
+<!-- User-Config-{AreaName}-{PolicyName}-Description-Begin -->
+Specifies the name/value pair used in the policy.  See the individual Area DDFs for more information about the policies available to configure.
+<!-- User-Config-{AreaName}-{PolicyName}-Description-End -->
+
+<!-- User-Config-{AreaName}-{PolicyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- User-Config-{AreaName}-{PolicyName}-Editable-End -->
+
+<!-- User-Config-{AreaName}-{PolicyName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Add, Delete, Get, Replace |
+| Dynamic Node Naming | ClientInventory |
+<!-- User-Config-{AreaName}-{PolicyName}-DFProperties-End -->
+
+<!-- User-Config-{AreaName}-{PolicyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- User-Config-{AreaName}-{PolicyName}-Examples-End -->
+
+<!-- User-Config-{AreaName}-{PolicyName}-End -->
+
+<!-- User-Result-Begin -->
+## User/Result
+
+<!-- User-Result-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | <!-- Not-Found --> |
+<!-- User-Result-Applicability-End -->
+
+<!-- User-Result-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Result
+```
+<!-- User-Result-OmaUri-End -->
+
+<!-- User-Result-Description-Begin -->
+Groups the evaluated policies from all providers that can be configured.
+<!-- User-Result-Description-End -->
+
+<!-- User-Result-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- User-Result-Editable-End -->
+
+<!-- User-Result-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+<!-- User-Result-DFProperties-End -->
+
+<!-- User-Result-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- User-Result-Examples-End -->
+
+<!-- User-Result-End -->
+
+<!-- User-Result-{AreaName}-Begin -->
+### User/Result/{AreaName}
+
+<!-- User-Result-{AreaName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | <!-- Not-Found --> |
+<!-- User-Result-{AreaName}-Applicability-End -->
+
+<!-- User-Result-{AreaName}-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Result/{AreaName}
+```
+<!-- User-Result-{AreaName}-OmaUri-End -->
+
+<!-- User-Result-{AreaName}-Description-Begin -->
+The area group that can be configured by a single technology independent of the providers. See the individual Area DDFs for Policy CSP for a list of Areas that can be configured.
+<!-- User-Result-{AreaName}-Description-End -->
+
+<!-- User-Result-{AreaName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- User-Result-{AreaName}-Editable-End -->
+
+<!-- User-Result-{AreaName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | node |
+| Access Type | Get |
+| Dynamic Node Naming | ClientInventory |
+<!-- User-Result-{AreaName}-DFProperties-End -->
+
+<!-- User-Result-{AreaName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- User-Result-{AreaName}-Examples-End -->
+
+<!-- User-Result-{AreaName}-End -->
+
+<!-- User-Result-{AreaName}-{PolicyName}-Begin -->
+#### User/Result/{AreaName}/{PolicyName}
+
+<!-- User-Result-{AreaName}-{PolicyName}-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | <!-- Not-Found --> |
+<!-- User-Result-{AreaName}-{PolicyName}-Applicability-End -->
+
+<!-- User-Result-{AreaName}-{PolicyName}-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Result/{AreaName}/{PolicyName}
+```
+<!-- User-Result-{AreaName}-{PolicyName}-OmaUri-End -->
+
+<!-- User-Result-{AreaName}-{PolicyName}-Description-Begin -->
+Specifies the name/value pair used in the policy. See the individual Area DDFs for more information about the policies available to configure.
+<!-- User-Result-{AreaName}-{PolicyName}-Description-End -->
+
+<!-- User-Result-{AreaName}-{PolicyName}-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- User-Result-{AreaName}-{PolicyName}-Editable-End -->
+
+<!-- User-Result-{AreaName}-{PolicyName}-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | null |
+| Access Type | Get |
+| Dynamic Node Naming | ServerGeneratedUniqueIdentifier |
+<!-- User-Result-{AreaName}-{PolicyName}-DFProperties-End -->
+
+<!-- User-Result-{AreaName}-{PolicyName}-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- User-Result-{AreaName}-{PolicyName}-Examples-End -->
+
+<!-- User-Result-{AreaName}-{PolicyName}-End -->
+
+## Policy Areas
+
+- [AboveLock](policy-csp-abovelock.md)
+- [Accounts](policy-csp-accounts.md)
+- [ActiveXControls](policy-csp-activexcontrols.md)
+- [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md)
+- [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md)
+- [ADMX_AdmPwd](policy-csp-admx-admpwd.md)
+- [ADMX_AppCompat](policy-csp-admx-appcompat.md)
+- [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md)
+- [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md)
+- [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md)
+- [ADMX_AuditSettings](policy-csp-admx-auditsettings.md)
+- [ADMX_Bits](policy-csp-admx-bits.md)
+- [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md)
+- [ADMX_COM](policy-csp-admx-com.md)
+- [ADMX_ControlPanel](policy-csp-admx-controlpanel.md)
+- [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md)
+- [ADMX_Cpls](policy-csp-admx-cpls.md)
+- [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md)
+- [ADMX_CredSsp](policy-csp-admx-credssp.md)
+- [ADMX_CredUI](policy-csp-admx-credui.md)
+- [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md)
+- [ADMX_DataCollection](policy-csp-admx-datacollection.md)
+- [ADMX_DCOM](policy-csp-admx-dcom.md)
+- [ADMX_Desktop](policy-csp-admx-desktop.md)
+- [ADMX_DeviceCompat](policy-csp-admx-devicecompat.md)
+- [ADMX_DeviceGuard](policy-csp-admx-deviceguard.md)
+- [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md)
+- [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md)
+- [ADMX_DFS](policy-csp-admx-dfs.md)
+- [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md)
+- [ADMX_DiskDiagnostic](policy-csp-admx-diskdiagnostic.md)
+- [ADMX_DiskNVCache](policy-csp-admx-disknvcache.md)
+- [ADMX_DiskQuota](policy-csp-admx-diskquota.md)
+- [ADMX_DistributedLinkTracking](policy-csp-admx-distributedlinktracking.md)
+- [ADMX_DnsClient](policy-csp-admx-dnsclient.md)
+- [ADMX_DWM](policy-csp-admx-dwm.md)
+- [ADMX_EAIME](policy-csp-admx-eaime.md)
+- [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md)
+- [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md)
+- [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md)
+- [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
+- [ADMX_EventLog](policy-csp-admx-eventlog.md)
+- [ADMX_EventLogging](policy-csp-admx-eventlogging.md)
+- [ADMX_EventViewer](policy-csp-admx-eventviewer.md)
+- [ADMX_Explorer](policy-csp-admx-explorer.md)
+- [ADMX_ExternalBoot](policy-csp-admx-externalboot.md)
+- [ADMX_FileRecovery](policy-csp-admx-filerecovery.md)
+- [ADMX_FileRevocation](policy-csp-admx-filerevocation.md)
+- [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
+- [ADMX_FileSys](policy-csp-admx-filesys.md)
+- [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)
+- [ADMX_FramePanes](policy-csp-admx-framepanes.md)
+- [ADMX_fthsvc](policy-csp-admx-fthsvc.md)
+- [ADMX_Globalization](policy-csp-admx-globalization.md)
+- [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md)
+- [ADMX_Help](policy-csp-admx-help.md)
+- [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md)
+- [ADMX_hotspotauth](policy-csp-admx-hotspotauth.md)
+- [ADMX_ICM](policy-csp-admx-icm.md)
+- [ADMX_IIS](policy-csp-admx-iis.md)
+- [ADMX_iSCSI](policy-csp-admx-iscsi.md)
+- [ADMX_kdc](policy-csp-admx-kdc.md)
+- [ADMX_Kerberos](policy-csp-admx-kerberos.md)
+- [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md)
+- [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md)
+- [ADMX_LeakDiagnostic](policy-csp-admx-leakdiagnostic.md)
+- [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md)
+- [ADMX_LocationProviderAdm](policy-csp-admx-locationprovideradm.md)
+- [ADMX_Logon](policy-csp-admx-logon.md)
+- [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md)
+- [ADMX_MMC](policy-csp-admx-mmc.md)
+- [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md)
+- [ADMX_MobilePCMobilityCenter](policy-csp-admx-mobilepcmobilitycenter.md)
+- [ADMX_MobilePCPresentationSettings](policy-csp-admx-mobilepcpresentationsettings.md)
+- [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md)
+- [ADMX_msched](policy-csp-admx-msched.md)
+- [ADMX_MSDT](policy-csp-admx-msdt.md)
+- [ADMX_MSI](policy-csp-admx-msi.md)
+- [ADMX_MsiFileRecovery](policy-csp-admx-msifilerecovery.md)
+- [ADMX_MSS-legacy](policy-csp-admx-mss-legacy.md)
+- [ADMX_nca](policy-csp-admx-nca.md)
+- [ADMX_NCSI](policy-csp-admx-ncsi.md)
+- [ADMX_Netlogon](policy-csp-admx-netlogon.md)
+- [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md)
+- [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md)
+- [ADMX_pca](policy-csp-admx-pca.md)
+- [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md)
+- [ADMX_PenTraining](policy-csp-admx-pentraining.md)
+- [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md)
+- [ADMX_Power](policy-csp-admx-power.md)
+- [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md)
+- [ADMX_PreviousVersions](policy-csp-admx-previousversions.md)
+- [ADMX_Printing](policy-csp-admx-printing.md)
+- [ADMX_Printing2](policy-csp-admx-printing2.md)
+- [ADMX_Programs](policy-csp-admx-programs.md)
+- [ADMX_PushToInstall](policy-csp-admx-pushtoinstall.md)
+- [ADMX_QOS](policy-csp-admx-qos.md)
+- [ADMX_Radar](policy-csp-admx-radar.md)
+- [ADMX_Reliability](policy-csp-admx-reliability.md)
+- [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md)
+- [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md)
+- [ADMX_RPC](policy-csp-admx-rpc.md)
+- [ADMX_sam](policy-csp-admx-sam.md)
+- [ADMX_Scripts](policy-csp-admx-scripts.md)
+- [ADMX_sdiageng](policy-csp-admx-sdiageng.md)
+- [ADMX_sdiagschd](policy-csp-admx-sdiagschd.md)
+- [ADMX_Securitycenter](policy-csp-admx-securitycenter.md)
+- [ADMX_Sensors](policy-csp-admx-sensors.md)
+- [ADMX_ServerManager](policy-csp-admx-servermanager.md)
+- [ADMX_Servicing](policy-csp-admx-servicing.md)
+- [ADMX_SettingSync](policy-csp-admx-settingsync.md)
+- [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md)
+- [ADMX_Sharing](policy-csp-admx-sharing.md)
+- [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md)
+- [ADMX_Smartcard](policy-csp-admx-smartcard.md)
+- [ADMX_Snmp](policy-csp-admx-snmp.md)
+- [ADMX_SoundRec](policy-csp-admx-soundrec.md)
+- [ADMX_srmfci](policy-csp-admx-srmfci.md)
+- [ADMX_StartMenu](policy-csp-admx-startmenu.md)
+- [ADMX_SystemRestore](policy-csp-admx-systemrestore.md)
+- [ADMX_TabletPCInputPanel](policy-csp-admx-tabletpcinputpanel.md)
+- [ADMX_TabletShell](policy-csp-admx-tabletshell.md)
+- [ADMX_Taskbar](policy-csp-admx-taskbar.md)
+- [ADMX_tcpip](policy-csp-admx-tcpip.md)
+- [ADMX_TerminalServer](policy-csp-admx-terminalserver.md)
+- [ADMX_Thumbnails](policy-csp-admx-thumbnails.md)
+- [ADMX_TouchInput](policy-csp-admx-touchinput.md)
+- [ADMX_TPM](policy-csp-admx-tpm.md)
+- [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md)
+- [ADMX_UserProfiles](policy-csp-admx-userprofiles.md)
+- [ADMX_W32Time](policy-csp-admx-w32time.md)
+- [ADMX_WCM](policy-csp-admx-wcm.md)
+- [ADMX_WDI](policy-csp-admx-wdi.md)
+- [ADMX_WinCal](policy-csp-admx-wincal.md)
+- [ADMX_WindowsColorSystem](policy-csp-admx-windowscolorsystem.md)
+- [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md)
+- [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md)
+- [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md)
+- [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md)
+- [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md)
+- [ADMX_WindowsStore](policy-csp-admx-windowsstore.md)
+- [ADMX_WinInit](policy-csp-admx-wininit.md)
+- [ADMX_WinLogon](policy-csp-admx-winlogon.md)
+- [ADMX_Winsrv](policy-csp-admx-winsrv.md)
+- [ADMX_wlansvc](policy-csp-admx-wlansvc.md)
+- [ADMX_WordWheel](policy-csp-admx-wordwheel.md)
+- [ADMX_WorkFoldersClient](policy-csp-admx-workfoldersclient.md)
+- [ADMX_WPN](policy-csp-admx-wpn.md)
+- [ApplicationDefaults](policy-csp-applicationdefaults.md)
+- [ApplicationManagement](policy-csp-applicationmanagement.md)
+- [AppRuntime](policy-csp-appruntime.md)
+- [AppVirtualization](policy-csp-appvirtualization.md)
+- [AttachmentManager](policy-csp-attachmentmanager.md)
+- [Audit](policy-csp-audit.md)
+- [Authentication](policy-csp-authentication.md)
+- [Autoplay](policy-csp-autoplay.md)
+- [Bitlocker](policy-csp-bitlocker.md)
+- [BITS](policy-csp-bits.md)
+- [Bluetooth](policy-csp-bluetooth.md)
+- [Browser](policy-csp-browser.md)
+- [Camera](policy-csp-camera.md)
+- [Cellular](policy-csp-cellular.md)
+- [CloudDesktop](policy-csp-clouddesktop.md)
+- [CloudPC](policy-csp-cloudpc.md)
+- [Connectivity](policy-csp-connectivity.md)
+- [ControlPolicyConflict](policy-csp-controlpolicyconflict.md)
+- [CredentialProviders](policy-csp-credentialproviders.md)
+- [CredentialsDelegation](policy-csp-credentialsdelegation.md)
+- [CredentialsUI](policy-csp-credentialsui.md)
+- [Cryptography](policy-csp-cryptography.md)
+- [DataProtection](policy-csp-dataprotection.md)
+- [DataUsage](policy-csp-datausage.md)
+- [Defender](policy-csp-defender.md)
+- [DeliveryOptimization](policy-csp-deliveryoptimization.md)
+- [Desktop](policy-csp-desktop.md)
+- [DesktopAppInstaller](policy-csp-desktopappinstaller.md)
+- [DeviceGuard](policy-csp-deviceguard.md)
+- [DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)
+- [DeviceInstallation](policy-csp-deviceinstallation.md)
+- [DeviceLock](policy-csp-devicelock.md)
+- [Display](policy-csp-display.md)
+- [DmaGuard](policy-csp-dmaguard.md)
+- [Eap](policy-csp-eap.md)
+- [Education](policy-csp-education.md)
+- [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md)
+- [ErrorReporting](policy-csp-errorreporting.md)
+- [EventLogService](policy-csp-eventlogservice.md)
+- [Experience](policy-csp-experience.md)
+- [ExploitGuard](policy-csp-exploitguard.md)
+- [FederatedAuthentication](policy-csp-federatedauthentication.md)
+- [FileExplorer](policy-csp-fileexplorer.md)
+- [Games](policy-csp-games.md)
+- [Handwriting](policy-csp-handwriting.md)
+- [HumanPresence](policy-csp-humanpresence.md)
+- [InternetExplorer](policy-csp-internetexplorer.md)
+- [Kerberos](policy-csp-kerberos.md)
+- [KioskBrowser](policy-csp-kioskbrowser.md)
+- [LanmanWorkstation](policy-csp-lanmanworkstation.md)
+- [Licensing](policy-csp-licensing.md)
+- [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
+- [LocalSecurityAuthority](policy-csp-lsa.md)
+- [LocalUsersAndGroups](policy-csp-localusersandgroups.md)
+- [LockDown](policy-csp-lockdown.md)
+- [Maps](policy-csp-maps.md)
+- [MemoryDump](policy-csp-memorydump.md)
+- [Messaging](policy-csp-messaging.md)
+- [MixedReality](policy-csp-mixedreality.md)
+- [MSSecurityGuide](policy-csp-mssecurityguide.md)
+- [MSSLegacy](policy-csp-msslegacy.md)
+- [Multitasking](policy-csp-multitasking.md)
+- [NetworkIsolation](policy-csp-networkisolation.md)
+- [NetworkListManager](policy-csp-networklistmanager.md)
+- [NewsAndInterests](policy-csp-newsandinterests.md)
+- [Notifications](policy-csp-notifications.md)
+- [Power](policy-csp-power.md)
+- [Printers](policy-csp-printers.md)
+- [Privacy](policy-csp-privacy.md)
+- [RemoteAssistance](policy-csp-remoteassistance.md)
+- [RemoteDesktop](policy-csp-remotedesktop.md)
+- [RemoteDesktopServices](policy-csp-remotedesktopservices.md)
+- [RemoteManagement](policy-csp-remotemanagement.md)
+- [RemoteProcedureCall](policy-csp-remoteprocedurecall.md)
+- [RemoteShell](policy-csp-remoteshell.md)
+- [RestrictedGroups](policy-csp-restrictedgroups.md)
+- [Search](policy-csp-search.md)
+- [Security](policy-csp-security.md)
+- [ServiceControlManager](policy-csp-servicecontrolmanager.md)
+- [Settings](policy-csp-settings.md)
+- [SettingsSync](policy-csp-settingssync.md)
+- [SmartScreen](policy-csp-smartscreen.md)
+- [Speech](policy-csp-speech.md)
+- [Start](policy-csp-start.md)
+- [Stickers](policy-csp-stickers.md)
+- [Storage](policy-csp-storage.md)
+- [System](policy-csp-system.md)
+- [SystemServices](policy-csp-systemservices.md)
+- [TaskManager](policy-csp-taskmanager.md)
+- [TaskScheduler](policy-csp-taskscheduler.md)
+- [TenantDefinedTelemetry](policy-csp-tenantdefinedtelemetry.md)
+- [TenantRestrictions](policy-csp-tenantrestrictions.md)
+- [TextInput](policy-csp-textinput.md)
+- [TimeLanguageSettings](policy-csp-timelanguagesettings.md)
+- [Troubleshooting](policy-csp-troubleshooting.md)
+- [Update](policy-csp-update.md)
+- [UserRights](policy-csp-userrights.md)
+- [VirtualizationBasedTechnology](policy-csp-virtualizationbasedtechnology.md)
+- [WebThreatDefense](policy-csp-webthreatdefense.md)
+- [Wifi](policy-csp-wifi.md)
+- [WindowsAutopilot](policy-csp-windowsautopilot.md)
+- [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md)
+- [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md)
+- [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
+- [WindowsLogon](policy-csp-windowslogon.md)
+- [WindowsPowerShell](policy-csp-windowspowershell.md)
+- [WindowsSandbox](policy-csp-windowssandbox.md)
+- [WirelessDisplay](policy-csp-wirelessdisplay.md)
+<!-- Policy-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Policy-CspMoreInfo-End -->
+
+<!-- Policy-End -->
+
+## Related articles
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index fb87086127..d0febc03b7 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -4,11 +4,11 @@ description: Learn the various AboveLock Policy configuration service provider (
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 0d954b6ce2..e2ccc30eb8 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -4,11 +4,11 @@ description: Learn about the Accounts policy configuration service provider (CSP
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md
index 1d4622f2a0..02246616a5 100644
--- a/windows/client-management/mdm/policy-csp-activexcontrols.md
+++ b/windows/client-management/mdm/policy-csp-activexcontrols.md
@@ -4,11 +4,11 @@ description: Learn about various Policy configuration service provider (CSP) - A
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
index b662095255..b22227cbb1 100644
--- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
+++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_ActiveXInstallService.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
index b0c02a20be..ea465b599b 100644
--- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -3,12 +3,12 @@ title: Policy CSP - ADMX_AddRemovePrograms
 description: Learn about the Policy CSP - ADMX_AddRemovePrograms.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 08/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md
index b547275475..10d49435e9 100644
--- a/windows/client-management/mdm/policy-csp-admx-admpwd.md
+++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_AdmPwd.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
index 105ba68dc0..0bb445f4ed 100644
--- a/windows/client-management/mdm/policy-csp-admx-appcompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -3,12 +3,12 @@ title: Policy CSP - ADMX_AppCompat
 description: Policy CSP - ADMX_AppCompat
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 08/20/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
index 5be0699237..5659355a4b 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_AppxPackageManager.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/10/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
index 6945c88082..e021af18bf 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_AppXRuntime.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/10/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
index dc354f8316..f495e736eb 100644
--- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_AttachmentManager.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/10/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
index f5ad2d0813..ba2080b6b3 100644
--- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_AuditSettings.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md
index f98c34b660..d60708eecf 100644
--- a/windows/client-management/mdm/policy-csp-admx-bits.md
+++ b/windows/client-management/mdm/policy-csp-admx-bits.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_Bits.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/20/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
index 6132be8c82..8b03be11b7 100644
--- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
+++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_CipherSuiteOrder.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/17/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md
index 6da4cdd113..e98e447d36 100644
--- a/windows/client-management/mdm/policy-csp-admx-com.md
+++ b/windows/client-management/mdm/policy-csp-admx-com.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_COM.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/18/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
index 862fe73075..859b2de089 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_ControlPanel.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/05/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index 8f8832d0ec..059b11b086 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_ControlPanelDisplay.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/05/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md
index 6c4bdbeeff..481b2ebb18 100644
--- a/windows/client-management/mdm/policy-csp-admx-cpls.md
+++ b/windows/client-management/mdm/policy-csp-admx-cpls.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_Cpls.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/26/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
index f6809b9436..ab23b0a57d 100644
--- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_CredentialProviders.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/11/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md
index f1b75f5a96..eb460250a1 100644
--- a/windows/client-management/mdm/policy-csp-admx-credssp.md
+++ b/windows/client-management/mdm/policy-csp-admx-credssp.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_CredSsp.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/12/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md
index 6aa7b55b5a..9aba18f299 100644
--- a/windows/client-management/mdm/policy-csp-admx-credui.md
+++ b/windows/client-management/mdm/policy-csp-admx-credui.md
@@ -4,11 +4,11 @@ description: Learn about  the Policy CSP - ADMX_CredUI.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
index 73f891da05..80a8a8f0fd 100644
--- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
+++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_CtrlAltDel.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/26/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md
index 8dcae17f39..657cdef18f 100644
--- a/windows/client-management/mdm/policy-csp-admx-datacollection.md
+++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_DataCollection.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/01/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md
index d4623becb6..16739693a2 100644
--- a/windows/client-management/mdm/policy-csp-admx-dcom.md
+++ b/windows/client-management/mdm/policy-csp-admx-dcom.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_DCOM.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/08/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md
index 1320fc35aa..7948964398 100644
--- a/windows/client-management/mdm/policy-csp-admx-desktop.md
+++ b/windows/client-management/mdm/policy-csp-admx-desktop.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Desktop.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/02/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
index d8991a7af5..4391477405 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DeviceCompat.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/09/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
index 423d86f64c..07d87543fe 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DeviceGuard.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/08/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
index b52f76b792..4ec0b160fd 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DeviceInstallation.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/19/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
index f29a552897..75d6ef18bf 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DeviceSetup.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/19/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md
index 7a5e7d8921..e40ed73aad 100644
--- a/windows/client-management/mdm/policy-csp-admx-dfs.md
+++ b/windows/client-management/mdm/policy-csp-admx-dfs.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DFS.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/08/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
index d8489566b1..90522018ee 100644
--- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md
+++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DigitalLocker.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/31/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
index f2f068f538..9c83d784c0 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DiskDiagnostic.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/08/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
index d74c45064e..679efe6819 100644
--- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md
+++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DiskNVCache.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/12/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md
index eca5056fc8..35d3111b03 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskquota.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DiskQuota.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/12/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
index d4544fc733..2f3c8c7fb5 100644
--- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
+++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DistributedLinkTracking.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/22/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index 4472593a26..282156487a 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DnsClient.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/12/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md
index 8c02ae060e..0d52811a07 100644
--- a/windows/client-management/mdm/policy-csp-admx-dwm.md
+++ b/windows/client-management/mdm/policy-csp-admx-dwm.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_DWM.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/31/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md
index 3a7ebf1a7f..4463e3732f 100644
--- a/windows/client-management/mdm/policy-csp-admx-eaime.md
+++ b/windows/client-management/mdm/policy-csp-admx-eaime.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_EAIME.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/19/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
index f3b2d488de..3e68fe88f8 100644
--- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
+++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_EncryptFilesonMove.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/02/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
index 6fe53816f6..c8a720e1e6 100644
--- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_EnhancedStorage.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
index 4179f9e954..3eb7a233ee 100644
--- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_ErrorReporting.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
index 5e65d7883b..227a9dfb49 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_EventForwarding.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/17/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md
index 67892620cd..c16f154c2f 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventlog.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_EventLog.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/01/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md
index 2ab2eeaca2..f4391621bc 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_EventLogging.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/12/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md
index 5745240332..813b284d14 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_EventViewer.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/13/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md
index 010a1a10ef..c4a13d5154 100644
--- a/windows/client-management/mdm/policy-csp-admx-explorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-explorer.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_Explorer.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/08/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md
index 62cc01fcfd..e86fe56c4b 100644
--- a/windows/client-management/mdm/policy-csp-admx-externalboot.md
+++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md
@@ -3,12 +3,12 @@ title: Policy CSP - ADMX_ExternalBoot
 description: Learn about the Policy CSP - ADMX_ExternalBoot.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/13/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
index 8ea5d19c93..88de0a6413 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_FileRecovery.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/24/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
index e35b11f6d0..7707136130 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_FileRevocation.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/13/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
index 19ebcb25d5..ffb6a56824 100644
--- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
+++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_FileServerVSSProvider.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/02/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
index 7cb1659741..89ca799f8e 100644
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_FileSys.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/02/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
index c61d424741..9098d1152d 100644
--- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md
+++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_FolderRedirection.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/02/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md
index af389b9bdc..5e1a31bd4d 100644
--- a/windows/client-management/mdm/policy-csp-admx-framepanes.md
+++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_FramePanes.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/14/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md
index 47dbc15310..6d52f5da19 100644
--- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md
+++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_FTHSVC.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/15/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md
index a16529e681..663d447e5d 100644
--- a/windows/client-management/mdm/policy-csp-admx-globalization.md
+++ b/windows/client-management/mdm/policy-csp-admx-globalization.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_Globalization.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/14/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
index 63c71fdaa6..cc8dec4cff 100644
--- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_GroupPolicy.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/21/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md
index ede437e273..80b40e5fdd 100644
--- a/windows/client-management/mdm/policy-csp-admx-help.md
+++ b/windows/client-management/mdm/policy-csp-admx-help.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_Help.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/03/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
index 49ba7126b9..f4b99642f1 100644
--- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
+++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_HelpAndSupport.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/03/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
index 4f686073ae..56106a030b 100644
--- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
+++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_HotSpotAuth.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/15/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md
index 50119589b1..757dd29c41 100644
--- a/windows/client-management/mdm/policy-csp-admx-icm.md
+++ b/windows/client-management/mdm/policy-csp-admx-icm.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_ICM.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/17/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md
index 737fc0a2a1..9310adaf97 100644
--- a/windows/client-management/mdm/policy-csp-admx-iis.md
+++ b/windows/client-management/mdm/policy-csp-admx-iis.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_IIS.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/17/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md
index 7fa8e61ea4..44fac81071 100644
--- a/windows/client-management/mdm/policy-csp-admx-iscsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_iSCSI.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/17/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md
index c8acf4a019..c0cab32903 100644
--- a/windows/client-management/mdm/policy-csp-admx-kdc.md
+++ b/windows/client-management/mdm/policy-csp-admx-kdc.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_kdc.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md
index 586d3b63ab..3838c7a105 100644
--- a/windows/client-management/mdm/policy-csp-admx-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_Kerberos.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/12/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
index 38ccfc6a29..4f59845591 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_LanmanServer.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
index 728720ca70..7d6f194bfc 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_LanmanWorkstation.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/08/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
index 08ee559f99..665083e58a 100644
--- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - ADMX_LeakDiagnostic.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/17/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
index f63de1ae5b..2360df199e 100644
--- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_LinkLayerTopologyDiscovery.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/04/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
index 7552129f46..ef3c5aaed0 100644
--- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
+++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_LocationProviderAdm.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/20/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md
index f8a8aefb1f..636ace2a3b 100644
--- a/windows/client-management/mdm/policy-csp-admx-logon.md
+++ b/windows/client-management/mdm/policy-csp-admx-logon.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Logon.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/21/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index f15a6eeac0..db7d591d25 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MicrosoftDefenderAntivirus.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/19/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md
index ceef59b3eb..cde0000329 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmc.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmc.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MMC.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/03/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
index 55e94494f7..ccb7e6b2d6 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MMCSnapins.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
index 3de6bfa7fe..a6dc221389 100644
--- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MobilePCMobilityCenter.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/20/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
index 2fa545031f..1fefcaa209 100644
--- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MobilePCPresentationSettings.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/20/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
index f5dcb18fd2..1c084d9952 100644
--- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MSAPolicy.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/14/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md
index 98fe49b298..8376d30476 100644
--- a/windows/client-management/mdm/policy-csp-admx-msched.md
+++ b/windows/client-management/mdm/policy-csp-admx-msched.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_msched.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/08/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md
index 110b7c8cf8..4b04ef6231 100644
--- a/windows/client-management/mdm/policy-csp-admx-msdt.md
+++ b/windows/client-management/mdm/policy-csp-admx-msdt.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MSDT.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md
index 6a85538f3e..bb0ca20459 100644
--- a/windows/client-management/mdm/policy-csp-admx-msi.md
+++ b/windows/client-management/mdm/policy-csp-admx-msi.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MSI.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/16/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
index 307d2be7cd..12ddc63f8c 100644
--- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_MsiFileRecovery.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/20/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-mss-legacy.md b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
new file mode 100644
index 0000000000..a22c707db1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-mss-legacy.md
@@ -0,0 +1,812 @@
+---
+title: ADMX_MSS-legacy Policy CSP
+description: Learn more about the ADMX_MSS-legacy Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- ADMX_MSS-legacy-Begin -->
+# Policy CSP - ADMX_MSS-legacy
+
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!-- ADMX_MSS-legacy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ADMX_MSS-legacy-Editable-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-Begin -->
+## Pol_MSS_AutoAdminLogon
+
+<!-- Pol_MSS_AutoAdminLogon-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_AutoAdminLogon-Applicability-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoAdminLogon
+```
+<!-- Pol_MSS_AutoAdminLogon-OmaUri-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_AutoAdminLogon-Description-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Enable Automatic Logon (not recommended).
+<!-- Pol_MSS_AutoAdminLogon-Editable-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_AutoAdminLogon-DFProperties-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_AutoAdminLogon-AdmxBacked-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_AutoAdminLogon-Examples-End -->
+
+<!-- Pol_MSS_AutoAdminLogon-End -->
+
+<!-- Pol_MSS_AutoReboot-Begin -->
+## Pol_MSS_AutoReboot
+
+<!-- Pol_MSS_AutoReboot-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_AutoReboot-Applicability-End -->
+
+<!-- Pol_MSS_AutoReboot-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoReboot
+```
+<!-- Pol_MSS_AutoReboot-OmaUri-End -->
+
+<!-- Pol_MSS_AutoReboot-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_AutoReboot-Description-End -->
+
+<!-- Pol_MSS_AutoReboot-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Allow Windows to automatically restart after a system crash (recommended except for highly secure environments).
+<!-- Pol_MSS_AutoReboot-Editable-End -->
+
+<!-- Pol_MSS_AutoReboot-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_AutoReboot-DFProperties-End -->
+
+<!-- Pol_MSS_AutoReboot-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_AutoReboot-AdmxBacked-End -->
+
+<!-- Pol_MSS_AutoReboot-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_AutoReboot-Examples-End -->
+
+<!-- Pol_MSS_AutoReboot-End -->
+
+<!-- Pol_MSS_AutoShareServer-Begin -->
+## Pol_MSS_AutoShareServer
+
+<!-- Pol_MSS_AutoShareServer-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_AutoShareServer-Applicability-End -->
+
+<!-- Pol_MSS_AutoShareServer-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareServer
+```
+<!-- Pol_MSS_AutoShareServer-OmaUri-End -->
+
+<!-- Pol_MSS_AutoShareServer-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_AutoShareServer-Description-End -->
+
+<!-- Pol_MSS_AutoShareServer-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Enable administrative shares on servers (recommended except for highly secure environments).
+<!-- Pol_MSS_AutoShareServer-Editable-End -->
+
+<!-- Pol_MSS_AutoShareServer-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_AutoShareServer-DFProperties-End -->
+
+<!-- Pol_MSS_AutoShareServer-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_AutoShareServer-AdmxBacked-End -->
+
+<!-- Pol_MSS_AutoShareServer-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_AutoShareServer-Examples-End -->
+
+<!-- Pol_MSS_AutoShareServer-End -->
+
+<!-- Pol_MSS_AutoShareWks-Begin -->
+## Pol_MSS_AutoShareWks
+
+<!-- Pol_MSS_AutoShareWks-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_AutoShareWks-Applicability-End -->
+
+<!-- Pol_MSS_AutoShareWks-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_AutoShareWks
+```
+<!-- Pol_MSS_AutoShareWks-OmaUri-End -->
+
+<!-- Pol_MSS_AutoShareWks-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_AutoShareWks-Description-End -->
+
+<!-- Pol_MSS_AutoShareWks-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Enable administrative shares on workstations (recommended except for highly secure environments).
+<!-- Pol_MSS_AutoShareWks-Editable-End -->
+
+<!-- Pol_MSS_AutoShareWks-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_AutoShareWks-DFProperties-End -->
+
+<!-- Pol_MSS_AutoShareWks-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_AutoShareWks-AdmxBacked-End -->
+
+<!-- Pol_MSS_AutoShareWks-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_AutoShareWks-Examples-End -->
+
+<!-- Pol_MSS_AutoShareWks-End -->
+
+<!-- Pol_MSS_DisableSavePassword-Begin -->
+## Pol_MSS_DisableSavePassword
+
+<!-- Pol_MSS_DisableSavePassword-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_DisableSavePassword-Applicability-End -->
+
+<!-- Pol_MSS_DisableSavePassword-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_DisableSavePassword
+```
+<!-- Pol_MSS_DisableSavePassword-OmaUri-End -->
+
+<!-- Pol_MSS_DisableSavePassword-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_DisableSavePassword-Description-End -->
+
+<!-- Pol_MSS_DisableSavePassword-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Pol_MSS_DisableSavePassword-Editable-End -->
+
+<!-- Pol_MSS_DisableSavePassword-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_DisableSavePassword-DFProperties-End -->
+
+<!-- Pol_MSS_DisableSavePassword-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_DisableSavePassword-AdmxBacked-End -->
+
+<!-- Pol_MSS_DisableSavePassword-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+Prevent the dial-up password from being saved (recommended).
+<!-- Pol_MSS_DisableSavePassword-Examples-End -->
+
+<!-- Pol_MSS_DisableSavePassword-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-Begin -->
+## Pol_MSS_EnableDeadGWDetect
+
+<!-- Pol_MSS_EnableDeadGWDetect-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_EnableDeadGWDetect-Applicability-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_EnableDeadGWDetect
+```
+<!-- Pol_MSS_EnableDeadGWDetect-OmaUri-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_EnableDeadGWDetect-Description-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Allow automatic detection of dead network gateways (could lead to DoS).
+<!-- Pol_MSS_EnableDeadGWDetect-Editable-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_EnableDeadGWDetect-DFProperties-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_EnableDeadGWDetect-AdmxBacked-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_EnableDeadGWDetect-Examples-End -->
+
+<!-- Pol_MSS_EnableDeadGWDetect-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-Begin -->
+## Pol_MSS_HideFromBrowseList
+
+<!-- Pol_MSS_HideFromBrowseList-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_HideFromBrowseList-Applicability-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_HideFromBrowseList
+```
+<!-- Pol_MSS_HideFromBrowseList-OmaUri-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_HideFromBrowseList-Description-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Hide Computer From the Browse List (not recommended except for highly secure environments).
+<!-- Pol_MSS_HideFromBrowseList-Editable-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_HideFromBrowseList-DFProperties-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_HideFromBrowseList-AdmxBacked-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_HideFromBrowseList-Examples-End -->
+
+<!-- Pol_MSS_HideFromBrowseList-End -->
+
+<!-- Pol_MSS_KeepAliveTime-Begin -->
+## Pol_MSS_KeepAliveTime
+
+<!-- Pol_MSS_KeepAliveTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_KeepAliveTime-Applicability-End -->
+
+<!-- Pol_MSS_KeepAliveTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_KeepAliveTime
+```
+<!-- Pol_MSS_KeepAliveTime-OmaUri-End -->
+
+<!-- Pol_MSS_KeepAliveTime-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_KeepAliveTime-Description-End -->
+
+<!-- Pol_MSS_KeepAliveTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Define how often keep-alive packets are sent in milliseconds.
+<!-- Pol_MSS_KeepAliveTime-Editable-End -->
+
+<!-- Pol_MSS_KeepAliveTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_KeepAliveTime-DFProperties-End -->
+
+<!-- Pol_MSS_KeepAliveTime-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_KeepAliveTime-AdmxBacked-End -->
+
+<!-- Pol_MSS_KeepAliveTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_KeepAliveTime-Examples-End -->
+
+<!-- Pol_MSS_KeepAliveTime-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-Begin -->
+## Pol_MSS_NoDefaultExempt
+
+<!-- Pol_MSS_NoDefaultExempt-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_NoDefaultExempt-Applicability-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NoDefaultExempt
+```
+<!-- Pol_MSS_NoDefaultExempt-OmaUri-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_NoDefaultExempt-Description-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Configure IPSec exemptions for various types of network traffic.
+<!-- Pol_MSS_NoDefaultExempt-Editable-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_NoDefaultExempt-DFProperties-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_NoDefaultExempt-AdmxBacked-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_NoDefaultExempt-Examples-End -->
+
+<!-- Pol_MSS_NoDefaultExempt-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Begin -->
+## Pol_MSS_NtfsDisable8dot3NameCreation
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Applicability-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_NtfsDisable8dot3NameCreation
+```
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-OmaUri-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Description-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Enable the computer to stop generating 8.3 style filenames.
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Editable-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-DFProperties-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-AdmxBacked-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-Examples-End -->
+
+<!-- Pol_MSS_NtfsDisable8dot3NameCreation-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-Begin -->
+## Pol_MSS_PerformRouterDiscovery
+
+<!-- Pol_MSS_PerformRouterDiscovery-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_PerformRouterDiscovery-Applicability-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_PerformRouterDiscovery
+```
+<!-- Pol_MSS_PerformRouterDiscovery-OmaUri-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_PerformRouterDiscovery-Description-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+ Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS).
+<!-- Pol_MSS_PerformRouterDiscovery-Editable-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_PerformRouterDiscovery-DFProperties-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_PerformRouterDiscovery-AdmxBacked-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_PerformRouterDiscovery-Examples-End -->
+
+<!-- Pol_MSS_PerformRouterDiscovery-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-Begin -->
+## Pol_MSS_SafeDllSearchMode
+
+<!-- Pol_MSS_SafeDllSearchMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_SafeDllSearchMode-Applicability-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SafeDllSearchMode
+```
+<!-- Pol_MSS_SafeDllSearchMode-OmaUri-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_SafeDllSearchMode-Description-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Enable Safe DLL search mode (recommended).
+<!-- Pol_MSS_SafeDllSearchMode-Editable-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_SafeDllSearchMode-DFProperties-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_SafeDllSearchMode-AdmxBacked-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_SafeDllSearchMode-Examples-End -->
+
+<!-- Pol_MSS_SafeDllSearchMode-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-Begin -->
+## Pol_MSS_ScreenSaverGracePeriod
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_ScreenSaverGracePeriod-Applicability-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_ScreenSaverGracePeriod
+```
+<!-- Pol_MSS_ScreenSaverGracePeriod-OmaUri-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_ScreenSaverGracePeriod-Description-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+he time in seconds before the screen saver grace period expires (0 recommended).
+<!-- Pol_MSS_ScreenSaverGracePeriod-Editable-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_ScreenSaverGracePeriod-DFProperties-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_ScreenSaverGracePeriod-AdmxBacked-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_ScreenSaverGracePeriod-Examples-End -->
+
+<!-- Pol_MSS_ScreenSaverGracePeriod-End -->
+
+<!-- Pol_MSS_SynAttackProtect-Begin -->
+## Pol_MSS_SynAttackProtect
+
+<!-- Pol_MSS_SynAttackProtect-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_SynAttackProtect-Applicability-End -->
+
+<!-- Pol_MSS_SynAttackProtect-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_SynAttackProtect
+```
+<!-- Pol_MSS_SynAttackProtect-OmaUri-End -->
+
+<!-- Pol_MSS_SynAttackProtect-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_SynAttackProtect-Description-End -->
+
+<!-- Pol_MSS_SynAttackProtect-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Syn attack protection level (protects against DoS).
+<!-- Pol_MSS_SynAttackProtect-Editable-End -->
+
+<!-- Pol_MSS_SynAttackProtect-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_SynAttackProtect-DFProperties-End -->
+
+<!-- Pol_MSS_SynAttackProtect-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_SynAttackProtect-AdmxBacked-End -->
+
+<!-- Pol_MSS_SynAttackProtect-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_SynAttackProtect-Examples-End -->
+
+<!-- Pol_MSS_SynAttackProtect-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Begin -->
+## Pol_MSS_TcpMaxConnectResponseRetransmissions
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Applicability-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxConnectResponseRetransmissions
+```
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-OmaUri-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Description-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+SYN-ACK retransmissions when a connection request is not acknowledged.
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Editable-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-DFProperties-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-AdmxBacked-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-Examples-End -->
+
+<!-- Pol_MSS_TcpMaxConnectResponseRetransmissions-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Begin -->
+## Pol_MSS_TcpMaxDataRetransmissions
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Applicability-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissions
+```
+<!-- Pol_MSS_TcpMaxDataRetransmissions-OmaUri-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Description-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default).
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Editable-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_TcpMaxDataRetransmissions-DFProperties-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_TcpMaxDataRetransmissions-AdmxBacked-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_TcpMaxDataRetransmissions-Examples-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissions-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Begin -->
+## Pol_MSS_TcpMaxDataRetransmissionsIPv6
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Applicability-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_TcpMaxDataRetransmissionsIPv6
+```
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-OmaUri-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Description-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Define how many times unacknowledged data is retransmitted (3 recommended, 5 is default).
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Editable-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-DFProperties-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-AdmxBacked-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-Examples-End -->
+
+<!-- Pol_MSS_TcpMaxDataRetransmissionsIPv6-End -->
+
+<!-- Pol_MSS_WarningLevel-Begin -->
+## Pol_MSS_WarningLevel
+
+<!-- Pol_MSS_WarningLevel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Pol_MSS_WarningLevel-Applicability-End -->
+
+<!-- Pol_MSS_WarningLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_MSS-legacy/Pol_MSS_WarningLevel
+```
+<!-- Pol_MSS_WarningLevel-OmaUri-End -->
+
+<!-- Pol_MSS_WarningLevel-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- Pol_MSS_WarningLevel-Description-End -->
+
+<!-- Pol_MSS_WarningLevel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Percentage threshold for the security event log at which the system will generate a warning.
+<!-- Pol_MSS_WarningLevel-Editable-End -->
+
+<!-- Pol_MSS_WarningLevel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Pol_MSS_WarningLevel-DFProperties-End -->
+
+<!-- Pol_MSS_WarningLevel-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- Pol_MSS_WarningLevel-AdmxBacked-End -->
+
+<!-- Pol_MSS_WarningLevel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Pol_MSS_WarningLevel-Examples-End -->
+
+<!-- Pol_MSS_WarningLevel-End -->
+
+<!-- ADMX_MSS-legacy-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- ADMX_MSS-legacy-CspMoreInfo-End -->
+
+<!-- ADMX_MSS-legacy-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index 0c551f8352..a2a46c2c76 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_nca
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/14/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 0702a77423..852728fcd1 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_NCSI.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/14/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md
index 476acdccaf..22d8f1fe5a 100644
--- a/windows/client-management/mdm/policy-csp-admx-netlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Netlogon.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/15/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
index 036ada6705..c027b216d6 100644
--- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md
+++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_NetworkConnections.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/21/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index 7f67e4fe84..3105a17fd2 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_OfflineFiles.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/21/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md
index 359ce758a3..1efbbae1cd 100644
--- a/windows/client-management/mdm/policy-csp-admx-pca.md
+++ b/windows/client-management/mdm/policy-csp-admx-pca.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_pca.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/20/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
index 8be37f91ec..b3727a7219 100644
--- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
+++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_PeerToPeerCaching.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/16/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md
index 9c80f44388..b097ae7f99 100644
--- a/windows/client-management/mdm/policy-csp-admx-pentraining.md
+++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_PenTraining.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/22/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
index b665754614..e3cb20c6c1 100644
--- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
+++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_PerformanceDiagnostics.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/16/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md
index 072280236a..e43327ec72 100644
--- a/windows/client-management/mdm/policy-csp-admx-power.md
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Power.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/22/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
index 0df72059e5..5659a2f23c 100644
--- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_PowerShellExecutionPolicy.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/26/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md
index 236b8197d1..4f35241526 100644
--- a/windows/client-management/mdm/policy-csp-admx-previousversions.md
+++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_PreviousVersions
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/01/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
index cd49466b59..3728163906 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Printing.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/15/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md
index 0c9c1071c5..0b8ff6c5be 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing2.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing2.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Printing2.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/15/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md
index 73ecf3f28a..228cd52bf6 100644
--- a/windows/client-management/mdm/policy-csp-admx-programs.md
+++ b/windows/client-management/mdm/policy-csp-admx-programs.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Programs.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/01/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
index c70f47a5c0..3efeeafc81 100644
--- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
+++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_PushToInstall.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/01/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-qos.md b/windows/client-management/mdm/policy-csp-admx-qos.md
new file mode 100644
index 0000000000..615fe1f468
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-qos.md
@@ -0,0 +1,1145 @@
+---
+title: ADMX_QOS Policy CSP
+description: Learn more about the ADMX_QOS Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- ADMX_QOS-Begin -->
+# Policy CSP - ADMX_QOS
+
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!-- ADMX_QOS-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ADMX_QOS-Editable-End -->
+
+<!-- QosMaxOutstandingSends-Begin -->
+## QosMaxOutstandingSends
+
+<!-- QosMaxOutstandingSends-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosMaxOutstandingSends-Applicability-End -->
+
+<!-- QosMaxOutstandingSends-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosMaxOutstandingSends
+```
+<!-- QosMaxOutstandingSends-OmaUri-End -->
+
+<!-- QosMaxOutstandingSends-Description-Begin -->
+Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls below this limit.
+
+"Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapter for transmission, but which have not yet been sent.
+
+If you enable this setting, you can limit the number of outstanding packets.
+
+If you disable this setting or do not configure it, then the setting has no effect on the system.
+
+Important: If the maximum number of outstanding packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosMaxOutstandingSends-Description-End -->
+
+<!-- QosMaxOutstandingSends-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosMaxOutstandingSends-Editable-End -->
+
+<!-- QosMaxOutstandingSends-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosMaxOutstandingSends-DFProperties-End -->
+
+<!-- QosMaxOutstandingSends-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosMaxOutstandingSends |
+| Friendly Name | Limit outstanding packets |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched |
+| ADMX File Name | QOS.admx |
+<!-- QosMaxOutstandingSends-AdmxBacked-End -->
+
+<!-- QosMaxOutstandingSends-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosMaxOutstandingSends-Examples-End -->
+
+<!-- QosMaxOutstandingSends-End -->
+
+<!-- QosNonBestEffortLimit-Begin -->
+## QosNonBestEffortLimit
+
+<!-- QosNonBestEffortLimit-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosNonBestEffortLimit-Applicability-End -->
+
+<!-- QosNonBestEffortLimit-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosNonBestEffortLimit
+```
+<!-- QosNonBestEffortLimit-OmaUri-End -->
+
+<!-- QosNonBestEffortLimit-Description-Begin -->
+Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservations of all programs running on the system.
+
+By default, the Packet Scheduler limits the system to 80 percent of the bandwidth of a connection, but you can use this setting to override the default.
+
+If you enable this setting, you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve.
+
+If you disable this setting or do not configure it, the system uses the default value of 80 percent of the connection.
+
+Important: If a bandwidth limit is set for a particular network adapter in the registry, this setting is ignored when configuring that network adapter.
+<!-- QosNonBestEffortLimit-Description-End -->
+
+<!-- QosNonBestEffortLimit-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosNonBestEffortLimit-Editable-End -->
+
+<!-- QosNonBestEffortLimit-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosNonBestEffortLimit-DFProperties-End -->
+
+<!-- QosNonBestEffortLimit-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosNonBestEffortLimit |
+| Friendly Name | Limit reservable bandwidth |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched |
+| ADMX File Name | QOS.admx |
+<!-- QosNonBestEffortLimit-AdmxBacked-End -->
+
+<!-- QosNonBestEffortLimit-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosNonBestEffortLimit-Examples-End -->
+
+<!-- QosNonBestEffortLimit-End -->
+
+<!-- QosServiceTypeBestEffort_C-Begin -->
+## QosServiceTypeBestEffort_C
+
+<!-- QosServiceTypeBestEffort_C-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeBestEffort_C-Applicability-End -->
+
+<!-- QosServiceTypeBestEffort_C-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_C
+```
+<!-- QosServiceTypeBestEffort_C-OmaUri-End -->
+
+<!-- QosServiceTypeBestEffort_C-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.
+
+If you disable this setting, the system uses the default DSCP value of 0.
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeBestEffort_C-Description-End -->
+
+<!-- QosServiceTypeBestEffort_C-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeBestEffort_C-Editable-End -->
+
+<!-- QosServiceTypeBestEffort_C-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeBestEffort_C-DFProperties-End -->
+
+<!-- QosServiceTypeBestEffort_C-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeBestEffort_C |
+| Friendly Name | Best effort service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeBestEffort_C-AdmxBacked-End -->
+
+<!-- QosServiceTypeBestEffort_C-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeBestEffort_C-Examples-End -->
+
+<!-- QosServiceTypeBestEffort_C-End -->
+
+<!-- QosServiceTypeBestEffort_NC-Begin -->
+## QosServiceTypeBestEffort_NC
+
+<!-- QosServiceTypeBestEffort_NC-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeBestEffort_NC-Applicability-End -->
+
+<!-- QosServiceTypeBestEffort_NC-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_NC
+```
+<!-- QosServiceTypeBestEffort_NC-OmaUri-End -->
+
+<!-- QosServiceTypeBestEffort_NC-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that do not conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Best Effort service type.
+
+If you disable this setting, the system uses the default DSCP value of 0.
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeBestEffort_NC-Description-End -->
+
+<!-- QosServiceTypeBestEffort_NC-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeBestEffort_NC-Editable-End -->
+
+<!-- QosServiceTypeBestEffort_NC-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeBestEffort_NC-DFProperties-End -->
+
+<!-- QosServiceTypeBestEffort_NC-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeBestEffort_NC |
+| Friendly Name | Best effort service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeBestEffort_NC-AdmxBacked-End -->
+
+<!-- QosServiceTypeBestEffort_NC-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeBestEffort_NC-Examples-End -->
+
+<!-- QosServiceTypeBestEffort_NC-End -->
+
+<!-- QosServiceTypeBestEffort_PV-Begin -->
+## QosServiceTypeBestEffort_PV
+
+<!-- QosServiceTypeBestEffort_PV-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeBestEffort_PV-Applicability-End -->
+
+<!-- QosServiceTypeBestEffort_PV-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeBestEffort_PV
+```
+<!-- QosServiceTypeBestEffort_PV-OmaUri-End -->
+
+<!-- QosServiceTypeBestEffort_PV-Description-Begin -->
+Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.
+
+If you enable this setting, you can change the default priority value associated with the Best Effort service type.
+
+If you disable this setting, the system uses the default priority value of 0.
+
+Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeBestEffort_PV-Description-End -->
+
+<!-- QosServiceTypeBestEffort_PV-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeBestEffort_PV-Editable-End -->
+
+<!-- QosServiceTypeBestEffort_PV-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeBestEffort_PV-DFProperties-End -->
+
+<!-- QosServiceTypeBestEffort_PV-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeBestEffort_PV |
+| Friendly Name | Best effort service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > Layer-2 priority value |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeBestEffort_PV-AdmxBacked-End -->
+
+<!-- QosServiceTypeBestEffort_PV-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeBestEffort_PV-Examples-End -->
+
+<!-- QosServiceTypeBestEffort_PV-End -->
+
+<!-- QosServiceTypeControlledLoad_C-Begin -->
+## QosServiceTypeControlledLoad_C
+
+<!-- QosServiceTypeControlledLoad_C-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeControlledLoad_C-Applicability-End -->
+
+<!-- QosServiceTypeControlledLoad_C-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_C
+```
+<!-- QosServiceTypeControlledLoad_C-OmaUri-End -->
+
+<!-- QosServiceTypeControlledLoad_C-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type.
+
+If you disable this setting, the system uses the default DSCP value of 24 (0x18).
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeControlledLoad_C-Description-End -->
+
+<!-- QosServiceTypeControlledLoad_C-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeControlledLoad_C-Editable-End -->
+
+<!-- QosServiceTypeControlledLoad_C-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeControlledLoad_C-DFProperties-End -->
+
+<!-- QosServiceTypeControlledLoad_C-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeControlledLoad_C |
+| Friendly Name | Controlled load service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeControlledLoad_C-AdmxBacked-End -->
+
+<!-- QosServiceTypeControlledLoad_C-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeControlledLoad_C-Examples-End -->
+
+<!-- QosServiceTypeControlledLoad_C-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-Begin -->
+## QosServiceTypeControlledLoad_NC
+
+<!-- QosServiceTypeControlledLoad_NC-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeControlledLoad_NC-Applicability-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_NC
+```
+<!-- QosServiceTypeControlledLoad_NC-OmaUri-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that do not conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Controlled Load service type.
+
+If you disable this setting, the system uses the default DSCP value of 0.
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeControlledLoad_NC-Description-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeControlledLoad_NC-Editable-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeControlledLoad_NC-DFProperties-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeControlledLoad_NC |
+| Friendly Name | Controlled load service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeControlledLoad_NC-AdmxBacked-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeControlledLoad_NC-Examples-End -->
+
+<!-- QosServiceTypeControlledLoad_NC-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-Begin -->
+## QosServiceTypeControlledLoad_PV
+
+<!-- QosServiceTypeControlledLoad_PV-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeControlledLoad_PV-Applicability-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeControlledLoad_PV
+```
+<!-- QosServiceTypeControlledLoad_PV-OmaUri-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-Description-Begin -->
+Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.
+
+If you enable this setting, you can change the default priority value associated with the Controlled Load service type.
+
+If you disable this setting, the system uses the default priority value of 0.
+
+Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeControlledLoad_PV-Description-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeControlledLoad_PV-Editable-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeControlledLoad_PV-DFProperties-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeControlledLoad_PV |
+| Friendly Name | Controlled load service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > Layer-2 priority value |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeControlledLoad_PV-AdmxBacked-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeControlledLoad_PV-Examples-End -->
+
+<!-- QosServiceTypeControlledLoad_PV-End -->
+
+<!-- QosServiceTypeGuaranteed_C-Begin -->
+## QosServiceTypeGuaranteed_C
+
+<!-- QosServiceTypeGuaranteed_C-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeGuaranteed_C-Applicability-End -->
+
+<!-- QosServiceTypeGuaranteed_C-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_C
+```
+<!-- QosServiceTypeGuaranteed_C-OmaUri-End -->
+
+<!-- QosServiceTypeGuaranteed_C-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type.
+
+If you disable this setting, the system uses the default DSCP value of 40 (0x28).
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeGuaranteed_C-Description-End -->
+
+<!-- QosServiceTypeGuaranteed_C-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeGuaranteed_C-Editable-End -->
+
+<!-- QosServiceTypeGuaranteed_C-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeGuaranteed_C-DFProperties-End -->
+
+<!-- QosServiceTypeGuaranteed_C-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeGuaranteed_C |
+| Friendly Name | Guaranteed service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeGuaranteed_C-AdmxBacked-End -->
+
+<!-- QosServiceTypeGuaranteed_C-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeGuaranteed_C-Examples-End -->
+
+<!-- QosServiceTypeGuaranteed_C-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-Begin -->
+## QosServiceTypeGuaranteed_NC
+
+<!-- QosServiceTypeGuaranteed_NC-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeGuaranteed_NC-Applicability-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_NC
+```
+<!-- QosServiceTypeGuaranteed_NC-OmaUri-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that do not conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Guaranteed service type.
+
+If you disable this setting, the system uses the default DSCP value of 0.
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeGuaranteed_NC-Description-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeGuaranteed_NC-Editable-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeGuaranteed_NC-DFProperties-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeGuaranteed_NC |
+| Friendly Name | Guaranteed service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeGuaranteed_NC-AdmxBacked-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeGuaranteed_NC-Examples-End -->
+
+<!-- QosServiceTypeGuaranteed_NC-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-Begin -->
+## QosServiceTypeGuaranteed_PV
+
+<!-- QosServiceTypeGuaranteed_PV-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeGuaranteed_PV-Applicability-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeGuaranteed_PV
+```
+<!-- QosServiceTypeGuaranteed_PV-OmaUri-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-Description-Begin -->
+Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.
+
+If you enable this setting, you can change the default priority value associated with the Guaranteed service type.
+
+If you disable this setting, the system uses the default priority value of 0.
+
+Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeGuaranteed_PV-Description-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeGuaranteed_PV-Editable-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeGuaranteed_PV-DFProperties-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeGuaranteed_PV |
+| Friendly Name | Guaranteed service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > Layer-2 priority value |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeGuaranteed_PV-AdmxBacked-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeGuaranteed_PV-Examples-End -->
+
+<!-- QosServiceTypeGuaranteed_PV-End -->
+
+<!-- QosServiceTypeNetworkControl_C-Begin -->
+## QosServiceTypeNetworkControl_C
+
+<!-- QosServiceTypeNetworkControl_C-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeNetworkControl_C-Applicability-End -->
+
+<!-- QosServiceTypeNetworkControl_C-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_C
+```
+<!-- QosServiceTypeNetworkControl_C-OmaUri-End -->
+
+<!-- QosServiceTypeNetworkControl_C-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Network Control service type.
+
+If you disable this setting, the system uses the default DSCP value of 48 (0x30).
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeNetworkControl_C-Description-End -->
+
+<!-- QosServiceTypeNetworkControl_C-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeNetworkControl_C-Editable-End -->
+
+<!-- QosServiceTypeNetworkControl_C-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeNetworkControl_C-DFProperties-End -->
+
+<!-- QosServiceTypeNetworkControl_C-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeNetworkControl_C |
+| Friendly Name | Network control service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeNetworkControl_C-AdmxBacked-End -->
+
+<!-- QosServiceTypeNetworkControl_C-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeNetworkControl_C-Examples-End -->
+
+<!-- QosServiceTypeNetworkControl_C-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-Begin -->
+## QosServiceTypeNetworkControl_NC
+
+<!-- QosServiceTypeNetworkControl_NC-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeNetworkControl_NC-Applicability-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_NC
+```
+<!-- QosServiceTypeNetworkControl_NC-OmaUri-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that do not conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Network Control service type.
+
+If you disable this setting, the system uses the default DSCP value of 0.
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeNetworkControl_NC-Description-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeNetworkControl_NC-Editable-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeNetworkControl_NC-DFProperties-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeNetworkControl_NC |
+| Friendly Name | Network control service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeNetworkControl_NC-AdmxBacked-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeNetworkControl_NC-Examples-End -->
+
+<!-- QosServiceTypeNetworkControl_NC-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-Begin -->
+## QosServiceTypeNetworkControl_PV
+
+<!-- QosServiceTypeNetworkControl_PV-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeNetworkControl_PV-Applicability-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNetworkControl_PV
+```
+<!-- QosServiceTypeNetworkControl_PV-OmaUri-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-Description-Begin -->
+Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.
+
+If you enable this setting, you can change the default priority value associated with the Network Control service type.
+
+If you disable this setting, the system uses the default priority value of 0.
+
+Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeNetworkControl_PV-Description-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeNetworkControl_PV-Editable-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeNetworkControl_PV-DFProperties-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeNetworkControl_PV |
+| Friendly Name | Network control service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > Layer-2 priority value |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeNetworkControl_PV-AdmxBacked-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeNetworkControl_PV-Examples-End -->
+
+<!-- QosServiceTypeNetworkControl_PV-End -->
+
+<!-- QosServiceTypeNonConforming-Begin -->
+## QosServiceTypeNonConforming
+
+<!-- QosServiceTypeNonConforming-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeNonConforming-Applicability-End -->
+
+<!-- QosServiceTypeNonConforming-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeNonConforming
+```
+<!-- QosServiceTypeNonConforming-OmaUri-End -->
+
+<!-- QosServiceTypeNonConforming-Description-Begin -->
+Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.
+
+If you enable this setting, you can change the default priority value associated with nonconforming packets.
+
+If you disable this setting, the system uses the default priority value of 0.
+
+Important: If the Layer-2 priority value for nonconforming packets is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeNonConforming-Description-End -->
+
+<!-- QosServiceTypeNonConforming-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeNonConforming-Editable-End -->
+
+<!-- QosServiceTypeNonConforming-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeNonConforming-DFProperties-End -->
+
+<!-- QosServiceTypeNonConforming-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeNonConforming |
+| Friendly Name | Non-conforming packets |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > Layer-2 priority value |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeNonConforming-AdmxBacked-End -->
+
+<!-- QosServiceTypeNonConforming-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeNonConforming-Examples-End -->
+
+<!-- QosServiceTypeNonConforming-End -->
+
+<!-- QosServiceTypeQualitative_C-Begin -->
+## QosServiceTypeQualitative_C
+
+<!-- QosServiceTypeQualitative_C-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeQualitative_C-Applicability-End -->
+
+<!-- QosServiceTypeQualitative_C-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_C
+```
+<!-- QosServiceTypeQualitative_C-OmaUri-End -->
+
+<!-- QosServiceTypeQualitative_C-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Qualitative service type.
+
+If you disable this setting, the system uses the default DSCP value of 0.
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeQualitative_C-Description-End -->
+
+<!-- QosServiceTypeQualitative_C-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeQualitative_C-Editable-End -->
+
+<!-- QosServiceTypeQualitative_C-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeQualitative_C-DFProperties-End -->
+
+<!-- QosServiceTypeQualitative_C-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeQualitative_C |
+| Friendly Name | Qualitative service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeQualitative_C-AdmxBacked-End -->
+
+<!-- QosServiceTypeQualitative_C-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeQualitative_C-Examples-End -->
+
+<!-- QosServiceTypeQualitative_C-End -->
+
+<!-- QosServiceTypeQualitative_NC-Begin -->
+## QosServiceTypeQualitative_NC
+
+<!-- QosServiceTypeQualitative_NC-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeQualitative_NC-Applicability-End -->
+
+<!-- QosServiceTypeQualitative_NC-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_NC
+```
+<!-- QosServiceTypeQualitative_NC-OmaUri-End -->
+
+<!-- QosServiceTypeQualitative_NC-Description-Begin -->
+Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.
+
+This setting applies only to packets that do not conform to the flow specification.
+
+If you enable this setting, you can change the default DSCP value associated with the Qualitative service type.
+
+If you disable this setting, the system uses the default DSCP value of 0.
+
+Important: If the DSCP value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeQualitative_NC-Description-End -->
+
+<!-- QosServiceTypeQualitative_NC-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeQualitative_NC-Editable-End -->
+
+<!-- QosServiceTypeQualitative_NC-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeQualitative_NC-DFProperties-End -->
+
+<!-- QosServiceTypeQualitative_NC-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeQualitative_NC |
+| Friendly Name | Qualitative service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > DSCP value of non-conforming packets |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeQualitative_NC-AdmxBacked-End -->
+
+<!-- QosServiceTypeQualitative_NC-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeQualitative_NC-Examples-End -->
+
+<!-- QosServiceTypeQualitative_NC-End -->
+
+<!-- QosServiceTypeQualitative_PV-Begin -->
+## QosServiceTypeQualitative_PV
+
+<!-- QosServiceTypeQualitative_PV-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosServiceTypeQualitative_PV-Applicability-End -->
+
+<!-- QosServiceTypeQualitative_PV-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosServiceTypeQualitative_PV
+```
+<!-- QosServiceTypeQualitative_PV-OmaUri-End -->
+
+<!-- QosServiceTypeQualitative_PV-Description-Begin -->
+Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.
+
+If you enable this setting, you can change the default priority value associated with the Qualitative service type.
+
+If you disable this setting, the system uses the default priority value of 0.
+
+Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter, this setting is ignored when configuring that network adapter.
+<!-- QosServiceTypeQualitative_PV-Description-End -->
+
+<!-- QosServiceTypeQualitative_PV-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosServiceTypeQualitative_PV-Editable-End -->
+
+<!-- QosServiceTypeQualitative_PV-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosServiceTypeQualitative_PV-DFProperties-End -->
+
+<!-- QosServiceTypeQualitative_PV-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosServiceTypeQualitative_PV |
+| Friendly Name | Qualitative service type |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler > Layer-2 priority value |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping |
+| ADMX File Name | QOS.admx |
+<!-- QosServiceTypeQualitative_PV-AdmxBacked-End -->
+
+<!-- QosServiceTypeQualitative_PV-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosServiceTypeQualitative_PV-Examples-End -->
+
+<!-- QosServiceTypeQualitative_PV-End -->
+
+<!-- QosTimerResolution-Begin -->
+## QosTimerResolution
+
+<!-- QosTimerResolution-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- QosTimerResolution-Applicability-End -->
+
+<!-- QosTimerResolution-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_QOS/QosTimerResolution
+```
+<!-- QosTimerResolution-OmaUri-End -->
+
+<!-- QosTimerResolution-Description-Begin -->
+Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry.
+
+If you enable this setting, you can override the default timer resolution established for the system, usually units of 10 microseconds.
+
+If you disable this setting or do not configure it, the setting has no effect on the system.
+
+Important: If a timer resolution is specified in the registry for a particular network adapter, then this setting is ignored when configuring that network adapter.
+<!-- QosTimerResolution-Description-End -->
+
+<!-- QosTimerResolution-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- QosTimerResolution-Editable-End -->
+
+<!-- QosTimerResolution-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- QosTimerResolution-DFProperties-End -->
+
+<!-- QosTimerResolution-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | QosTimerResolution |
+| Friendly Name | Set timer resolution |
+| Location | Computer Configuration |
+| Path | Network > QoS Packet Scheduler |
+| Registry Key Name | Software\Policies\Microsoft\Windows\Psched |
+| ADMX File Name | QOS.admx |
+<!-- QosTimerResolution-AdmxBacked-End -->
+
+<!-- QosTimerResolution-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- QosTimerResolution-Examples-End -->
+
+<!-- QosTimerResolution-End -->
+
+<!-- ADMX_QOS-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- ADMX_QOS-CspMoreInfo-End -->
+
+<!-- ADMX_QOS-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md
index dc4e1233c9..13a94d8fbf 100644
--- a/windows/client-management/mdm/policy-csp-admx-radar.md
+++ b/windows/client-management/mdm/policy-csp-admx-radar.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Radar.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/08/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md
index b1eab7660f..d6f224badc 100644
--- a/windows/client-management/mdm/policy-csp-admx-reliability.md
+++ b/windows/client-management/mdm/policy-csp-admx-reliability.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_Reliability
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
index 14e4979617..bece2eb4d9 100644
--- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_RemoteAssistance.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/14/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
index 9f82c4971d..13c9f54981 100644
--- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_RemovableStorage.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/10/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md
index fa2c673c7b..c2e8188d71 100644
--- a/windows/client-management/mdm/policy-csp-admx-rpc.md
+++ b/windows/client-management/mdm/policy-csp-admx-rpc.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_RPC.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/08/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md
new file mode 100644
index 0000000000..16f8928707
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-sam.md
@@ -0,0 +1,113 @@
+---
+title: ADMX_sam Policy CSP
+description: Learn more about the ADMX_sam Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- ADMX_sam-Begin -->
+# Policy CSP - ADMX_sam
+
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!-- ADMX_sam-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ADMX_sam-Editable-End -->
+
+<!-- SamNGCKeyROCAValidation-Begin -->
+## SamNGCKeyROCAValidation
+
+<!-- SamNGCKeyROCAValidation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- SamNGCKeyROCAValidation-Applicability-End -->
+
+<!-- SamNGCKeyROCAValidation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_sam/SamNGCKeyROCAValidation
+```
+<!-- SamNGCKeyROCAValidation-OmaUri-End -->
+
+<!-- SamNGCKeyROCAValidation-Description-Begin -->
+This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
+
+For more information on the ROCA vulnerability, please see:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
+
+https://en.wikipedia.org/wiki/ROCA_vulnerability
+
+If you enable this policy setting the following options are supported:
+
+Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.
+
+Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed).
+
+Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).
+
+This setting only takes effect on domain controllers.
+
+If not configured, domain controllers will default to using their local configuration. The default local configuration is Audit.
+
+A reboot is not required for changes to this setting to take effect.
+
+Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
+
+More information is available at https://go.microsoft.com/fwlink/?linkid=2116430.
+<!-- SamNGCKeyROCAValidation-Description-End -->
+
+<!-- SamNGCKeyROCAValidation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SamNGCKeyROCAValidation-Editable-End -->
+
+<!-- SamNGCKeyROCAValidation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- SamNGCKeyROCAValidation-DFProperties-End -->
+
+<!-- SamNGCKeyROCAValidation-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SamNGCKeyROCAValidation |
+| Friendly Name | Configure validation of ROCA-vulnerable WHfB keys during authentication |
+| Location | Computer Configuration |
+| Path | System > Security Account Manager |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM |
+| ADMX File Name | sam.admx |
+<!-- SamNGCKeyROCAValidation-AdmxBacked-End -->
+
+<!-- SamNGCKeyROCAValidation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SamNGCKeyROCAValidation-Examples-End -->
+
+<!-- SamNGCKeyROCAValidation-End -->
+
+<!-- ADMX_sam-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- ADMX_sam-CspMoreInfo-End -->
+
+<!-- ADMX_sam-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index 943789cbb8..8fb9f59bb0 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Scripts.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/17/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
index 37bf96fbf0..98532868c7 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_sdiageng.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
index fb23412261..6de574029e 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_sdiagschd.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/17/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
index 39be50a3c1..e223bafce2 100644
--- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Securitycenter.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md
index bb64624c96..95bffd5ac9 100644
--- a/windows/client-management/mdm/policy-csp-admx-sensors.md
+++ b/windows/client-management/mdm/policy-csp-admx-sensors.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Sensors.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/22/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md
index 893b05aac3..24b6080943 100644
--- a/windows/client-management/mdm/policy-csp-admx-servermanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_ServerManager.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md
index 9f50b7554c..719e360bac 100644
--- a/windows/client-management/mdm/policy-csp-admx-servicing.md
+++ b/windows/client-management/mdm/policy-csp-admx-servicing.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Servicing.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md
index 167deff26e..116e79b9a4 100644
--- a/windows/client-management/mdm/policy-csp-admx-settingsync.md
+++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_SettingSync.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/01/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
index c8fb6904dc..1aa619b1dc 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_SharedFolders.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/21/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md
index a1593e1849..7b02e8d272 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharing.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharing.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Sharing.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/21/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
index c13e597795..0329365c45 100644
--- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
+++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_ShellCommandPromptRegEditTools.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index 0109708486..859415fe2f 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Smartcard.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md
index f836464795..7d3c267de8 100644
--- a/windows/client-management/mdm/policy-csp-admx-snmp.md
+++ b/windows/client-management/mdm/policy-csp-admx-snmp.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Snmp.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/24/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md
index 6fbbe28ec7..9a1a7a7fd8 100644
--- a/windows/client-management/mdm/policy-csp-admx-soundrec.md
+++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_SoundRec.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/01/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md
index c232d02342..d56e6b36ff 100644
--- a/windows/client-management/mdm/policy-csp-admx-srmfci.md
+++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_srmfci.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md
index 2b0f792270..aff23491ae 100644
--- a/windows/client-management/mdm/policy-csp-admx-startmenu.md
+++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_StartMenu.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/20/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
index e99e6c400f..7711aaec84 100644
--- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md
+++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_SystemRestore.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
new file mode 100644
index 0000000000..b8297ea689
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-tabletpcinputpanel.md
@@ -0,0 +1,1038 @@
+---
+title: ADMX_TabletPCInputPanel Policy CSP
+description: Learn more about the ADMX_TabletPCInputPanel Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- ADMX_TabletPCInputPanel-Begin -->
+# Policy CSP - ADMX_TabletPCInputPanel
+
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!-- ADMX_TabletPCInputPanel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ADMX_TabletPCInputPanel-Editable-End -->
+
+<!-- AutoComplete_2-Begin -->
+## AutoComplete_2
+
+<!-- AutoComplete_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AutoComplete_2-Applicability-End -->
+
+<!-- AutoComplete_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_2
+```
+<!-- AutoComplete_2-OmaUri-End -->
+
+<!-- AutoComplete_2-Description-Begin -->
+Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options.
+<!-- AutoComplete_2-Description-End -->
+
+<!-- AutoComplete_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AutoComplete_2-Editable-End -->
+
+<!-- AutoComplete_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AutoComplete_2-DFProperties-End -->
+
+<!-- AutoComplete_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AutoComplete |
+| Friendly Name | Turn off AutoComplete integration with Input Panel |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | DisableACIntegration |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- AutoComplete_2-AdmxBacked-End -->
+
+<!-- AutoComplete_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AutoComplete_2-Examples-End -->
+
+<!-- AutoComplete_2-End -->
+
+<!-- EdgeTarget_2-Begin -->
+## EdgeTarget_2
+
+<!-- EdgeTarget_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- EdgeTarget_2-Applicability-End -->
+
+<!-- EdgeTarget_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_2
+```
+<!-- EdgeTarget_2-OmaUri-End -->
+
+<!-- EdgeTarget_2-Description-Begin -->
+Prevents Input Panel tab from appearing on the edge of the Tablet PC screen.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+
+Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.
+<!-- EdgeTarget_2-Description-End -->
+
+<!-- EdgeTarget_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EdgeTarget_2-Editable-End -->
+
+<!-- EdgeTarget_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EdgeTarget_2-DFProperties-End -->
+
+<!-- EdgeTarget_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EdgeTarget |
+| Friendly Name | Prevent Input Panel tab from appearing |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | DisableEdgeTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- EdgeTarget_2-AdmxBacked-End -->
+
+<!-- EdgeTarget_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EdgeTarget_2-Examples-End -->
+
+<!-- EdgeTarget_2-End -->
+
+<!-- IPTIPTarget_2-Begin -->
+## IPTIPTarget_2
+
+<!-- IPTIPTarget_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- IPTIPTarget_2-Applicability-End -->
+
+<!-- IPTIPTarget_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_2
+```
+<!-- IPTIPTarget_2-OmaUri-End -->
+
+<!-- IPTIPTarget_2-Description-Begin -->
+Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+
+Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.
+<!-- IPTIPTarget_2-Description-End -->
+
+<!-- IPTIPTarget_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- IPTIPTarget_2-Editable-End -->
+
+<!-- IPTIPTarget_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IPTIPTarget_2-DFProperties-End -->
+
+<!-- IPTIPTarget_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IPTIPTarget |
+| Friendly Name | For tablet pen input, don’t show the Input Panel icon |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | HideIPTIPTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- IPTIPTarget_2-AdmxBacked-End -->
+
+<!-- IPTIPTarget_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IPTIPTarget_2-Examples-End -->
+
+<!-- IPTIPTarget_2-End -->
+
+<!-- IPTIPTouchTarget_2-Begin -->
+## IPTIPTouchTarget_2
+
+<!-- IPTIPTouchTarget_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- IPTIPTouchTarget_2-Applicability-End -->
+
+<!-- IPTIPTouchTarget_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_2
+```
+<!-- IPTIPTouchTarget_2-OmaUri-End -->
+
+<!-- IPTIPTouchTarget_2-Description-Begin -->
+Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+<!-- IPTIPTouchTarget_2-Description-End -->
+
+<!-- IPTIPTouchTarget_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- IPTIPTouchTarget_2-Editable-End -->
+
+<!-- IPTIPTouchTarget_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IPTIPTouchTarget_2-DFProperties-End -->
+
+<!-- IPTIPTouchTarget_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IPTIPTouchTarget |
+| Friendly Name | For touch input, don’t show the Input Panel icon |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | HideIPTIPTouchTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- IPTIPTouchTarget_2-AdmxBacked-End -->
+
+<!-- IPTIPTouchTarget_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IPTIPTouchTarget_2-Examples-End -->
+
+<!-- IPTIPTouchTarget_2-End -->
+
+<!-- PasswordSecurity_2-Begin -->
+## PasswordSecurity_2
+
+<!-- PasswordSecurity_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- PasswordSecurity_2-Applicability-End -->
+
+<!-- PasswordSecurity_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_2
+```
+<!-- PasswordSecurity_2-OmaUri-End -->
+
+<!-- PasswordSecurity_2-Description-Begin -->
+Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password.
+
+Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.
+
+Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords.
+<!-- PasswordSecurity_2-Description-End -->
+
+<!-- PasswordSecurity_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- PasswordSecurity_2-Editable-End -->
+
+<!-- PasswordSecurity_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- PasswordSecurity_2-DFProperties-End -->
+
+<!-- PasswordSecurity_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PasswordSecurity |
+| Friendly Name | Turn off password security in Input Panel |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | PasswordSecurityState |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- PasswordSecurity_2-AdmxBacked-End -->
+
+<!-- PasswordSecurity_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- PasswordSecurity_2-Examples-End -->
+
+<!-- PasswordSecurity_2-End -->
+
+<!-- Prediction_2-Begin -->
+## Prediction_2
+
+<!-- Prediction_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Prediction_2-Applicability-End -->
+
+<!-- Prediction_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_2
+```
+<!-- Prediction_2-OmaUri-End -->
+
+<!-- Prediction_2-Description-Begin -->
+Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language.
+
+Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista.
+<!-- Prediction_2-Description-End -->
+
+<!-- Prediction_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Prediction_2-Editable-End -->
+
+<!-- Prediction_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Prediction_2-DFProperties-End -->
+
+<!-- Prediction_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnablePrediction |
+| Friendly Name | Disable text prediction |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | DisablePrediction |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- Prediction_2-AdmxBacked-End -->
+
+<!-- Prediction_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Prediction_2-Examples-End -->
+
+<!-- Prediction_2-End -->
+
+<!-- RareChar_2-Begin -->
+## RareChar_2
+
+<!-- RareChar_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- RareChar_2-Applicability-End -->
+
+<!-- RareChar_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_2
+```
+<!-- RareChar_2-OmaUri-End -->
+
+<!-- RareChar_2-Description-Begin -->
+Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed.
+
+Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
+<!-- RareChar_2-Description-End -->
+
+<!-- RareChar_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RareChar_2-Editable-End -->
+
+<!-- RareChar_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- RareChar_2-DFProperties-End -->
+
+<!-- RareChar_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RareChar |
+| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | IncludeRareChar |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- RareChar_2-AdmxBacked-End -->
+
+<!-- RareChar_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RareChar_2-Examples-End -->
+
+<!-- RareChar_2-End -->
+
+<!-- ScratchOut_2-Begin -->
+## ScratchOut_2
+
+<!-- ScratchOut_2-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- ScratchOut_2-Applicability-End -->
+
+<!-- ScratchOut_2-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_2
+```
+<!-- ScratchOut_2-OmaUri-End -->
+
+<!-- ScratchOut_2-Description-Begin -->
+Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition.
+
+The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options.
+<!-- ScratchOut_2-Description-End -->
+
+<!-- ScratchOut_2-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ScratchOut_2-Editable-End -->
+
+<!-- ScratchOut_2-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ScratchOut_2-DFProperties-End -->
+
+<!-- ScratchOut_2-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ScratchOut |
+| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures |
+| Location | Computer Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | ScratchOutState |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- ScratchOut_2-AdmxBacked-End -->
+
+<!-- ScratchOut_2-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ScratchOut_2-Examples-End -->
+
+<!-- ScratchOut_2-End -->
+
+<!-- AutoComplete_1-Begin -->
+## AutoComplete_1
+
+<!-- AutoComplete_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- AutoComplete_1-Applicability-End -->
+
+<!-- AutoComplete_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/AutoComplete_1
+```
+<!-- AutoComplete_1-OmaUri-End -->
+
+<!-- AutoComplete_1-Description-Begin -->
+Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, application auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the Text completion tab in Input Panel Options.
+<!-- AutoComplete_1-Description-End -->
+
+<!-- AutoComplete_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AutoComplete_1-Editable-End -->
+
+<!-- AutoComplete_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AutoComplete_1-DFProperties-End -->
+
+<!-- AutoComplete_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AutoComplete |
+| Friendly Name | Turn off AutoComplete integration with Input Panel |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | DisableACIntegration |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- AutoComplete_1-AdmxBacked-End -->
+
+<!-- AutoComplete_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AutoComplete_1-Examples-End -->
+
+<!-- AutoComplete_1-End -->
+
+<!-- EdgeTarget_1-Begin -->
+## EdgeTarget_1
+
+<!-- EdgeTarget_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- EdgeTarget_1-Applicability-End -->
+
+<!-- EdgeTarget_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/EdgeTarget_1
+```
+<!-- EdgeTarget_1-OmaUri-End -->
+
+<!-- EdgeTarget_1-Description-Begin -->
+Prevents Input Panel tab from appearing on the edge of the Tablet PC screen.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+
+Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.
+<!-- EdgeTarget_1-Description-End -->
+
+<!-- EdgeTarget_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EdgeTarget_1-Editable-End -->
+
+<!-- EdgeTarget_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EdgeTarget_1-DFProperties-End -->
+
+<!-- EdgeTarget_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EdgeTarget |
+| Friendly Name | Prevent Input Panel tab from appearing |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | DisableEdgeTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- EdgeTarget_1-AdmxBacked-End -->
+
+<!-- EdgeTarget_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EdgeTarget_1-Examples-End -->
+
+<!-- EdgeTarget_1-End -->
+
+<!-- IPTIPTarget_1-Begin -->
+## IPTIPTarget_1
+
+<!-- IPTIPTarget_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- IPTIPTarget_1-Applicability-End -->
+
+<!-- IPTIPTarget_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTarget_1
+```
+<!-- IPTIPTarget_1-OmaUri-End -->
+
+<!-- IPTIPTarget_1-Description-Begin -->
+Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when using a tablet pen as an input device.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel will never appear next to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel will appear next to any text entry area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+
+Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Prevent Input Panel tab from appearing” policy, and disable the “Show Input Panel taskbar icon” policy, the user will then have no way to access Input Panel.
+<!-- IPTIPTarget_1-Description-End -->
+
+<!-- IPTIPTarget_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- IPTIPTarget_1-Editable-End -->
+
+<!-- IPTIPTarget_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IPTIPTarget_1-DFProperties-End -->
+
+<!-- IPTIPTarget_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IPTIPTarget |
+| Friendly Name | For tablet pen input, don’t show the Input Panel icon |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | HideIPTIPTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- IPTIPTarget_1-AdmxBacked-End -->
+
+<!-- IPTIPTarget_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IPTIPTarget_1-Examples-End -->
+
+<!-- IPTIPTarget_1-End -->
+
+<!-- IPTIPTouchTarget_1-Begin -->
+## IPTIPTouchTarget_1
+
+<!-- IPTIPTouchTarget_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- IPTIPTouchTarget_1-Applicability-End -->
+
+<!-- IPTIPTouchTarget_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/IPTIPTouchTarget_1
+```
+<!-- IPTIPTouchTarget_1-OmaUri-End -->
+
+<!-- IPTIPTouchTarget_1-Description-Begin -->
+Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This policy applies only when a user is using touch input.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel will never appear next to any text entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel will appear next to text entry areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
+<!-- IPTIPTouchTarget_1-Description-End -->
+
+<!-- IPTIPTouchTarget_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- IPTIPTouchTarget_1-Editable-End -->
+
+<!-- IPTIPTouchTarget_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IPTIPTouchTarget_1-DFProperties-End -->
+
+<!-- IPTIPTouchTarget_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IPTIPTouchTarget |
+| Friendly Name | For touch input, don’t show the Input Panel icon |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | HideIPTIPTouchTarget |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- IPTIPTouchTarget_1-AdmxBacked-End -->
+
+<!-- IPTIPTouchTarget_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IPTIPTouchTarget_1-Examples-End -->
+
+<!-- IPTIPTouchTarget_1-End -->
+
+<!-- PasswordSecurity_1-Begin -->
+## PasswordSecurity_1
+
+<!-- PasswordSecurity_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- PasswordSecurity_1-Applicability-End -->
+
+<!-- PasswordSecurity_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/PasswordSecurity_1
+```
+<!-- PasswordSecurity_1-OmaUri-End -->
+
+<!-- PasswordSecurity_1-Description-Begin -->
+Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped when entering a password.
+
+Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy and choose “Low” from the drop-down box, password security is set to “Low.” At this setting, all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “Medium-Low” from the drop-down box, password security is set to “Medium-Low.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “Medium” from the drop-down box, password security is set to “Medium.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose to “Medium-High” from the drop-down box, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “High” from the drop-down box, password security is set to “High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is not allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, password security is set to “Medium-High.” At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, password security is set to “Medium-High” by default. At this setting, when users enter passwords from Input Panel they use the on-screen keyboard by default, skin switching is allowed, and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.
+
+Caution: If you lower password security settings, people who can see the user’s screen might be able to see their passwords.
+<!-- PasswordSecurity_1-Description-End -->
+
+<!-- PasswordSecurity_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- PasswordSecurity_1-Editable-End -->
+
+<!-- PasswordSecurity_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- PasswordSecurity_1-DFProperties-End -->
+
+<!-- PasswordSecurity_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | PasswordSecurity |
+| Friendly Name | Turn off password security in Input Panel |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | PasswordSecurityState |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- PasswordSecurity_1-AdmxBacked-End -->
+
+<!-- PasswordSecurity_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- PasswordSecurity_1-Examples-End -->
+
+<!-- PasswordSecurity_1-End -->
+
+<!-- Prediction_1-Begin -->
+## Prediction_1
+
+<!-- Prediction_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- Prediction_1-Applicability-End -->
+
+<!-- Prediction_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/Prediction_1
+```
+<!-- Prediction_1-OmaUri-End -->
+
+<!-- Prediction_1-Description-Begin -->
+Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when the feature is available for the current input area and input language.
+
+Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, Input Panel will not provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, Input Panel will provide text prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vista.
+<!-- Prediction_1-Description-End -->
+
+<!-- Prediction_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Prediction_1-Editable-End -->
+
+<!-- Prediction_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- Prediction_1-DFProperties-End -->
+
+<!-- Prediction_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnablePrediction |
+| Friendly Name | Disable text prediction |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | DisablePrediction |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- Prediction_1-AdmxBacked-End -->
+
+<!-- Prediction_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- Prediction_1-Examples-End -->
+
+<!-- Prediction_1-End -->
+
+<!-- RareChar_1-Begin -->
+## RareChar_1
+
+<!-- RareChar_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- RareChar_1-Applicability-End -->
+
+<!-- RareChar_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/RareChar_1
+```
+<!-- RareChar_1-OmaUri-End -->
+
+<!-- RareChar_1-Description-Begin -->
+Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or keyboards are installed.
+
+Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy, rarely used Chinese, Kanji, and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, rarely used Chinese, Kanji, and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
+<!-- RareChar_1-Description-End -->
+
+<!-- RareChar_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RareChar_1-Editable-End -->
+
+<!-- RareChar_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- RareChar_1-DFProperties-End -->
+
+<!-- RareChar_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RareChar |
+| Friendly Name | Include rarely used Chinese, Kanji, or Hanja characters |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | IncludeRareChar |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- RareChar_1-AdmxBacked-End -->
+
+<!-- RareChar_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RareChar_1-Examples-End -->
+
+<!-- RareChar_1-End -->
+
+<!-- ScratchOut_1-Begin -->
+## ScratchOut_1
+
+<!-- ScratchOut_1-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- ScratchOut_1-Applicability-End -->
+
+<!-- ScratchOut_1-OmaUri-Begin -->
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_TabletPCInputPanel/ScratchOut_1
+```
+<!-- ScratchOut_1-OmaUri-End -->
+
+<!-- ScratchOut_1-Description-Begin -->
+Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition.
+
+The tolerant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes.
+
+Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts.
+
+If you enable this policy and choose “All” from the drop-down menu, no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “Tolerant," users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you enable this policy and choose “None,” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you disable this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box.
+
+If you do not configure this policy, users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options.
+<!-- ScratchOut_1-Description-End -->
+
+<!-- ScratchOut_1-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ScratchOut_1-Editable-End -->
+
+<!-- ScratchOut_1-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ScratchOut_1-DFProperties-End -->
+
+<!-- ScratchOut_1-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ScratchOut |
+| Friendly Name | Turn off tolerant and Z-shaped scratch-out gestures |
+| Location | User Configuration |
+| Path | WindowsComponents > Tablet PC > Input Panel |
+| Registry Key Name | software\policies\microsoft\TabletTip\1.7 |
+| Registry Value Name | ScratchOutState |
+| ADMX File Name | TabletPCInputPanel.admx |
+<!-- ScratchOut_1-AdmxBacked-End -->
+
+<!-- ScratchOut_1-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ScratchOut_1-Examples-End -->
+
+<!-- ScratchOut_1-End -->
+
+<!-- ADMX_TabletPCInputPanel-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- ADMX_TabletPCInputPanel-CspMoreInfo-End -->
+
+<!-- ADMX_TabletPCInputPanel-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
index 519c161fc4..82eee23e73 100644
--- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md
+++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_TabletShell.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md
index 1052c71018..107ce3f16c 100644
--- a/windows/client-management/mdm/policy-csp-admx-taskbar.md
+++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Taskbar.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/26/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md
index dfdf0bc374..16255c4155 100644
--- a/windows/client-management/mdm/policy-csp-admx-tcpip.md
+++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_tcpip.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index bd72791e61..458bfb9ffe 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_TerminalServer.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/21/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
index fe4ac226e4..89ee3b1b5c 100644
--- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md
+++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_Thumbnails.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/25/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md
index dc53725e32..4ca4f12b6f 100644
--- a/windows/client-management/mdm/policy-csp-admx-touchinput.md
+++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_TouchInput.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md
index 3bc2c09515..a17ffa7fcc 100644
--- a/windows/client-management/mdm/policy-csp-admx-tpm.md
+++ b/windows/client-management/mdm/policy-csp-admx-tpm.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_TPM.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/25/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index a563dfb775..cc67fba5d3 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_UserExperienceVirtualization.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/30/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
index 4147a72554..67c7143e09 100644
--- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_UserProfiles.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/11/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md
index 86709f4f7f..550c9e6d4c 100644
--- a/windows/client-management/mdm/policy-csp-admx-w32time.md
+++ b/windows/client-management/mdm/policy-csp-admx-w32time.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_W32Time.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/28/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md
index 7f28dbb59b..4a75b6002b 100644
--- a/windows/client-management/mdm/policy-csp-admx-wcm.md
+++ b/windows/client-management/mdm/policy-csp-admx-wcm.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_WCM.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/22/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md
index 0ecf7ba8f3..97629732ad 100644
--- a/windows/client-management/mdm/policy-csp-admx-wdi.md
+++ b/windows/client-management/mdm/policy-csp-admx-wdi.md
@@ -4,11 +4,11 @@ description: Learn about Policy CSP - ADMX_WDI.
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md
index ead17d11d3..edc0cee9ca 100644
--- a/windows/client-management/mdm/policy-csp-admx-wincal.md
+++ b/windows/client-management/mdm/policy-csp-admx-wincal.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WinCal
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/28/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
index f84f3fae7a..42a29e7391 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WindowsColorSystem
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/27/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
index 4591005023..046317d948 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WindowsConnectNow
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/28/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index ea9501ebec..f50c1a3948 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WindowsExplorer
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/29/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
index ec4e8d2adf..4528596266 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WindowsMediaDRM
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
index 4780dc6eef..30ea67c939 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WindowsMediaPlayer
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
index 64095a1e38..636f40127c 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WindowsRemoteManagement
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/16/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
index 58716cdc30..36044d5475 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WindowsStore
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/26/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md
index 73b315b10d..df7be3051f 100644
--- a/windows/client-management/mdm/policy-csp-admx-wininit.md
+++ b/windows/client-management/mdm/policy-csp-admx-wininit.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WinInit
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/29/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md
index a68509b294..b5f0a3c887 100644
--- a/windows/client-management/mdm/policy-csp-admx-winlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WinLogon
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md
index bf627b853f..50e594e0d2 100644
--- a/windows/client-management/mdm/policy-csp-admx-winsrv.md
+++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_Winsrv
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 02/25/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
index bcb613a6e9..4fc49cd363 100644
--- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md
+++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_wlansvc
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/27/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md
index c899ec246c..07a3a84c12 100644
--- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md
+++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WordWheel
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/22/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
index faf4206757..5bd6d30977 100644
--- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WorkFoldersClient
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/22/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md
index 723dc623f2..2e7baef0be 100644
--- a/windows/client-management/mdm/policy-csp-admx-wpn.md
+++ b/windows/client-management/mdm/policy-csp-admx-wpn.md
@@ -4,11 +4,11 @@ description: Policy CSP - ADMX_WPN
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/13/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 25977a168b..de90f8c39c 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -3,12 +3,12 @@ title: Policy CSP - ApplicationDefaults
 description: Learn about various Policy configuration service providers (CSP) - ApplicationDefaults, including SyncML, for Windows 10.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 3c8b32b9eb..65e5e7915b 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -3,12 +3,12 @@ title: Policy CSP - ApplicationManagement
 description: Learn about various Policy configuration service providers (CSP) - ApplicationManagement, including SyncML, for Windows 10.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 02/11/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index d7ccf330a4..2a20687b94 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -3,12 +3,12 @@ title: Policy CSP - AppRuntime
 description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index f257399257..9998b990ad 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -3,12 +3,12 @@ title: Policy CSP - AppVirtualization
 description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index bd3a05bc12..8b7af20909 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -3,12 +3,12 @@ title: Policy CSP - AttachmentManager
 description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index f21586fb2d..4d053f554f 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -3,8 +3,8 @@ title: Policy CSP - Audit
 description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't sign in to a computer because the account is locked out.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index e36a54a137..9507fbe7e9 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -3,8 +3,8 @@ title: Policy CSP - Authentication
 description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign-in screen.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.reviewer: bobgil
@@ -465,18 +465,18 @@ Value type is integer. Supported values:
 <!--/Scope-->
 <!--Description-->
 > [!Warning]
-> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
+> The Web sign-in feature is intended for recovery purposes in the event a password is not available as an authentication method. Web sign-in only supports Temporary Access Pass as an authentication method for Azure Active Directory, unless it is being used in a limited federated scope. 
 
-"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
+"Web sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
 
 > [!Note]
-> Web Sign-in is only supported on Azure AD Joined PCs.
+> Web sign-in is only supported on Azure AD Joined PCs.
 
 Value type is integer. Supported values:
 
 - 0 - (default) The feature defaults to the existing SKU and device capabilities.
-- 1 - Enabled. Web Credential Provider will be enabled for a sign in.
-- 2 - Disabled. Web Credential Provider won't be enabled for a sign in.
+- 1 - Enabled. Web Credential Provider will be enabled for a sign-in.
+- 2 - Disabled. Web Credential Provider won't be enabled for a sign-in.
 
 <!--/Description-->
 <!--SupportedValues-->
diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md
index 7cd383658f..4404ad9edb 100644
--- a/windows/client-management/mdm/policy-csp-autoplay.md
+++ b/windows/client-management/mdm/policy-csp-autoplay.md
@@ -3,12 +3,12 @@ title: Policy CSP - Autoplay
 description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index ce76b05817..5b9b63de9c 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -3,12 +3,12 @@ title: Policy CSP - BitLocker
 description: Use the Policy configuration service provider (CSP) - BitLocker to manage encryption of PCs and devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 9d95819603..500ed33aa8 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -3,12 +3,12 @@ title: Policy CSP - BITS
 description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index d4cf37c54e..80872eeb7d 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -3,12 +3,12 @@ title: Policy CSP - Bluetooth
 description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 02/12/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index e6f8aa0527..f408ee3d3b 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -2,12 +2,12 @@
 title: Policy CSP - Browser
 description: Learn how to use the Policy CSP - Browser settings so you can configure Microsoft Edge browser, version 45 and earlier.
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.localizationpriority: medium
 ---
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index 50b9bb3e51..8c04fb2ffd 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -3,12 +3,12 @@ title: Policy CSP - Camera
 description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md
index 3167bdccb8..fc801d1859 100644
--- a/windows/client-management/mdm/policy-csp-cellular.md
+++ b/windows/client-management/mdm/policy-csp-cellular.md
@@ -3,12 +3,12 @@ title: Policy CSP - Cellular
 description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md
new file mode 100644
index 0000000000..c0907eacb8
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-clouddesktop.md
@@ -0,0 +1,80 @@
+---
+title: CloudDesktop Policy CSP
+description: Learn more about the CloudDesktop Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/22/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- CloudDesktop-Begin -->
+# Policy CSP - CloudDesktop
+
+<!-- CloudDesktop-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- CloudDesktop-Editable-End -->
+
+<!-- BootToCloudMode-Begin -->
+## BootToCloudMode
+
+<!-- BootToCloudMode-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- BootToCloudMode-Applicability-End -->
+
+<!-- BootToCloudMode-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode
+```
+<!-- BootToCloudMode-OmaUri-End -->
+
+<!-- BootToCloudMode-Description-Begin -->
+This policy is used by IT admin to set the configuration mode of cloud PC.
+<!-- BootToCloudMode-Description-End -->
+
+<!-- BootToCloudMode-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- BootToCloudMode-Editable-End -->
+
+<!-- BootToCloudMode-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+| Dependency [OverrideShellProgramDependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br>  |
+<!-- BootToCloudMode-DFProperties-End -->
+
+<!-- BootToCloudMode-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not Configured |
+| 1 | Enable Boot to Cloud Desktop |
+<!-- BootToCloudMode-AllowedValues-End -->
+
+<!-- BootToCloudMode-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- BootToCloudMode-Examples-End -->
+
+<!-- BootToCloudMode-End -->
+
+<!-- CloudDesktop-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- CloudDesktop-CspMoreInfo-End -->
+
+<!-- CloudDesktop-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-cloudpc.md b/windows/client-management/mdm/policy-csp-cloudpc.md
new file mode 100644
index 0000000000..0c497a0c4e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-cloudpc.md
@@ -0,0 +1,79 @@
+---
+title: CloudPC Policy CSP
+description: Learn more about the CloudPC Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/02/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- CloudPC-Begin -->
+# Policy CSP - CloudPC
+
+<!-- CloudPC-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- CloudPC-Editable-End -->
+
+<!-- CloudPCConfiguration-Begin -->
+## CloudPCConfiguration
+
+<!-- CloudPCConfiguration-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- CloudPCConfiguration-Applicability-End -->
+
+<!-- CloudPCConfiguration-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/CloudPC/CloudPCConfiguration
+```
+<!-- CloudPCConfiguration-OmaUri-End -->
+
+<!-- CloudPCConfiguration-Description-Begin -->
+This policy is used by IT admin to set the configuration mode of cloud PC.
+<!-- CloudPCConfiguration-Description-End -->
+
+<!-- CloudPCConfiguration-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- CloudPCConfiguration-Editable-End -->
+
+<!-- CloudPCConfiguration-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- CloudPCConfiguration-DFProperties-End -->
+
+<!-- CloudPCConfiguration-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Fast Switching Configuration. |
+| 1 | Boot to cloud PC Configuration. |
+<!-- CloudPCConfiguration-AllowedValues-End -->
+
+<!-- CloudPCConfiguration-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- CloudPCConfiguration-Examples-End -->
+
+<!-- CloudPCConfiguration-End -->
+
+<!-- CloudPC-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- CloudPC-CspMoreInfo-End -->
+
+<!-- CloudPC-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 14cdad4c57..e9849f6706 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -3,12 +3,12 @@ title: Policy CSP - Connectivity
 description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 10eebb715f..98923c408a 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -3,11 +3,11 @@ title: Policy CSP - ControlPolicyConflict
 description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -20,25 +20,16 @@ manager: aaroncz
 <!--Policies-->
 ## ControlPolicyConflict policies
 
-<dl>
-  <dd>
-    <a href="#controlpolicyconflict-mdmwinsovergp">ControlPolicyConflict/MDMWinsOverGP</a>
-  </dd>
-</dl>
-
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="controlpolicyconflict-mdmwinsovergp"></a>**ControlPolicyConflict/MDMWinsOverGP**
 
 > [!NOTE]
 > This setting doesn't apply to the following types of group policies:
 >
-> - If they don't map to an MDM policy. For example, firewall policies and account lockout policies.
-> - If they aren't defined by an ADMX. For example, Password policy - minimum password age.
-> - If they're in the Windows Update category.
-> - If they have list entries. For example, the Microsoft Edge CookiesAllowedForUrls policy.
+> - If they don't map to an MDM policy. For example, Windows Settings > Security Settings > Public Key Policies.
+> - If they are group policies that aren't defined by an ADMX template. For example, Windows Settings > Scripts.
+> - If they have list entries. For example, Administrative Templates > Windows Components > ActiveX Installer Service > Approved Installation Sites for ActiveX Controls.
+> - If they are in the Windows Update category.
 
 <!--SupportedSKUs-->
 
diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md
index 2bb4580abc..6b8fff0b9e 100644
--- a/windows/client-management/mdm/policy-csp-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-credentialproviders.md
@@ -3,12 +3,12 @@ title: Policy CSP - CredentialProviders
 description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
index 0a892288b0..1a40f20b82 100644
--- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md
+++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md
@@ -3,12 +3,12 @@ title: Policy CSP - CredentialsDelegation
 description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md
index b25c7b462a..cc614a22ef 100644
--- a/windows/client-management/mdm/policy-csp-credentialsui.md
+++ b/windows/client-management/mdm/policy-csp-credentialsui.md
@@ -3,12 +3,12 @@ title: Policy CSP - CredentialsUI
 description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 7df10140df..709df7bf13 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -3,12 +3,12 @@ title: Policy CSP - Cryptography
 description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 557d7e1a16..5e5484db98 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -3,12 +3,12 @@ title: Policy CSP - DataProtection
 description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md
index eb466e58e4..da61efc35d 100644
--- a/windows/client-management/mdm/policy-csp-datausage.md
+++ b/windows/client-management/mdm/policy-csp-datausage.md
@@ -3,12 +3,12 @@ title: Policy CSP - DataUsage
 description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index b3684deace..efc7a8a312 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,2439 +1,2794 @@
 ---
-title: Policy CSP - Defender
-description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives.
-ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
+title: Defender Policy CSP
+description: Learn more about the Defender Area in Policy CSP
 author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 05/12/2022
-ms.reviewer:
 manager: aaroncz
-ms.collection: highpri
+ms.author: vinpa
+ms.date: 11/02/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- Defender-Begin -->
 # Policy CSP - Defender
 
+<!-- Defender-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Defender-Editable-End -->
+
+<!-- AllowArchiveScanning-Begin -->
+## AllowArchiveScanning
+
+<!-- AllowArchiveScanning-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowArchiveScanning-Applicability-End -->
+
+<!-- AllowArchiveScanning-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowArchiveScanning
+```
+<!-- AllowArchiveScanning-OmaUri-End -->
+
+<!-- AllowArchiveScanning-Description-Begin -->
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
+
+If you enable or do not configure this setting, archive files will be scanned.
+
+If you disable this setting, archive files will not be scanned. However, archives are always scanned during directed scans.
+<!-- AllowArchiveScanning-Description-End -->
+
+<!-- AllowArchiveScanning-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowArchiveScanning-Editable-End -->
+
+<!-- AllowArchiveScanning-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowArchiveScanning-DFProperties-End -->
+
+<!-- AllowArchiveScanning-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. Turns off scanning on archived files. |
+| 1 (Default) | Allowed. Scans the archive files. |
+<!-- AllowArchiveScanning-AllowedValues-End -->
+
+<!-- AllowArchiveScanning-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_DisableArchiveScanning |
+| Friendly Name | Scan archive files |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisableArchiveScanning |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowArchiveScanning-GpMapping-End -->
+
+<!-- AllowArchiveScanning-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowArchiveScanning-Examples-End -->
+
+<!-- AllowArchiveScanning-End -->
+
+<!-- AllowBehaviorMonitoring-Begin -->
+## AllowBehaviorMonitoring
+
+<!-- AllowBehaviorMonitoring-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowBehaviorMonitoring-Applicability-End -->
 
-
-<hr/>
-
-<!--Policies-->
-## Defender policies
-
-<dl>
-  <dd>
-    <a href="#defender-allowarchivescanning">Defender/AllowArchiveScanning</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowbehaviormonitoring">Defender/AllowBehaviorMonitoring</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowcloudprotection">Defender/AllowCloudProtection</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowemailscanning">Defender/AllowEmailScanning</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowfullscanonmappednetworkdrives">Defender/AllowFullScanOnMappedNetworkDrives</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowfullscanremovabledrivescanning">Defender/AllowFullScanRemovableDriveScanning</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowioavprotection">Defender/AllowIOAVProtection</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowonaccessprotection">Defender/AllowOnAccessProtection</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowrealtimemonitoring">Defender/AllowRealtimeMonitoring</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowscanningnetworkfiles">Defender/AllowScanningNetworkFiles</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowscriptscanning">Defender/AllowScriptScanning</a>
-  </dd>
-  <dd>
-    <a href="#defender-allowuseruiaccess">Defender/AllowUserUIAccess</a>
-  </dd>
-  <dd>
-    <a href="#defender-attacksurfacereductiononlyexclusions">Defender/AttackSurfaceReductionOnlyExclusions</a>
-  </dd>
-  <dd>
-    <a href="#defender-attacksurfacereductionrules">Defender/AttackSurfaceReductionRules</a>
-  </dd>
-  <dd>
-    <a href="#defender-avgcpuloadfactor">Defender/AvgCPULoadFactor</a>
-  </dd>
-  <dd>
-    <a href="#defender-checkforsignaturesbeforerunningscan">Defender/CheckForSignaturesBeforeRunningScan</a>
-  </dd>
-  <dd>
-    <a href="#defender-cloudblocklevel">Defender/CloudBlockLevel</a>
-  </dd>
-  <dd>
-    <a href="#defender-cloudextendedtimeout">Defender/CloudExtendedTimeout</a>
-  </dd>
-  <dd>
-    <a href="#defender-controlledfolderaccessallowedapplications">Defender/ControlledFolderAccessAllowedApplications</a>
-  </dd>
-  <dd>
-    <a href="#defender-controlledfolderaccessprotectedfolders">Defender/ControlledFolderAccessProtectedFolders</a>
-  </dd>
-  <dd>
-    <a href="#defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
-  </dd>
-  <dd>
-    <a href="#defender-disablecatchupfullscan">Defender/DisableCatchupFullScan</a>
-  </dd>
-  <dd>
-    <a href="#defender-disablecatchupquickscan">Defender/DisableCatchupQuickScan</a>
-  </dd>
-  <dd>
-    <a href="#defender-enablecontrolledfolderaccess">Defender/EnableControlledFolderAccess</a>
-  </dd>
-  <dd>
-    <a href="#defender-enablelowcpupriority">Defender/EnableLowCPUPriority</a>
-  </dd>
-  <dd>
-    <a href="#defender-enablenetworkprotection">Defender/EnableNetworkProtection</a>
-  </dd>
-  <dd>
-    <a href="#defender-excludedextensions">Defender/ExcludedExtensions</a>
-  </dd>
-  <dd>
-    <a href="#defender-excludedpaths">Defender/ExcludedPaths</a>
-  </dd>
-  <dd>
-    <a href="#defender-excludedprocesses">Defender/ExcludedProcesses</a>
-  </dd>
-  <dd>
-    <a href="#defender-puaprotection">Defender/PUAProtection</a>
-  </dd>
-  <dd>
-    <a href="#defender-realtimescandirection">Defender/RealTimeScanDirection</a>
-  </dd>
-  <dd>
-    <a href="#defender-scanparameter">Defender/ScanParameter</a>
-  </dd>
-  <dd>
-    <a href="#defender-schedulequickscantime">Defender/ScheduleQuickScanTime</a>
-  </dd>
-  <dd>
-    <a href="#defender-schedulescanday">Defender/ScheduleScanDay</a>
-  </dd>
-  <dd>
-    <a href="#defender-schedulescantime">Defender/ScheduleScanTime</a>
-  </dd>
-  <dd>
-    <a href="#defender-securityintelligencelocation">Defender/SecurityIntelligenceLocation</a>
-  </dd>
-  <dd>
-    <a href="#defender-signatureupdatefallbackorder">Defender/SignatureUpdateFallbackOrder</a>
-  </dd>
-  <dd>
-    <a href="#defender-signatureupdatefilesharessources">Defender/SignatureUpdateFileSharesSources</a>
-  </dd>
-  <dd>
-    <a href="#defender-signatureupdateinterval">Defender/SignatureUpdateInterval</a>
-  </dd>
-  <dd>
-    <a href="#defender-submitsamplesconsent">Defender/SubmitSamplesConsent</a>
-  </dd>
-  <dd>
-    <a href="#defender-threatseveritydefaultaction">Defender/ThreatSeverityDefaultAction</a>
-  </dd>
-</dl>
-
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowarchivescanning"></a>**Defender/AllowArchiveScanning**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows scanning of archives.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Scan archive files*
--   GP name: *Scan_DisableArchiveScanning*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed. Turns off scanning on archived files.
--   1 (default) – Allowed. Scans the archive files.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowbehaviormonitoring"></a>**Defender/AllowBehaviorMonitoring**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Allows or disallows Windows Defender Behavior Monitoring functionality.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Turn on behavior monitoring*
--   GP name: *RealtimeProtection_DisableBehaviorMonitoring*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed. Turns off behavior monitoring.
--   1 (default) – Allowed. Turns on real-time behavior monitoring.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowcloudprotection"></a>**Defender/AllowCloudProtection**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Join Microsoft MAPS*
--   GP name: *SpynetReporting*
--   GP element: *SpynetReporting*
--   GP path: *Windows Components/Microsoft Defender Antivirus/MAPS*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed. Turns off the Microsoft Active Protection Service.
--   1 (default) – Allowed. Turns on the Microsoft Active Protection Service.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowemailscanning"></a>**Defender/AllowEmailScanning**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows scanning of email.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Turn on e-mail scanning*
--   GP name: *Scan_DisableEmailScanning*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 (default) – Not allowed. Turns off email scanning.
--   1 – Allowed. Turns on email scanning.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowfullscanonmappednetworkdrives"></a>**Defender/AllowFullScanOnMappedNetworkDrives**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows a full scan of mapped network drives.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Run full scan on mapped network drives*
--   GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 (default) – Not allowed. Disables scanning on mapped network drives.
--   1 – Allowed. Scans mapped network drives.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowfullscanremovabledrivescanning"></a>**Defender/AllowFullScanRemovableDriveScanning**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Scan removable drives*
--   GP name: *Scan_DisableRemovableDriveScanning*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed. Turns off scanning on removable drives.
--   1 (default) – Allowed. Scans removable drives.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowioavprotection"></a>**Defender/AllowIOAVProtection**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows Windows Defender IOAVP Protection functionality.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Scan all downloaded files and attachments*
--   GP name: *RealtimeProtection_DisableIOAVProtection*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed.
--   1 (default) – Allowed.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowonaccessprotection"></a>**Defender/AllowOnAccessProtection**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows Windows Defender On Access Protection functionality.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Monitor file and program activity on your computer*
--   GP name: *RealtimeProtection_DisableOnAccessProtection*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed.
--   1 (default) – Allowed.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-> [!IMPORTANT]
-> AllowOnAccessProtection is officially being deprecated.
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowrealtimemonitoring"></a>**Defender/AllowRealtimeMonitoring**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows Windows Defender real-time Monitoring functionality.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Turn off real-time protection*
--   GP name: *DisableRealtimeMonitoring*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed. Turns off the real-time monitoring service.
--   1 (default) – Allowed. Turns on and runs the real-time monitoring service.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowscanningnetworkfiles"></a>**Defender/AllowScanningNetworkFiles**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows a scanning of network files.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Scan network files*
--   GP name: *Scan_DisableScanningNetworkFiles*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed. Turns off scanning of network files.
--   1 (default) – Allowed. Scans network files.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowscriptscanning"></a>**Defender/AllowScriptScanning**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
+<!-- AllowBehaviorMonitoring-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowBehaviorMonitoring
+```
+<!-- AllowBehaviorMonitoring-OmaUri-End -->
+
+<!-- AllowBehaviorMonitoring-Description-Begin -->
+This policy setting allows you to configure behavior monitoring.
+
+If you enable or do not configure this setting, behavior monitoring will be enabled.
+
+If you disable this setting, behavior monitoring will be disabled.
+<!-- AllowBehaviorMonitoring-Description-End -->
+
+<!-- AllowBehaviorMonitoring-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowBehaviorMonitoring-Editable-End -->
+
+<!-- AllowBehaviorMonitoring-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowBehaviorMonitoring-DFProperties-End -->
+
+<!-- AllowBehaviorMonitoring-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. Turns off behavior monitoring. |
+| 1 (Default) | Allowed. Turns on real-time behavior monitoring. |
+<!-- AllowBehaviorMonitoring-AllowedValues-End -->
+
+<!-- AllowBehaviorMonitoring-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RealtimeProtection_DisableBehaviorMonitoring |
+| Friendly Name | Turn on behavior monitoring |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection |
+| Registry Value Name | DisableBehaviorMonitoring |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowBehaviorMonitoring-GpMapping-End -->
+
+<!-- AllowBehaviorMonitoring-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowBehaviorMonitoring-Examples-End -->
+
+<!-- AllowBehaviorMonitoring-End -->
+
+<!-- AllowCloudProtection-Begin -->
+## AllowCloudProtection
+
+<!-- AllowCloudProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- AllowCloudProtection-Applicability-End -->
+
+<!-- AllowCloudProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowCloudProtection
+```
+<!-- AllowCloudProtection-OmaUri-End -->
+
+<!-- AllowCloudProtection-Description-Begin -->
+This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
+
+You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
+
+Possible options are:
+(0x0) Disabled (default)
+(0x1) Basic membership
+(0x2) Advanced membership
+
+Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful.
+
+Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.
+
+If you enable this setting, you will join Microsoft MAPS with the membership specified.
+
+If you disable or do not configure this setting, you will not join Microsoft MAPS.
+
+In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership.
+<!-- AllowCloudProtection-Description-End -->
+
+<!-- AllowCloudProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowCloudProtection-Editable-End -->
+
+<!-- AllowCloudProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowCloudProtection-DFProperties-End -->
+
+<!-- AllowCloudProtection-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. Turns off the Microsoft Active Protection Service. |
+| 1 (Default) | Allowed. Turns on the Microsoft Active Protection Service. |
+<!-- AllowCloudProtection-AllowedValues-End -->
+
+<!-- AllowCloudProtection-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SpynetReporting |
+| Friendly Name | Join Microsoft MAPS |
+| Element Name | Join Microsoft MAPS |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > MAPS |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet |
+| Registry Value Name | SpynetReporting |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowCloudProtection-GpMapping-End -->
+
+<!-- AllowCloudProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowCloudProtection-Examples-End -->
+
+<!-- AllowCloudProtection-End -->
+
+<!-- AllowEmailScanning-Begin -->
+## AllowEmailScanning
+
+<!-- AllowEmailScanning-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowEmailScanning-Applicability-End -->
+
+<!-- AllowEmailScanning-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowEmailScanning
+```
+<!-- AllowEmailScanning-OmaUri-End -->
+
+<!-- AllowEmailScanning-Description-Begin -->
+This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). Email scanning is not supported on modern email clients.
+
+If you enable this setting, e-mail scanning will be enabled.
+
+If you disable or do not configure this setting, e-mail scanning will be disabled.
+<!-- AllowEmailScanning-Description-End -->
+
+<!-- AllowEmailScanning-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowEmailScanning-Editable-End -->
+
+<!-- AllowEmailScanning-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AllowEmailScanning-DFProperties-End -->
+
+<!-- AllowEmailScanning-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not allowed. Turns off email scanning. |
+| 1 | Allowed. Turns on email scanning. |
+<!-- AllowEmailScanning-AllowedValues-End -->
+
+<!-- AllowEmailScanning-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_DisableEmailScanning |
+| Friendly Name | Turn on e-mail scanning |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisableEmailScanning |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowEmailScanning-GpMapping-End -->
+
+<!-- AllowEmailScanning-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowEmailScanning-Examples-End -->
+
+<!-- AllowEmailScanning-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-Begin -->
+## AllowFullScanOnMappedNetworkDrives
+
+<!-- AllowFullScanOnMappedNetworkDrives-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowFullScanOnMappedNetworkDrives-Applicability-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowFullScanOnMappedNetworkDrives
+```
+<!-- AllowFullScanOnMappedNetworkDrives-OmaUri-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-Description-Begin -->
+This policy setting allows you to configure scanning mapped network drives.
+
+If you enable this setting, mapped network drives will be scanned.
+
+If you disable or do not configure this setting, mapped network drives will not be scanned.
+<!-- AllowFullScanOnMappedNetworkDrives-Description-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowFullScanOnMappedNetworkDrives-Editable-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AllowFullScanOnMappedNetworkDrives-DFProperties-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not allowed. Disables scanning on mapped network drives. |
+| 1 | Allowed. Scans mapped network drives. |
+<!-- AllowFullScanOnMappedNetworkDrives-AllowedValues-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_DisableScanningMappedNetworkDrivesForFullScan |
+| Friendly Name | Run full scan on mapped network drives |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisableScanningMappedNetworkDrivesForFullScan |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowFullScanOnMappedNetworkDrives-GpMapping-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowFullScanOnMappedNetworkDrives-Examples-End -->
+
+<!-- AllowFullScanOnMappedNetworkDrives-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-Begin -->
+## AllowFullScanRemovableDriveScanning
+
+<!-- AllowFullScanRemovableDriveScanning-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowFullScanRemovableDriveScanning-Applicability-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowFullScanRemovableDriveScanning
+```
+<!-- AllowFullScanRemovableDriveScanning-OmaUri-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-Description-Begin -->
+This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
+
+If you enable this setting, removable drives will be scanned during any type of scan.
+
+If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
+<!-- AllowFullScanRemovableDriveScanning-Description-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowFullScanRemovableDriveScanning-Editable-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowFullScanRemovableDriveScanning-DFProperties-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. Turns off scanning on removable drives. |
+| 1 (Default) | Allowed. Scans removable drives. |
+<!-- AllowFullScanRemovableDriveScanning-AllowedValues-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_DisableRemovableDriveScanning |
+| Friendly Name | Scan removable drives |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisableRemovableDriveScanning |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowFullScanRemovableDriveScanning-GpMapping-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowFullScanRemovableDriveScanning-Examples-End -->
+
+<!-- AllowFullScanRemovableDriveScanning-End -->
+
+<!-- AllowIntrusionPreventionSystem-Begin -->
+## AllowIntrusionPreventionSystem
+
+<!-- AllowIntrusionPreventionSystem-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowIntrusionPreventionSystem-Applicability-End -->
+
+<!-- AllowIntrusionPreventionSystem-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowIntrusionPreventionSystem
+```
+<!-- AllowIntrusionPreventionSystem-OmaUri-End -->
+
+<!-- AllowIntrusionPreventionSystem-Description-Begin -->
+Allows or disallows Windows Defender Intrusion Prevention functionality.
+<!-- AllowIntrusionPreventionSystem-Description-End -->
+
+<!-- AllowIntrusionPreventionSystem-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowIntrusionPreventionSystem-Editable-End -->
+
+<!-- AllowIntrusionPreventionSystem-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowIntrusionPreventionSystem-DFProperties-End -->
+
+<!-- AllowIntrusionPreventionSystem-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+<!-- AllowIntrusionPreventionSystem-AllowedValues-End -->
+
+<!-- AllowIntrusionPreventionSystem-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowIntrusionPreventionSystem-Examples-End -->
+
+<!-- AllowIntrusionPreventionSystem-End -->
+
+<!-- AllowIOAVProtection-Begin -->
+## AllowIOAVProtection
+
+<!-- AllowIOAVProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowIOAVProtection-Applicability-End -->
+
+<!-- AllowIOAVProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowIOAVProtection
+```
+<!-- AllowIOAVProtection-OmaUri-End -->
+
+<!-- AllowIOAVProtection-Description-Begin -->
+This policy setting allows you to configure scanning for all downloaded files and attachments.
+
+If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
+
+If you disable this setting, scanning for all downloaded files and attachments will be disabled.
+<!-- AllowIOAVProtection-Description-End -->
+
+<!-- AllowIOAVProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowIOAVProtection-Editable-End -->
+
+<!-- AllowIOAVProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowIOAVProtection-DFProperties-End -->
+
+<!-- AllowIOAVProtection-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+<!-- AllowIOAVProtection-AllowedValues-End -->
+
+<!-- AllowIOAVProtection-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RealtimeProtection_DisableIOAVProtection |
+| Friendly Name | Scan all downloaded files and attachments |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection |
+| Registry Value Name | DisableIOAVProtection |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowIOAVProtection-GpMapping-End -->
+
+<!-- AllowIOAVProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowIOAVProtection-Examples-End -->
+
+<!-- AllowIOAVProtection-End -->
+
+<!-- AllowOnAccessProtection-Begin -->
+## AllowOnAccessProtection
+
+<!-- AllowOnAccessProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowOnAccessProtection-Applicability-End -->
+
+<!-- AllowOnAccessProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowOnAccessProtection
+```
+<!-- AllowOnAccessProtection-OmaUri-End -->
+
+<!-- AllowOnAccessProtection-Description-Begin -->
+This policy setting allows you to configure monitoring for file and program activity.
+
+If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
+
+If you disable this setting, monitoring for file and program activity will be disabled.
+<!-- AllowOnAccessProtection-Description-End -->
+
+<!-- AllowOnAccessProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowOnAccessProtection-Editable-End -->
+
+<!-- AllowOnAccessProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowOnAccessProtection-DFProperties-End -->
+
+<!-- AllowOnAccessProtection-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+<!-- AllowOnAccessProtection-AllowedValues-End -->
+
+<!-- AllowOnAccessProtection-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RealtimeProtection_DisableOnAccessProtection |
+| Friendly Name | Monitor file and program activity on your computer |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection |
+| Registry Value Name | DisableOnAccessProtection |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowOnAccessProtection-GpMapping-End -->
+
+<!-- AllowOnAccessProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowOnAccessProtection-Examples-End -->
+
+<!-- AllowOnAccessProtection-End -->
+
+<!-- AllowRealtimeMonitoring-Begin -->
+## AllowRealtimeMonitoring
+
+<!-- AllowRealtimeMonitoring-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowRealtimeMonitoring-Applicability-End -->
+
+<!-- AllowRealtimeMonitoring-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowRealtimeMonitoring
+```
+<!-- AllowRealtimeMonitoring-OmaUri-End -->
+
+<!-- AllowRealtimeMonitoring-Description-Begin -->
+This policy turns off real-time protection in Microsoft Defender Antivirus.
+
+Real-time protection consists of always-on scanning with file and process behavior monitoring and heuristics. When real-time protection is on, Microsoft Defender Antivirus detects malware and potentially unwanted software that attempts to install itself or run on your device, and prompts you to take action on malware detections.
+
+If you enable this policy setting, real-time protection is turned off.
+
+If you either disable or do not configure this policy setting, real-time protection is turned on.
+<!-- AllowRealtimeMonitoring-Description-End -->
+
+<!-- AllowRealtimeMonitoring-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowRealtimeMonitoring-Editable-End -->
+
+<!-- AllowRealtimeMonitoring-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowRealtimeMonitoring-DFProperties-End -->
+
+<!-- AllowRealtimeMonitoring-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. Turns off the real-time monitoring service. |
+| 1 (Default) | Allowed. Turns on and runs the real-time monitoring service. |
+<!-- AllowRealtimeMonitoring-AllowedValues-End -->
+
+<!-- AllowRealtimeMonitoring-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableRealtimeMonitoring |
+| Friendly Name | Turn off real-time protection |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection |
+| Registry Value Name | DisableRealtimeMonitoring |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowRealtimeMonitoring-GpMapping-End -->
+
+<!-- AllowRealtimeMonitoring-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowRealtimeMonitoring-Examples-End -->
+
+<!-- AllowRealtimeMonitoring-End -->
+
+<!-- AllowScanningNetworkFiles-Begin -->
+## AllowScanningNetworkFiles
+
+<!-- AllowScanningNetworkFiles-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowScanningNetworkFiles-Applicability-End -->
+
+<!-- AllowScanningNetworkFiles-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowScanningNetworkFiles
+```
+<!-- AllowScanningNetworkFiles-OmaUri-End -->
+
+<!-- AllowScanningNetworkFiles-Description-Begin -->
+This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
+
+If you enable this setting, network files will be scanned.
+
+If you disable or do not configure this setting, network files will not be scanned.
+<!-- AllowScanningNetworkFiles-Description-End -->
+
+<!-- AllowScanningNetworkFiles-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowScanningNetworkFiles-Editable-End -->
+
+<!-- AllowScanningNetworkFiles-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- AllowScanningNetworkFiles-DFProperties-End -->
+
+<!-- AllowScanningNetworkFiles-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not allowed. Turns off scanning of network files. |
+| 1 | Allowed. Scans network files. |
+<!-- AllowScanningNetworkFiles-AllowedValues-End -->
+
+<!-- AllowScanningNetworkFiles-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_DisableScanningNetworkFiles |
+| Friendly Name | Scan network files |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisableScanningNetworkFiles |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowScanningNetworkFiles-GpMapping-End -->
+
+<!-- AllowScanningNetworkFiles-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowScanningNetworkFiles-Examples-End -->
+
+<!-- AllowScanningNetworkFiles-End -->
+
+<!-- AllowScriptScanning-Begin -->
+## AllowScriptScanning
+
+<!-- AllowScriptScanning-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AllowScriptScanning-Applicability-End -->
+
+<!-- AllowScriptScanning-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowScriptScanning
+```
+<!-- AllowScriptScanning-OmaUri-End -->
+
+<!-- AllowScriptScanning-Description-Begin -->
 Allows or disallows Windows Defender Script Scanning functionality.
-
-<!--/Description-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed.
--   1 (default) – Allowed.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-allowuseruiaccess"></a>**Defender/AllowUserUIAccess**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Enable headless UI mode*
--   GP name: *UX_Configuration_UILockdown*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Client Interface*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Not allowed. Prevents users from accessing UI.
--   1 (default) – Allowed. Lets users access UI.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-attacksurfacereductiononlyexclusions"></a>**Defender/AttackSurfaceReductionOnlyExclusions**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-This policy setting allows you to prevent Attack Surface reduction rules from matching on files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe".
-
-Value type is string.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules*
--   GP name: *ExploitGuard_ASR_ASROnlyExclusions*
--   GP element: *ExploitGuard_ASR_ASROnlyExclusions*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-attacksurfacereductionrules"></a>**Defender/AttackSurfaceReductionRules**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-This policy setting enables setting the state (Block/Audit/Off) for each attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule.
-
-For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction).
-
-Value type is string.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure Attack Surface Reduction rules*
--   GP name: *ExploitGuard_ASR_Rules*
--   GP element: *ExploitGuard_ASR_Rules*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Attack Surface Reduction*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-avgcpuloadfactor"></a>**Defender/AvgCPULoadFactor**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Represents the average CPU load factor for the Windows Defender scan (in percent).
-
-The default value is 50.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify the maximum percentage of CPU utilization during a scan*
--   GP name: *Scan_AvgCPULoadFactor*
--   GP element: *Scan_AvgCPULoadFactor*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-Valid values: 0–100
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-checkforsignaturesbeforerunningscan"></a>**Defender/CheckForSignaturesBeforeRunningScan**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.
-
-This setting applies to scheduled scans and the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
-
-If you enable this setting, a check for new definitions will occur before running a scan.
-
-If you disable this setting or don't configure this setting, the scan will start using the existing definitions.
-
-Supported values:
-
-- 0 (default) - Disabled
-- 1 - Enabled
-
-OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Check for the latest virus and spyware definitions before running a scheduled scan*
--   GP name: *CheckForSignaturesBeforeRunningScan*
--   GP element: *CheckForSignaturesBeforeRunningScan*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-cloudblocklevel"></a>**Defender/CloudBlockLevel**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
-
-If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
-
-For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site.
-
-> [!NOTE]
-> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Select cloud protection level*
--   GP name: *MpEngine_MpCloudBlockLevel*
--   GP element: *MpCloudBlockLevel*
--   GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
-- 0x0 - Default windows defender blocking level
-- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)      
-- 0x4 - High+ blocking level – aggressively block unknowns and apply more protection measures (may impact  client performance)
-- 0x6 - Zero tolerance blocking level – block all unknown executables
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-cloudextendedtimeout"></a>**Defender/CloudExtendedTimeout**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
-
-The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds.
-
-For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
-
-> [!NOTE]
-> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure extended cloud check*
--   GP name: *MpEngine_MpBafsExtendedTimeout*
--   GP element: *MpBafsExtendedTimeout*
--   GP path: *Windows Components/Microsoft Defender Antivirus/MpEngine*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-controlledfolderaccessallowedapplications"></a>**Defender/ControlledFolderAccessAllowedApplications**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
-
-Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it won't be necessary to add entries. Microsoft Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure allowed applications*
--   GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
--   GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-controlledfolderaccessprotectedfolders"></a>**Defender/ControlledFolderAccessProtectedFolders**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
-
-This policy setting allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can't be changed. Value type is string. Use the | as the substring separator.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure protected folders*
--   GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
--   GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-daystoretaincleanedmalware"></a>**Defender/DaysToRetainCleanedMalware**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Time period (in days) that quarantine items will be stored on the system.
-
-The default value is 0, which keeps items in quarantine, and doesn't automatically remove them.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure removal of items from Quarantine folder*
--   GP name: *Quarantine_PurgeItemsAfterDelay*
--   GP element: *Quarantine_PurgeItemsAfterDelay*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Quarantine*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-Valid values: 0–90
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-disablecatchupfullscan"></a>**Defender/DisableCatchupFullScan**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
+<!-- AllowScriptScanning-Description-End -->
+
+<!-- AllowScriptScanning-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowScriptScanning-Editable-End -->
+
+<!-- AllowScriptScanning-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowScriptScanning-DFProperties-End -->
+
+<!-- AllowScriptScanning-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+<!-- AllowScriptScanning-AllowedValues-End -->
+
+<!-- AllowScriptScanning-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowScriptScanning-Examples-End -->
+
+<!-- AllowScriptScanning-End -->
+
+<!-- AllowUserUIAccess-Begin -->
+## AllowUserUIAccess
+
+<!-- AllowUserUIAccess-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- AllowUserUIAccess-Applicability-End -->
+
+<!-- AllowUserUIAccess-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AllowUserUIAccess
+```
+<!-- AllowUserUIAccess-OmaUri-End -->
+
+<!-- AllowUserUIAccess-Description-Begin -->
+This policy setting allows you to configure whether or not to display AM UI to the users.
+If you enable this setting AM UI won't be available to users.
+<!-- AllowUserUIAccess-Description-End -->
+
+<!-- AllowUserUIAccess-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowUserUIAccess-Editable-End -->
+
+<!-- AllowUserUIAccess-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- AllowUserUIAccess-DFProperties-End -->
+
+<!-- AllowUserUIAccess-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. Prevents users from accessing UI. |
+| 1 (Default) | Allowed. Lets users access UI. |
+<!-- AllowUserUIAccess-AllowedValues-End -->
+
+<!-- AllowUserUIAccess-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | UX_Configuration_UILockdown |
+| Friendly Name | Enable headless UI mode |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Client Interface |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\UX Configuration |
+| Registry Value Name | UILockdown |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AllowUserUIAccess-GpMapping-End -->
+
+<!-- AllowUserUIAccess-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowUserUIAccess-Examples-End -->
+
+<!-- AllowUserUIAccess-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-Begin -->
+## AttackSurfaceReductionOnlyExclusions
+
+<!-- AttackSurfaceReductionOnlyExclusions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- AttackSurfaceReductionOnlyExclusions-Applicability-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+```
+<!-- AttackSurfaceReductionOnlyExclusions-OmaUri-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-Description-Begin -->
+Exclude files and paths from Attack Surface Reduction (ASR) rules.
+
+Enabled:
+Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
+Enter each rule on a new line as a name-value pair:
+- Name column: Enter a folder path or a fully qualified resource name. For example, ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder
+- Value column: Enter ""0"" for each item
+
+Disabled:
+No exclusions will be applied to the ASR rules.
+
+Not configured:
+Same as Disabled.
+
+You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.
+<!-- AttackSurfaceReductionOnlyExclusions-Description-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AttackSurfaceReductionOnlyExclusions-Editable-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- AttackSurfaceReductionOnlyExclusions-DFProperties-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ExploitGuard_ASR_ASROnlyExclusions |
+| Friendly Name | Exclude files and paths from Attack Surface Reduction Rules |
+| Element Name | Exclusions from ASR rules |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR |
+| Registry Value Name | ExploitGuard_ASR_ASROnlyExclusions |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AttackSurfaceReductionOnlyExclusions-GpMapping-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AttackSurfaceReductionOnlyExclusions-Examples-End -->
+
+<!-- AttackSurfaceReductionOnlyExclusions-End -->
+
+<!-- AttackSurfaceReductionRules-Begin -->
+## AttackSurfaceReductionRules
+
+<!-- AttackSurfaceReductionRules-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- AttackSurfaceReductionRules-Applicability-End -->
+
+<!-- AttackSurfaceReductionRules-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+```
+<!-- AttackSurfaceReductionRules-OmaUri-End -->
+
+<!-- AttackSurfaceReductionRules-Description-Begin -->
+Set the state for each Attack Surface Reduction (ASR) rule.
+
+After enabling this setting, you can set each rule to the following in the Options section:
+- Block: the rule will be applied
+- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
+- Off: the rule will not be applied
+- Not Configured: the rule is enabled with default values
+- Warn: the rule will be applied and the end-user will have the option to bypass the block
+
+Unless the ASR rule is disabled, a subsample of audit events are collected for ASR rules will the value of not configured.
+
+Enabled:
+Specify the state for each ASR rule under the Options section for this setting.
+Enter each rule on a new line as a name-value pair:
+- Name column: Enter a valid ASR rule ID
+- Value column: Enter the status ID that relates to state you want to specify for the associated rule
+
+The following status IDs are permitted under the value column:
+- 1 (Block)
+- 0 (Off)
+- 2 (Audit)
+- 5 (Not Configured)
+- 6 (Warn)
+
+
+Example:
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx            0
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx            1
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx            2
+
+Disabled:
+No ASR rules will be configured.
+
+Not configured:
+Same as Disabled.
+
+You can exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting.
+<!-- AttackSurfaceReductionRules-Description-End -->
+
+<!-- AttackSurfaceReductionRules-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AttackSurfaceReductionRules-Editable-End -->
+
+<!-- AttackSurfaceReductionRules-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AttackSurfaceReductionRules-DFProperties-End -->
+
+<!-- AttackSurfaceReductionRules-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ExploitGuard_ASR_Rules |
+| Friendly Name | Configure Attack Surface Reduction rules |
+| Element Name | Set the state for each ASR rule |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR |
+| Registry Value Name | ExploitGuard_ASR_Rules |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AttackSurfaceReductionRules-GpMapping-End -->
+
+<!-- AttackSurfaceReductionRules-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AttackSurfaceReductionRules-Examples-End -->
+
+<!-- AttackSurfaceReductionRules-End -->
+
+<!-- AvgCPULoadFactor-Begin -->
+## AvgCPULoadFactor
+
+<!-- AvgCPULoadFactor-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- AvgCPULoadFactor-Applicability-End -->
+
+<!-- AvgCPULoadFactor-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/AvgCPULoadFactor
+```
+<!-- AvgCPULoadFactor-OmaUri-End -->
+
+<!-- AvgCPULoadFactor-Description-Begin -->
+This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50.
+
+If you enable this setting, CPU utilization will not exceed the percentage specified.
+
+If you disable or do not configure this setting, CPU utilization will not exceed the default value.
+<!-- AvgCPULoadFactor-Description-End -->
+
+<!-- AvgCPULoadFactor-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AvgCPULoadFactor-Editable-End -->
+
+<!-- AvgCPULoadFactor-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-100]` |
+| Default Value  | 50 |
+<!-- AvgCPULoadFactor-DFProperties-End -->
+
+<!-- AvgCPULoadFactor-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_AvgCPULoadFactor |
+| Friendly Name | Specify the maximum percentage of CPU utilization during a scan |
+| Element Name | Specify the maximum percentage of CPU utilization during a scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | AvgCPULoadFactor |
+| ADMX File Name | WindowsDefender.admx |
+<!-- AvgCPULoadFactor-GpMapping-End -->
+
+<!-- AvgCPULoadFactor-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AvgCPULoadFactor-Examples-End -->
+
+<!-- AvgCPULoadFactor-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-Begin -->
+## CheckForSignaturesBeforeRunningScan
+
+<!-- CheckForSignaturesBeforeRunningScan-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- CheckForSignaturesBeforeRunningScan-Applicability-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan
+```
+<!-- CheckForSignaturesBeforeRunningScan-OmaUri-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-Description-Begin -->
+This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan.
+
+This setting applies to scheduled scans, but it has no effect on scans initiated manually from the user interface or to the ones started from the command line using "mpcmdrun -Scan".
+
+If you enable this setting, a check for new security intelligence will occur before running a scan.
+
+If you disable this setting or do not configure this setting, the scan will start using the existing security intelligence.
+<!-- CheckForSignaturesBeforeRunningScan-Description-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- CheckForSignaturesBeforeRunningScan-Editable-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- CheckForSignaturesBeforeRunningScan-DFProperties-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled |
+| 1 | Enabled |
+<!-- CheckForSignaturesBeforeRunningScan-AllowedValues-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | CheckForSignaturesBeforeRunningScan |
+| Friendly Name | Check for the latest virus and spyware security intelligence before running a scheduled scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | CheckForSignaturesBeforeRunningScan |
+| ADMX File Name | WindowsDefender.admx |
+<!-- CheckForSignaturesBeforeRunningScan-GpMapping-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- CheckForSignaturesBeforeRunningScan-Examples-End -->
+
+<!-- CheckForSignaturesBeforeRunningScan-End -->
+
+<!-- CloudBlockLevel-Begin -->
+## CloudBlockLevel
+
+<!-- CloudBlockLevel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- CloudBlockLevel-Applicability-End -->
+
+<!-- CloudBlockLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/CloudBlockLevel
+```
+<!-- CloudBlockLevel-OmaUri-End -->
+
+<!-- CloudBlockLevel-Description-Begin -->
+This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. NoteThis feature requires the Join Microsoft MAPS setting enabled in order to function.
+<!-- CloudBlockLevel-Description-End -->
+
+<!-- CloudBlockLevel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- CloudBlockLevel-Editable-End -->
+
+<!-- CloudBlockLevel-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- CloudBlockLevel-DFProperties-End -->
+
+<!-- CloudBlockLevel-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | NotConfigured |
+| 2 | High |
+| 4 | HighPlus |
+| 6 | ZeroTolerance |
+<!-- CloudBlockLevel-AllowedValues-End -->
+
+<!-- CloudBlockLevel-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MpCloudBlockLevel |
+| Friendly Name | Select cloud protection level |
+| Element Name | Select cloud blocking level |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > MpEngine |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine |
+| Registry Value Name | MpCloudBlockLevel |
+| ADMX File Name | WindowsDefender.admx |
+<!-- CloudBlockLevel-GpMapping-End -->
+
+<!-- CloudBlockLevel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- CloudBlockLevel-Examples-End -->
+
+<!-- CloudBlockLevel-End -->
+
+<!-- CloudExtendedTimeout-Begin -->
+## CloudExtendedTimeout
+
+<!-- CloudExtendedTimeout-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- CloudExtendedTimeout-Applicability-End -->
+
+<!-- CloudExtendedTimeout-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/CloudExtendedTimeout
+```
+<!-- CloudExtendedTimeout-OmaUri-End -->
+
+<!-- CloudExtendedTimeout-Description-Begin -->
+This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. NoteThis feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required.
+<!-- CloudExtendedTimeout-Description-End -->
+
+<!-- CloudExtendedTimeout-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- CloudExtendedTimeout-Editable-End -->
+
+<!-- CloudExtendedTimeout-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-50]` |
+| Default Value  | 0 |
+<!-- CloudExtendedTimeout-DFProperties-End -->
+
+<!-- CloudExtendedTimeout-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | MpBafsExtendedTimeout |
+| Friendly Name | Configure extended cloud check |
+| Element Name | Specify the extended cloud check time in seconds |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > MpEngine |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\MpEngine |
+| Registry Value Name | MpBafsExtendedTimeout |
+| ADMX File Name | WindowsDefender.admx |
+<!-- CloudExtendedTimeout-GpMapping-End -->
+
+<!-- CloudExtendedTimeout-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- CloudExtendedTimeout-Examples-End -->
+
+<!-- CloudExtendedTimeout-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-Begin -->
+## ControlledFolderAccessAllowedApplications
+
+<!-- ControlledFolderAccessAllowedApplications-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- ControlledFolderAccessAllowedApplications-Applicability-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessAllowedApplications
+```
+<!-- ControlledFolderAccessAllowedApplications-OmaUri-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-Description-Begin -->
+Add additional applications that should be considered "trusted" by controlled folder access.
+
+These applications are allowed to modify or delete files in controlled folder access folders.
+
+Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications.
+
+Enabled:
+Specify additional allowed applications in the Options section..
+
+Disabled:
+No additional applications will be added to the trusted list.
+
+Not configured:
+Same as Disabled.
+
+You can enable controlled folder access in the Configure controlled folder access GP setting.
+
+Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting.
+<!-- ControlledFolderAccessAllowedApplications-Description-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ControlledFolderAccessAllowedApplications-Editable-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- ControlledFolderAccessAllowedApplications-DFProperties-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ExploitGuard_ControlledFolderAccess_AllowedApplications |
+| Friendly Name | Configure allowed applications |
+| Element Name | Enter the applications that should be trusted |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
+| Registry Value Name | ExploitGuard_ControlledFolderAccess_AllowedApplications |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ControlledFolderAccessAllowedApplications-GpMapping-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ControlledFolderAccessAllowedApplications-Examples-End -->
+
+<!-- ControlledFolderAccessAllowedApplications-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-Begin -->
+## ControlledFolderAccessProtectedFolders
+
+<!-- ControlledFolderAccessProtectedFolders-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- ControlledFolderAccessProtectedFolders-Applicability-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ControlledFolderAccessProtectedFolders
+```
+<!-- ControlledFolderAccessProtectedFolders-OmaUri-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-Description-Begin -->
+Specify additional folders that should be guarded by the Controlled folder access feature.
+
+Files in these folders cannot be modified or deleted by untrusted applications.
+
+Default system folders are automatically protected. You can configure this setting to add additional folders.
+The list of default system folders that are protected is shown in Windows Security.
+
+Enabled:
+Specify additional folders that should be protected in the Options section.
+
+Disabled:
+No additional folders will be protected.
+
+Not configured:
+Same as Disabled.
+
+You can enable controlled folder access in the Configure controlled folder access GP setting.
+
+Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
+<!-- ControlledFolderAccessProtectedFolders-Description-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ControlledFolderAccessProtectedFolders-Editable-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- ControlledFolderAccessProtectedFolders-DFProperties-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders |
+| Friendly Name | Configure protected folders |
+| Element Name | Enter the folders that should be guarded |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
+| Registry Value Name | ExploitGuard_ControlledFolderAccess_ProtectedFolders |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ControlledFolderAccessProtectedFolders-GpMapping-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ControlledFolderAccessProtectedFolders-Examples-End -->
+
+<!-- ControlledFolderAccessProtectedFolders-End -->
+
+<!-- DaysToRetainCleanedMalware-Begin -->
+## DaysToRetainCleanedMalware
+
+<!-- DaysToRetainCleanedMalware-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- DaysToRetainCleanedMalware-Applicability-End -->
+
+<!-- DaysToRetainCleanedMalware-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/DaysToRetainCleanedMalware
+```
+<!-- DaysToRetainCleanedMalware-OmaUri-End -->
+
+<!-- DaysToRetainCleanedMalware-Description-Begin -->
+This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
+
+If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
+
+If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
+<!-- DaysToRetainCleanedMalware-Description-End -->
+
+<!-- DaysToRetainCleanedMalware-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DaysToRetainCleanedMalware-Editable-End -->
+
+<!-- DaysToRetainCleanedMalware-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-90]` |
+| Default Value  | 0 |
+<!-- DaysToRetainCleanedMalware-DFProperties-End -->
+
+<!-- DaysToRetainCleanedMalware-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Quarantine_PurgeItemsAfterDelay |
+| Friendly Name | Configure removal of items from Quarantine folder |
+| Element Name | Configure removal of items from Quarantine folder |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Quarantine |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Quarantine |
+| Registry Value Name | PurgeItemsAfterDelay |
+| ADMX File Name | WindowsDefender.admx |
+<!-- DaysToRetainCleanedMalware-GpMapping-End -->
+
+<!-- DaysToRetainCleanedMalware-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DaysToRetainCleanedMalware-Examples-End -->
+
+<!-- DaysToRetainCleanedMalware-End -->
+
+<!-- DisableCatchupFullScan-Begin -->
+## DisableCatchupFullScan
+
+<!-- DisableCatchupFullScan-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- DisableCatchupFullScan-Applicability-End -->
+
+<!-- DisableCatchupFullScan-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan
+```
+<!-- DisableCatchupFullScan-OmaUri-End -->
+
+<!-- DisableCatchupFullScan-Description-Begin -->
 This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed.  Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
 
-If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer.  If there's no scheduled scan configured, there will be no catch-up scan run.
+If you enable this setting, catch-up scans for scheduled full scans will be turned on.  If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer.  If there is no scheduled scan configured, there will be no catch-up scan run.
 
-If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned off.
+If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
+<!-- DisableCatchupFullScan-Description-End -->
 
-Supported values:
+<!-- DisableCatchupFullScan-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DisableCatchupFullScan-Editable-End -->
 
-- 1 - Disabled (default)
-- 0 - Enabled
+<!-- DisableCatchupFullScan-DFProperties-Begin -->
+**Description framework properties**:
 
-OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- DisableCatchupFullScan-DFProperties-End -->
 
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Turn on catch-up full scan*
--   GP name: *Scan_DisableCatchupFullScan*
--   GP element: *Scan_DisableCatchupFullScan*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
+<!-- DisableCatchupFullScan-AllowedValues-Begin -->
+**Allowed values**:
 
-<!--/ADMXMapped-->
-<!--SupportedValues-->
+| Value | Description |
+|:--|:--|
+| 0 | Enabled |
+| 1 (Default) | Disabled |
+<!-- DisableCatchupFullScan-AllowedValues-End -->
 
-<!--/SupportedValues-->
-<!--Example-->
+<!-- DisableCatchupFullScan-GpMapping-Begin -->
+**Group policy mapping**:
 
-<!--/Example-->
-<!--Validation-->
+| Name | Value |
+|:--|:--|
+| Name | Scan_DisableCatchupFullScan |
+| Friendly Name | Turn on catch-up full scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisableCatchupFullScan |
+| ADMX File Name | WindowsDefender.admx |
+<!-- DisableCatchupFullScan-GpMapping-End -->
 
-<!--/Validation-->
-<!--/Policy-->
+<!-- DisableCatchupFullScan-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DisableCatchupFullScan-Examples-End -->
 
-<hr/>
+<!-- DisableCatchupFullScan-End -->
 
-<!--Policy-->
-<a href="" id="defender-disablecatchupquickscan"></a>**Defender/DisableCatchupQuickScan**
+<!-- DisableCatchupQuickScan-Begin -->
+## DisableCatchupQuickScan
 
-<!--SupportedSKUs-->
+<!-- DisableCatchupQuickScan-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- DisableCatchupQuickScan-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- DisableCatchupQuickScan-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan
+```
+<!-- DisableCatchupQuickScan-OmaUri-End -->
+
+<!-- DisableCatchupQuickScan-Description-Begin -->
+This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed.  Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
+
+If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer.  If there is no scheduled scan configured, there will be no catch-up scan run.
+
+If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
+<!-- DisableCatchupQuickScan-Description-End -->
+
+<!-- DisableCatchupQuickScan-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DisableCatchupQuickScan-Editable-End -->
+
+<!-- DisableCatchupQuickScan-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- DisableCatchupQuickScan-DFProperties-End -->
+
+<!-- DisableCatchupQuickScan-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Enabled |
+| 1 (Default) | Disabled |
+<!-- DisableCatchupQuickScan-AllowedValues-End -->
+
+<!-- DisableCatchupQuickScan-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_DisableCatchupQuickScan |
+| Friendly Name | Turn on catch-up quick scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | DisableCatchupQuickScan |
+| ADMX File Name | WindowsDefender.admx |
+<!-- DisableCatchupQuickScan-GpMapping-End -->
+
+<!-- DisableCatchupQuickScan-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DisableCatchupQuickScan-Examples-End -->
+
+<!-- DisableCatchupQuickScan-End -->
+
+<!-- EnableControlledFolderAccess-Begin -->
+## EnableControlledFolderAccess
+
+<!-- EnableControlledFolderAccess-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- EnableControlledFolderAccess-Applicability-End -->
+
+<!-- EnableControlledFolderAccess-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/EnableControlledFolderAccess
+```
+<!-- EnableControlledFolderAccess-OmaUri-End -->
+
+<!-- EnableControlledFolderAccess-Description-Begin -->
+Enable or disable controlled folder access for untrusted applications. You can choose to block, audit, or allow attempts by untrusted apps to:
+- Modify or delete files in protected folders, such as the Documents folder
+- Write to disk sectors
+
+You can also choose to only block or audit writes to disk sectors while still allowing the modification or deletion of files in protected folders.
+
+Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
+Default system folders are automatically protected, but you can add folders in the Configure protected folders GP setting.
+
+Block:
+The following will be blocked:
+- Attempts by untrusted apps to modify or delete files in protected folders
+- Attempts by untrusted apps to write to disk sectors
+The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
 
 
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-
-If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
-
-If you disable or don't configure this setting, catch-up scans for scheduled quick scans will be turned off.
-
-Supported values:
-
-- 1 - Disabled (default)
-- 0 - Enabled
-
-OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Turn on catch-up quick scan*
--   GP name: *Scan_DisableCatchupQuickScan*
--   GP element: *Scan_DisableCatchupQuickScan*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-enablecontrolledfolderaccess"></a>**Defender/EnableControlledFolderAccess**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+Disabled:
+The following will not be blocked and will be allowed to run:
+- Attempts by untrusted apps to modify or delete files in protected folders
+- Attempts by untrusted apps to write to disk sectors
+These attempts will not be recorded in the Windows event log.
 
 
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders  and changed to EnableControlledFolderAccess.
-
-This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure Controlled folder access*
--   GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
--   GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Controlled Folder Access*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
-- 0 (default) - Disabled
-- 1 - Enabled
-- 2 - Audit Mode
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-enablelowcpupriority"></a>**Defender/EnableLowCPUPriority**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+Audit Mode:
+The following will not be blocked and will be allowed to run:
+- Attempts by untrusted apps to modify or delete files in protected folders
+- Attempts by untrusted apps to write to disk sectors
+The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124.
 
 
-<!--/SupportedSKUs-->
-<hr/>
+Block disk modification only:
+The following will be blocked:
+- Attempts by untrusted apps to write to disk sectors
+The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123.
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+The following will not be blocked and will be allowed to run:
+- Attempts by untrusted apps to modify or delete files in protected folders
+These attempts will not be recorded in the Windows event log.
 
-> [!div class = "checklist"]
-> * Device
 
-<hr/>
+Audit disk modification only:
+The following will not be blocked and will be allowed to run:
+- Attempts by untrusted apps to write to disk sectors
+- Attempts by untrusted apps to modify or delete files in protected folders
+Only attempts to write to protected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124).
+Attempts to modify or delete files in protected folders will not be recorded.
 
-<!--/Scope-->
-<!--Description-->
+Not configured:
+Same as Disabled.
+<!-- EnableControlledFolderAccess-Description-End -->
+
+<!-- EnableControlledFolderAccess-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableControlledFolderAccess-Editable-End -->
+
+<!-- EnableControlledFolderAccess-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- EnableControlledFolderAccess-DFProperties-End -->
+
+<!-- EnableControlledFolderAccess-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled |
+| 1 | Enabled |
+| 2 | Audit Mode |
+<!-- EnableControlledFolderAccess-AllowedValues-End -->
+
+<!-- EnableControlledFolderAccess-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess |
+| Friendly Name | Configure Controlled folder access |
+| Element Name | Configure the guard my folders feature |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled Folder Access |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access |
+| Registry Value Name | EnableControlledFolderAccess |
+| ADMX File Name | WindowsDefender.admx |
+<!-- EnableControlledFolderAccess-GpMapping-End -->
+
+<!-- EnableControlledFolderAccess-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableControlledFolderAccess-Examples-End -->
+
+<!-- EnableControlledFolderAccess-End -->
+
+<!-- EnableLowCPUPriority-Begin -->
+## EnableLowCPUPriority
+
+<!-- EnableLowCPUPriority-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- EnableLowCPUPriority-Applicability-End -->
+
+<!-- EnableLowCPUPriority-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/EnableLowCPUPriority
+```
+<!-- EnableLowCPUPriority-OmaUri-End -->
+
+<!-- EnableLowCPUPriority-Description-Begin -->
 This policy setting allows you to enable or disable low CPU priority for scheduled scans.
 
 If you enable this setting, low CPU priority will be used during scheduled scans.
 
-If you disable or don't configure this setting, no changes will be made to CPU priority for scheduled scans.
-
-Supported values:
-
-- 0 - Disabled (default)
-- 1 - Enabled
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure low CPU priority for scheduled scans*
--   GP name: *Scan_LowCpuPriority*
--   GP element: *Scan_LowCpuPriority*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-enablenetworkprotection"></a>**Defender/EnableNetworkProtection**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-This policy allows you to turn on network protection (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This protection includes preventing third-party browsers from connecting to dangerous sites. Value type is integer.
-
-If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit.
-If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You'll be able to see this activity in Windows Defender Security Center.
-If you enable this policy with the ""Audit"" option, users/apps won't be blocked from connecting to dangerous domains. However, you'll still see this activity in Windows Defender Security Center.
-If you disable this policy, users/apps won't be blocked from connecting to dangerous domains. You'll not see any network activity in Windows Defender Security Center.
-If you don't configure this policy, network blocking will be disabled by default.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Prevent users and apps from accessing dangerous websites*
--   GP name: *ExploitGuard_EnableNetworkProtection*
--   GP element: *ExploitGuard_EnableNetworkProtection*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender Exploit Guard/Network Protection*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
-- 0 (default) - Disabled
-- 1 - Enabled (block mode)
-- 2 - Enabled (audit mode)
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-excludedextensions"></a>**Defender/ExcludedExtensions**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Path Exclusions*
--   GP name: *Exclusions_Paths*
--   GP element: *Exclusions_PathsList*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-excludedpaths"></a>**Defender/ExcludedPaths**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1".
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Extension Exclusions*
--   GP name: *Exclusions_Extensions*
--   GP element: *Exclusions_ExtensionsList*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-excludedprocesses"></a>**Defender/ExcludedProcesses**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows an administrator to specify a list of files opened by processes to ignore during a scan.
-
-> [!IMPORTANT]
-> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path.
-
-Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe".
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Process Exclusions*
--   GP name: *Exclusions_Processes*
--   GP element: *Exclusions_ProcessesList*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Exclusions*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-puaprotection"></a>**Defender/PUAProtection**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-
-Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer.
-
-> [!NOTE]
-> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure detection for potentially unwanted applications*
--   GP name: *Root_PUAProtection*
--   GP element: *Root_PUAProtection*
--   GP path: *Windows Components/Microsoft Defender Antivirus*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 (default) – PUA Protection off. Windows Defender won't protect against potentially unwanted applications.
--   1 – PUA Protection on. Detected items are blocked. They'll show in history along with other threats.
--   2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-realtimescandirection"></a>**Defender/RealTimeScanDirection**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Controls which sets of files should be monitored.
-
-> [!NOTE]
-> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Configure monitoring for incoming and outgoing file and program activity*
--   GP name: *RealtimeProtection_RealtimeScanDirection*
--   GP element: *RealtimeProtection_RealtimeScanDirection*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 (default) – Monitor all files (bi-directional).
--   1 – Monitor incoming files.
--   2 – Monitor outgoing files.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-scanparameter"></a>**Defender/ScanParameter**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Selects whether to perform a quick scan or full scan.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify the scan type to use for a scheduled scan*
--   GP name: *Scan_ScanParameters*
--   GP element: *Scan_ScanParameters*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   1 (default) – Quick scan
--   2 – Full scan
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-schedulequickscantime"></a>**Defender/ScheduleQuickScanTime**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Selects the time of day that the Windows Defender quick scan should run. The Windows Defender quick scan runs daily if a time is specified.
-
-
-
-For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
-The default value is 120
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify the time for a daily quick scan*
--   GP name: *Scan_ScheduleQuickScantime*
--   GP element: *Scan_ScheduleQuickScantime*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-Valid values: 0–1380
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-schedulescanday"></a>**Defender/ScheduleScanDay**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Selects the day that the Windows Defender scan should run.
-
-> [!NOTE]
-> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify the day of the week to run a scheduled scan*
--   GP name: *Scan_ScheduleDay*
--   GP element: *Scan_ScheduleDay*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
-- 0 (default) – Every day
-- 1 – Sunday
-- 2 – Monday
-- 3 – Tuesday
-- 4 – Wednesday
-- 5 – Thursday
-- 6 – Friday
-- 7 – Saturday
-- 8 – No scheduled scan
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-schedulescantime"></a>**Defender/ScheduleScanTime**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Selects the time of day that the Windows Defender scan should run.
-
-> [!NOTE]
-> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
-
-For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
-
-The default value is 120.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify the time of day to run a scheduled scan*
--   GP name: *Scan_ScheduleTime*
--   GP element: *Scan_ScheduleTime*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-Valid values: 0–1380.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-securityintelligencelocation"></a>**Defender/SecurityIntelligenceLocation**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
+If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
+<!-- EnableLowCPUPriority-Description-End -->
+
+<!-- EnableLowCPUPriority-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableLowCPUPriority-Editable-End -->
+
+<!-- EnableLowCPUPriority-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- EnableLowCPUPriority-DFProperties-End -->
+
+<!-- EnableLowCPUPriority-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled |
+| 1 | Enabled |
+<!-- EnableLowCPUPriority-AllowedValues-End -->
+
+<!-- EnableLowCPUPriority-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_LowCpuPriority |
+| Friendly Name | Configure low CPU priority for scheduled scans |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | LowCpuPriority |
+| ADMX File Name | WindowsDefender.admx |
+<!-- EnableLowCPUPriority-GpMapping-End -->
+
+<!-- EnableLowCPUPriority-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableLowCPUPriority-Examples-End -->
+
+<!-- EnableLowCPUPriority-End -->
+
+<!-- EnableNetworkProtection-Begin -->
+## EnableNetworkProtection
+
+<!-- EnableNetworkProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
+<!-- EnableNetworkProtection-Applicability-End -->
+
+<!-- EnableNetworkProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection
+```
+<!-- EnableNetworkProtection-OmaUri-End -->
+
+<!-- EnableNetworkProtection-Description-Begin -->
+Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
+
+Enabled:
+Specify the mode in the Options section:
+-Block: Users and applications will not be able to access dangerous domains
+-Audit Mode: Users and applications can connect to dangerous domains, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs.
+
+Disabled:
+Users and applications will not be blocked from connecting to dangerous domains.
+
+Not configured:
+Same as Disabled.
+<!-- EnableNetworkProtection-Description-End -->
+
+<!-- EnableNetworkProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableNetworkProtection-Editable-End -->
+
+<!-- EnableNetworkProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- EnableNetworkProtection-DFProperties-End -->
+
+<!-- EnableNetworkProtection-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled |
+| 1 | Enabled (block mode) |
+| 2 | Enabled (audit mode) |
+<!-- EnableNetworkProtection-AllowedValues-End -->
+
+<!-- EnableNetworkProtection-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | ExploitGuard_EnableNetworkProtection |
+| Friendly Name | Prevent users and apps from accessing dangerous websites |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection |
+| Registry Value Name | EnableNetworkProtection |
+| ADMX File Name | WindowsDefender.admx |
+<!-- EnableNetworkProtection-GpMapping-End -->
+
+<!-- EnableNetworkProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableNetworkProtection-Examples-End -->
+
+<!-- EnableNetworkProtection-End -->
+
+<!-- ExcludedExtensions-Begin -->
+## ExcludedExtensions
+
+<!-- ExcludedExtensions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- ExcludedExtensions-Applicability-End -->
+
+<!-- ExcludedExtensions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedExtensions
+```
+<!-- ExcludedExtensions-OmaUri-End -->
+
+<!-- ExcludedExtensions-Description-Begin -->
+Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj.
+<!-- ExcludedExtensions-Description-End -->
+
+<!-- ExcludedExtensions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ExcludedExtensions-Editable-End -->
+
+<!-- ExcludedExtensions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- ExcludedExtensions-DFProperties-End -->
+
+<!-- ExcludedExtensions-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Exclusions_Extensions |
+| Friendly Name | Extension Exclusions |
+| Element Name | Extension Exclusions |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
+| Registry Value Name | Exclusions_Extensions |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ExcludedExtensions-GpMapping-End -->
+
+<!-- ExcludedExtensions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ExcludedExtensions-Examples-End -->
+
+<!-- ExcludedExtensions-End -->
+
+<!-- ExcludedPaths-Begin -->
+## ExcludedPaths
+
+<!-- ExcludedPaths-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- ExcludedPaths-Applicability-End -->
+
+<!-- ExcludedPaths-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedPaths
+```
+<!-- ExcludedPaths-OmaUri-End -->
+
+<!-- ExcludedPaths-Description-Begin -->
+Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1.
+<!-- ExcludedPaths-Description-End -->
+
+<!-- ExcludedPaths-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ExcludedPaths-Editable-End -->
+
+<!-- ExcludedPaths-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- ExcludedPaths-DFProperties-End -->
+
+<!-- ExcludedPaths-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Exclusions_Paths |
+| Friendly Name | Path Exclusions |
+| Element Name | Path Exclusions |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
+| Registry Value Name | Exclusions_Paths |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ExcludedPaths-GpMapping-End -->
+
+<!-- ExcludedPaths-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ExcludedPaths-Examples-End -->
+
+<!-- ExcludedPaths-End -->
+
+<!-- ExcludedProcesses-Begin -->
+## ExcludedProcesses
+
+<!-- ExcludedProcesses-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- ExcludedProcesses-Applicability-End -->
+
+<!-- ExcludedProcesses-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ExcludedProcesses
+```
+<!-- ExcludedProcesses-OmaUri-End -->
+
+<!-- ExcludedProcesses-Description-Begin -->
+Allows an administrator to specify a list of files opened by processes to ignore during a scan. ImportantThe process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe.
+<!-- ExcludedProcesses-Description-End -->
+
+<!-- ExcludedProcesses-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ExcludedProcesses-Editable-End -->
+
+<!-- ExcludedProcesses-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- ExcludedProcesses-DFProperties-End -->
+
+<!-- ExcludedProcesses-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Exclusions_Processes |
+| Friendly Name | Process Exclusions |
+| Element Name | Process Exclusions |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Exclusions |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Exclusions |
+| Registry Value Name | Exclusions_Processes |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ExcludedProcesses-GpMapping-End -->
+
+<!-- ExcludedProcesses-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ExcludedProcesses-Examples-End -->
+
+<!-- ExcludedProcesses-End -->
+
+<!-- PUAProtection-Begin -->
+## PUAProtection
+
+<!-- PUAProtection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- PUAProtection-Applicability-End -->
+
+<!-- PUAProtection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/PUAProtection
+```
+<!-- PUAProtection-OmaUri-End -->
+
+<!-- PUAProtection-Description-Begin -->
+Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.
+
+Enabled:
+Specify the mode in the Options section:
+-Block: Potentially unwanted software will be blocked.
+-Audit Mode: Potentially unwanted software will not be blocked, however if this feature would have blocked access if it were set to Block, then a record of the event will be in the event logs.
+
+Disabled:
+Potentially unwanted software will not be blocked.
+
+Not configured:
+Same as Disabled.
+<!-- PUAProtection-Description-End -->
+
+<!-- PUAProtection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- PUAProtection-Editable-End -->
+
+<!-- PUAProtection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- PUAProtection-DFProperties-End -->
+
+<!-- PUAProtection-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | PUA Protection off. Windows Defender will not protect against potentially unwanted applications. |
+| 1 | PUA Protection on. Detected items are blocked. They will show in history along with other threats. |
+| 2 | Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. |
+<!-- PUAProtection-AllowedValues-End -->
+
+<!-- PUAProtection-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Root_PUAProtection |
+| Friendly Name | Configure detection for potentially unwanted applications |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender |
+| Registry Value Name | PUAProtection |
+| ADMX File Name | WindowsDefender.admx |
+<!-- PUAProtection-GpMapping-End -->
+
+<!-- PUAProtection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- PUAProtection-Examples-End -->
+
+<!-- PUAProtection-End -->
+
+<!-- RealTimeScanDirection-Begin -->
+## RealTimeScanDirection
+
+<!-- RealTimeScanDirection-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- RealTimeScanDirection-Applicability-End -->
+
+<!-- RealTimeScanDirection-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/RealTimeScanDirection
+```
+<!-- RealTimeScanDirection-OmaUri-End -->
+
+<!-- RealTimeScanDirection-Description-Begin -->
+This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.
+
+Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
+
+The options for this setting are mutually exclusive:
+0 = Scan incoming and outgoing files (default)
+1 = Scan incoming files only
+2 = Scan outgoing files only
+
+Any other value, or if the value does not exist, resolves to the default (0).
+
+If you enable this setting, the specified type of monitoring will be enabled.
+
+If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.
+<!-- RealTimeScanDirection-Description-End -->
+
+<!-- RealTimeScanDirection-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- RealTimeScanDirection-Editable-End -->
+
+<!-- RealTimeScanDirection-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- RealTimeScanDirection-DFProperties-End -->
+
+<!-- RealTimeScanDirection-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Monitor all files (bi-directional). |
+| 1 | Monitor incoming files. |
+| 2 | Monitor outgoing files. |
+<!-- RealTimeScanDirection-AllowedValues-End -->
+
+<!-- RealTimeScanDirection-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RealtimeProtection_RealtimeScanDirection |
+| Friendly Name | Configure monitoring for incoming and outgoing file and program activity |
+| Element Name | Configure monitoring for incoming and outgoing file and program activity |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Real-time Protection |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Real-Time Protection |
+| Registry Value Name | RealtimeScanDirection |
+| ADMX File Name | WindowsDefender.admx |
+<!-- RealTimeScanDirection-GpMapping-End -->
+
+<!-- RealTimeScanDirection-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- RealTimeScanDirection-Examples-End -->
+
+<!-- RealTimeScanDirection-End -->
+
+<!-- ScanParameter-Begin -->
+## ScanParameter
+
+<!-- ScanParameter-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- ScanParameter-Applicability-End -->
+
+<!-- ScanParameter-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ScanParameter
+```
+<!-- ScanParameter-OmaUri-End -->
+
+<!-- ScanParameter-Description-Begin -->
+This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are:
+1 = Quick Scan (default)
+2 = Full Scan
+
+If you enable this setting, the scan type will be set to the specified value.
+
+If you disable or do not configure this setting, the default scan type will used.
+<!-- ScanParameter-Description-End -->
+
+<!-- ScanParameter-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ScanParameter-Editable-End -->
+
+<!-- ScanParameter-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- ScanParameter-DFProperties-End -->
+
+<!-- ScanParameter-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 (Default) | Quick scan |
+| 2 | Full scan |
+<!-- ScanParameter-AllowedValues-End -->
+
+<!-- ScanParameter-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_ScanParameters |
+| Friendly Name | Specify the scan type to use for a scheduled scan |
+| Element Name | Specify the scan type to use for a scheduled scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | ScanParameters |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ScanParameter-GpMapping-End -->
+
+<!-- ScanParameter-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ScanParameter-Examples-End -->
+
+<!-- ScanParameter-End -->
+
+<!-- ScheduleQuickScanTime-Begin -->
+## ScheduleQuickScanTime
+
+<!-- ScheduleQuickScanTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- ScheduleQuickScanTime-Applicability-End -->
+
+<!-- ScheduleQuickScanTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleQuickScanTime
+```
+<!-- ScheduleQuickScanTime-OmaUri-End -->
+
+<!-- ScheduleQuickScanTime-Description-Begin -->
+This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00).  For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing.
+
+If you enable this setting, a daily quick scan will run at the time of day specified.
+
+If you disable or do not configure this setting, daily quick scan controlled by this config will not be run.
+<!-- ScheduleQuickScanTime-Description-End -->
+
+<!-- ScheduleQuickScanTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ScheduleQuickScanTime-Editable-End -->
+
+<!-- ScheduleQuickScanTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1380]` |
+| Default Value  | 120 |
+<!-- ScheduleQuickScanTime-DFProperties-End -->
+
+<!-- ScheduleQuickScanTime-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_ScheduleQuickScantime |
+| Friendly Name | Specify the time for a daily quick scan |
+| Element Name | Specify the time for a daily quick scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | ScheduleQuickScanTime |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ScheduleQuickScanTime-GpMapping-End -->
+
+<!-- ScheduleQuickScanTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ScheduleQuickScanTime-Examples-End -->
+
+<!-- ScheduleQuickScanTime-End -->
+
+<!-- ScheduleScanDay-Begin -->
+## ScheduleScanDay
+
+<!-- ScheduleScanDay-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- ScheduleScanDay-Applicability-End -->
+
+<!-- ScheduleScanDay-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleScanDay
+```
+<!-- ScheduleScanDay-OmaUri-End -->
+
+<!-- ScheduleScanDay-Description-Begin -->
+This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
+
+This setting can be configured with the following ordinal number values:
+(0x0) Every Day
+(0x1) Sunday
+(0x2) Monday
+(0x3) Tuesday
+(0x4) Wednesday
+(0x5) Thursday
+(0x6) Friday
+(0x7) Saturday
+(0x8) Never (default)
+
+If you enable this setting, a scheduled scan will run at the frequency specified.
+
+If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
+<!-- ScheduleScanDay-Description-End -->
+
+<!-- ScheduleScanDay-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ScheduleScanDay-Editable-End -->
+
+<!-- ScheduleScanDay-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- ScheduleScanDay-DFProperties-End -->
+
+<!-- ScheduleScanDay-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Every day |
+| 1 | Sunday |
+| 2 | Monday |
+| 3 | Tuesday |
+| 4 | Wednesday |
+| 5 | Thursday |
+| 6 | Friday |
+| 7 | Saturday |
+| 8 | No scheduled scan |
+<!-- ScheduleScanDay-AllowedValues-End -->
+
+<!-- ScheduleScanDay-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_ScheduleDay |
+| Friendly Name | Specify the day of the week to run a scheduled scan |
+| Element Name | Specify the day of the week to run a scheduled scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | ScheduleDay |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ScheduleScanDay-GpMapping-End -->
+
+<!-- ScheduleScanDay-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ScheduleScanDay-Examples-End -->
+
+<!-- ScheduleScanDay-End -->
+
+<!-- ScheduleScanTime-Begin -->
+## ScheduleScanTime
+
+<!-- ScheduleScanTime-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- ScheduleScanTime-Applicability-End -->
+
+<!-- ScheduleScanTime-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ScheduleScanTime
+```
+<!-- ScheduleScanTime-OmaUri-End -->
+
+<!-- ScheduleScanTime-Description-Begin -->
+This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00).  For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to  a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+If you enable this setting, a scheduled scan will run at the time of day specified.
+
+If you disable or do not configure this setting, a scheduled scan will run at a default time.
+<!-- ScheduleScanTime-Description-End -->
+
+<!-- ScheduleScanTime-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ScheduleScanTime-Editable-End -->
+
+<!-- ScheduleScanTime-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1380]` |
+| Default Value  | 120 |
+<!-- ScheduleScanTime-DFProperties-End -->
+
+<!-- ScheduleScanTime-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Scan_ScheduleTime |
+| Friendly Name | Specify the time of day to run a scheduled scan |
+| Element Name | Specify the time of day to run a scheduled scan |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Scan |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Scan |
+| Registry Value Name | ScheduleTime |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ScheduleScanTime-GpMapping-End -->
+
+<!-- ScheduleScanTime-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ScheduleScanTime-Examples-End -->
+
+<!-- ScheduleScanTime-End -->
+
+<!-- SecurityIntelligenceLocation-Begin -->
+## SecurityIntelligenceLocation
+
+<!-- SecurityIntelligenceLocation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- SecurityIntelligenceLocation-Applicability-End -->
+
+<!-- SecurityIntelligenceLocation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/SecurityIntelligenceLocation
+```
+<!-- SecurityIntelligenceLocation-OmaUri-End -->
+
+<!-- SecurityIntelligenceLocation-Description-Begin -->
 This policy setting allows you to define the security intelligence location for VDI-configured computers.
 
-If you disable or don't configure this setting, security intelligence will be referred from the default local source.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments*
--   GP name: *SecurityIntelligenceLocation*
--   GP element: *SecurityIntelligenceLocation*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-
-- Empty string - no policy is set
-- Non-empty string - the policy is set and security intelligence is gathered from the location.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-signatureupdatefallbackorder"></a>**Defender/SignatureUpdateFallbackOrder**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order.
-
-Possible values are:
-
-- InternalDefinitionUpdateServer
-- MicrosoftUpdateServer
-- MMPC
-- FileShares
-
-For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC
-
-If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
-
-If you disable or don't configure this setting, definition update sources will be contacted in a default order.
-
-OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Define the order of sources for downloading definition updates*
--   GP name: *SignatureUpdate_FallbackOrder*
--   GP element: *SignatureUpdate_FallbackOrder*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-signatureupdatefilesharessources"></a>**Defender/SignatureUpdateFileSharesSources**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources.
-
-For example: \\unc1\Signatures | \\unc2\Signatures
-
-The list is empty by default.
-
-If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
-
-If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted.
-
-OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Define file shares for downloading definition updates*
--   GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
--   GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-
-<!--/SupportedValues-->
-<!--Example-->
-
-<!--/Example-->
-<!--Validation-->
-
-<!--/Validation-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-signatureupdateinterval"></a>**Defender/SignatureUpdateInterval**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval.
-
-A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day.
-
-The default value is 8.
-
-OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify the interval to check for definition updates*
--   GP name: *SignatureUpdate_SignatureUpdateInterval*
--   GP element: *SignatureUpdate_SignatureUpdateInterval*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Signature Updates*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-Valid values: 0–24.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-submitsamplesconsent"></a>**Defender/SubmitSamplesConsent**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Send file samples when further analysis is required*
--   GP name: *SubmitSamplesConsent*
--   GP element: *SubmitSamplesConsent*
--   GP path: *Windows Components/Microsoft Defender Antivirus/MAPS*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 – Always prompt.
--   1 (default) – Send safe samples automatically.
--   2 – Never send.
--   3 – Send all samples automatically.
-
-<!--/SupportedValues-->
-<!--/Policy-->
-
-<hr/>
-
-<!--Policy-->
-<a href="" id="defender-threatseveritydefaultaction"></a>**Defender/ThreatSeverityDefaultAction**
-
-<!--SupportedSKUs-->
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-> [!NOTE]
-> This policy is only enforced in Windows 10 for desktop.
-
-Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
-
-This value is a list of threat severity level IDs and corresponding actions, separated by a <strong>|</strong> using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3".
-
-The following list shows the supported values for threat severity levels:
-
--   1 – Low severity threats
--   2 – Moderate severity threats
--   4 – High severity threats
--   5 – Severe threats
-
-The following list shows the supported values for possible actions:
-
--   1 – Clean. Service tries to recover files and try to disinfect.
--   2 – Quarantine. Moves files to quarantine.
--   3 – Remove. Removes files from system.
--   6 – Allow. Allows file/does none of the above actions.
--   8 – User defined. Requires user to make a decision on which action to take.
--   10 – Block. Blocks file execution.
-
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Specify threat alert levels at which default action should not be taken when detected*
--   GP name: *Threats_ThreatSeverityDefaultAction*
--   GP element: *Threats_ThreatSeverityDefaultActionList*
--   GP path: *Windows Components/Microsoft Defender Antivirus/Threats*
--   GP ADMX file name: *WindowsDefender.admx*
-
-<!--/ADMXMapped-->
-<!--/Policy-->
-<hr/>
-
-
-
-<!--/Policies-->
-
-## Related topics
+If you disable or do not configure this setting, security intelligence will be referred from the default local source.
+<!-- SecurityIntelligenceLocation-Description-End -->
+
+<!-- SecurityIntelligenceLocation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SecurityIntelligenceLocation-Editable-End -->
+
+<!-- SecurityIntelligenceLocation-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- SecurityIntelligenceLocation-DFProperties-End -->
+
+<!-- SecurityIntelligenceLocation-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SignatureUpdate_SharedSignaturesLocation |
+| Friendly Name | Define security intelligence location for VDI clients. |
+| Element Name | Define file share for downloading security intelligence updates in virtual environments |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
+| ADMX File Name | WindowsDefender.admx |
+<!-- SecurityIntelligenceLocation-GpMapping-End -->
+
+<!-- SecurityIntelligenceLocation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SecurityIntelligenceLocation-Examples-End -->
+
+<!-- SecurityIntelligenceLocation-End -->
+
+<!-- SignatureUpdateFallbackOrder-Begin -->
+## SignatureUpdateFallbackOrder
+
+<!-- SignatureUpdateFallbackOrder-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- SignatureUpdateFallbackOrder-Applicability-End -->
+
+<!-- SignatureUpdateFallbackOrder-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder
+```
+<!-- SignatureUpdateFallbackOrder-OmaUri-End -->
+
+<!-- SignatureUpdateFallbackOrder-Description-Begin -->
+This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”
+
+For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
+
+If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+
+If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order.
+<!-- SignatureUpdateFallbackOrder-Description-End -->
+
+<!-- SignatureUpdateFallbackOrder-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SignatureUpdateFallbackOrder-Editable-End -->
+
+<!-- SignatureUpdateFallbackOrder-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- SignatureUpdateFallbackOrder-DFProperties-End -->
+
+<!-- SignatureUpdateFallbackOrder-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SignatureUpdate_FallbackOrder |
+| Friendly Name | Define the order of sources for downloading security intelligence updates |
+| Element Name | Define the order of sources for downloading security intelligence updates |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
+| ADMX File Name | WindowsDefender.admx |
+<!-- SignatureUpdateFallbackOrder-GpMapping-End -->
+
+<!-- SignatureUpdateFallbackOrder-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SignatureUpdateFallbackOrder-Examples-End -->
+
+<!-- SignatureUpdateFallbackOrder-End -->
+
+<!-- SignatureUpdateFileSharesSources-Begin -->
+## SignatureUpdateFileSharesSources
+
+<!-- SignatureUpdateFileSharesSources-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
+<!-- SignatureUpdateFileSharesSources-Applicability-End -->
+
+<!-- SignatureUpdateFileSharesSources-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSources
+```
+<!-- SignatureUpdateFileSharesSources-OmaUri-End -->
+
+<!-- SignatureUpdateFileSharesSources-Description-Begin -->
+This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
+
+If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+
+If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
+<!-- SignatureUpdateFileSharesSources-Description-End -->
+
+<!-- SignatureUpdateFileSharesSources-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SignatureUpdateFileSharesSources-Editable-End -->
+
+<!-- SignatureUpdateFileSharesSources-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `|`) |
+<!-- SignatureUpdateFileSharesSources-DFProperties-End -->
+
+<!-- SignatureUpdateFileSharesSources-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SignatureUpdate_DefinitionUpdateFileSharesSources |
+| Friendly Name | Define file shares for downloading security intelligence updates |
+| Element Name | Define file shares for downloading security intelligence updates |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
+| ADMX File Name | WindowsDefender.admx |
+<!-- SignatureUpdateFileSharesSources-GpMapping-End -->
+
+<!-- SignatureUpdateFileSharesSources-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SignatureUpdateFileSharesSources-Examples-End -->
+
+<!-- SignatureUpdateFileSharesSources-End -->
+
+<!-- SignatureUpdateInterval-Begin -->
+## SignatureUpdateInterval
+
+<!-- SignatureUpdateInterval-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- SignatureUpdateInterval-Applicability-End -->
+
+<!-- SignatureUpdateInterval-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval
+```
+<!-- SignatureUpdateInterval-OmaUri-End -->
+
+<!-- SignatureUpdateInterval-Description-Begin -->
+This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
+
+If you enable this setting, checks for security intelligence updates will occur at the interval specified.
+
+If you disable or do not configure this setting, checks for security intelligence updates will occur at the default interval.
+<!-- SignatureUpdateInterval-Description-End -->
+
+<!-- SignatureUpdateInterval-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SignatureUpdateInterval-Editable-End -->
+
+<!-- SignatureUpdateInterval-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-24]` |
+| Default Value  | 8 |
+<!-- SignatureUpdateInterval-DFProperties-End -->
+
+<!-- SignatureUpdateInterval-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SignatureUpdate_SignatureUpdateInterval |
+| Friendly Name | Specify the interval to check for security intelligence updates |
+| Element Name | Specify the interval to check for security intelligence updates |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Signature Updates |
+| Registry Value Name | SignatureUpdateInterval |
+| ADMX File Name | WindowsDefender.admx |
+<!-- SignatureUpdateInterval-GpMapping-End -->
+
+<!-- SignatureUpdateInterval-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SignatureUpdateInterval-Examples-End -->
+
+<!-- SignatureUpdateInterval-End -->
+
+<!-- SubmitSamplesConsent-Begin -->
+## SubmitSamplesConsent
+
+<!-- SubmitSamplesConsent-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1507 [10.0.10240] and later |
+<!-- SubmitSamplesConsent-Applicability-End -->
+
+<!-- SubmitSamplesConsent-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/SubmitSamplesConsent
+```
+<!-- SubmitSamplesConsent-OmaUri-End -->
+
+<!-- SubmitSamplesConsent-Description-Begin -->
+This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set.
+
+Possible options are:
+(0x0) Always prompt
+(0x1) Send safe samples automatically
+(0x2) Never send
+(0x3) Send all samples automatically
+<!-- SubmitSamplesConsent-Description-End -->
+
+<!-- SubmitSamplesConsent-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SubmitSamplesConsent-Editable-End -->
+
+<!-- SubmitSamplesConsent-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- SubmitSamplesConsent-DFProperties-End -->
+
+<!-- SubmitSamplesConsent-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Always prompt. |
+| 1 (Default) | Send safe samples automatically. |
+| 2 | Never send. |
+| 3 | Send all samples automatically. |
+<!-- SubmitSamplesConsent-AllowedValues-End -->
+
+<!-- SubmitSamplesConsent-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SubmitSamplesConsent |
+| Friendly Name | Send file samples when further analysis is required |
+| Element Name | Send file samples when further analysis is required |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > MAPS |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Spynet |
+| Registry Value Name | SubmitSamplesConsent |
+| ADMX File Name | WindowsDefender.admx |
+<!-- SubmitSamplesConsent-GpMapping-End -->
+
+<!-- SubmitSamplesConsent-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- SubmitSamplesConsent-Examples-End -->
+
+<!-- SubmitSamplesConsent-End -->
+
+<!-- ThreatSeverityDefaultAction-Begin -->
+## ThreatSeverityDefaultAction
+
+<!-- ThreatSeverityDefaultAction-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+<!-- ThreatSeverityDefaultAction-Applicability-End -->
+
+<!-- ThreatSeverityDefaultAction-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Defender/ThreatSeverityDefaultAction
+```
+<!-- ThreatSeverityDefaultAction-OmaUri-End -->
+
+<!-- ThreatSeverityDefaultAction-Description-Begin -->
+Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. This value is a list of threat severity level IDs and corresponding actions, separated by a | using the format threat level=action|threat level=action. For example, 1=6|2=2|4=10|5=3. The following list shows the supported values for threat severity levels:1 – Low severity threats2 – Moderate severity threats4 – High severity threats5 – Severe threatsThe following list shows the supported values for possible actions:1 – Clean. Service tries to recover files and try to disinfect. 2 – Quarantine. Moves files to quarantine. 3 – Remove. Removes files from system. 6 – Allow. Allows file/does none of the above actions. 8 – User defined. Requires user to make a decision on which action to take. 10 – Block. Blocks file execution.
+<!-- ThreatSeverityDefaultAction-Description-End -->
+
+<!-- ThreatSeverityDefaultAction-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ThreatSeverityDefaultAction-Editable-End -->
+
+<!-- ThreatSeverityDefaultAction-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ThreatSeverityDefaultAction-DFProperties-End -->
+
+<!-- ThreatSeverityDefaultAction-GpMapping-Begin -->
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Threats_ThreatSeverityDefaultAction |
+| Friendly Name | Specify threat alert levels at which default action should not be taken when detected |
+| Element Name | Specify threat alert levels at which default action should not be taken when detected |
+| Location | Computer Configuration |
+| Path | Windows Components > Microsoft Defender Antivirus > Threats |
+| Registry Key Name | Software\Policies\Microsoft\Windows Defender\Threats |
+| Registry Value Name | Threats_ThreatSeverityDefaultAction |
+| ADMX File Name | WindowsDefender.admx |
+<!-- ThreatSeverityDefaultAction-GpMapping-End -->
+
+<!-- ThreatSeverityDefaultAction-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ThreatSeverityDefaultAction-Examples-End -->
+
+<!-- ThreatSeverityDefaultAction-End -->
+
+<!-- Defender-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Defender-CspMoreInfo-End -->
+
+<!-- Defender-End -->
+
+## Related articles
 
 [Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 598a852163..828657eada 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -3,12 +3,12 @@ title: Policy CSP - DeliveryOptimization
 description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 06/09/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -1457,9 +1457,11 @@ ADMX Info:
 <!--/Scope-->
 <!--Description-->
 Set this policy to restrict peer selection via selected option.
-Options available are: 1=Subnet mask (more options will be added in a future release).
+In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. Currently, the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore it means that there is no peering between subnets. The default value in Windows 11 is set to "Local Peer Discovery".
 
-Option 1 (Subnet mask) applies to both Download Mode LAN (1) and Group (2).
+If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID).
+
+The Local Peer Discovery (DNS-SD) option can only be set via MDM delivered policies on Windows 11 builds.
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -1474,7 +1476,9 @@ ADMX Info:
 <!--SupportedValues-->
 The following list shows the supported values:
 
--   1 - Subnet mask.
+-   0 - NAT
+-   1 - Subnet mask
+-   2 - Local Peer Discovery
 
 <!--/SupportedValues-->
 <!--/Policy-->
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md
index fd509329c0..1cd8888461 100644
--- a/windows/client-management/mdm/policy-csp-desktop.md
+++ b/windows/client-management/mdm/policy-csp-desktop.md
@@ -3,12 +3,12 @@ title: Policy CSP - Desktop
 description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index ec1ffd2363..f6f865422e 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -4,11 +4,11 @@ description: Learn about the Policy CSP - DesktopAppInstaller.
 ms.author: v-aljupudi
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: alekyaj
 ms.date: 08/24/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index af7a4fe34d..c7f637d5a7 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -3,12 +3,12 @@ title: Policy CSP - DeviceGuard
 description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -74,7 +74,7 @@ Secure Launch configuration:
 - 1 - Enables Secure Launch if supported by hardware
 - 2 - Disables Secure Launch.
 
-For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
+For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
 
 <!--/Description-->
 <!--ADMXMapped-->
@@ -256,4 +256,4 @@ The following list shows the supported values:
 
 ## Related topics
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index 5b5ba2a9dd..9b12315551 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -3,12 +3,12 @@ title: Policy CSP - DeviceHealthMonitoring
 description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 7f9b3b951f..de68aa4b4e 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -1,13 +1,13 @@
 ---
 title: Policy CSP - DeviceInstallation
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 description: Use the Policy CSP - DeviceInstallation setting to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
 ms.author: vinpa
 ms.date: 09/27/2019
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ---
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f5162cc9b6..fc07d7068e 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -3,12 +3,12 @@ title: Policy CSP - DeviceLock
 description: Learn how to use the Policy CSP - DeviceLock setting to specify whether the user must input a PIN or password when the device resumes from an idle state.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 05/16/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index e8d522f6ec..8e0295af7e 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -3,12 +3,12 @@ title: Policy CSP - Display
 description: Learn how to use the Policy CSP - Display setting to disable Per-Process System DPI for a semicolon-separated list of applications.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index e9343f71e2..8de9e8a848 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -3,12 +3,12 @@ title: Policy CSP - DmaGuard
 description: Learn how to use the Policy CSP - DmaGuard setting to provide more security against external DMA capable devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md
index e90f5b26f7..4088b37c80 100644
--- a/windows/client-management/mdm/policy-csp-eap.md
+++ b/windows/client-management/mdm/policy-csp-eap.md
@@ -3,12 +3,12 @@ title: Policy CSP - EAP
 description: Learn how to use the Policy CSP - Education setting to control graphing functionality in the Windows Calculator app.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index f24efbe205..10da71d3b4 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -3,12 +3,12 @@ title: Policy CSP - Education
 description: Learn how to use the Policy CSP - Education setting to control the graphing functionality in the Windows Calculator app.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 53254a0dbb..ebe04d9e51 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -3,12 +3,12 @@ title: Policy CSP - EnterpriseCloudPrint
 description: Use the Policy CSP - EnterpriseCloudPrint setting to define the maximum number of printers that should be queried from a discovery end point.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md
index 57fcbe6b64..3e4f4435e7 100644
--- a/windows/client-management/mdm/policy-csp-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-errorreporting.md
@@ -3,12 +3,12 @@ title: Policy CSP - ErrorReporting
 description: Learn how to use the Policy CSP - ErrorReporting setting to determine the consent behavior of Windows Error Reporting for specific event types.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 44732f7313..2062c3c59d 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -3,12 +3,12 @@ title: Policy CSP - EventLogService
 description: Learn how to use the Policy CSP - EventLogService setting to control Event Log behavior when the log file reaches its maximum size.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index b49e98aa9f..bb1fe34831 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -3,12 +3,12 @@ title: Policy CSP - Experience
 description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 11/02/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 6153aac0a4..9f1639a0ed 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -3,12 +3,12 @@ title: Policy CSP - ExploitGuard
 description: Use the Policy CSP - ExploitGuard setting to push out the desired system configuration and application mitigation options to all the devices in the organization.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md
index 6933fd3afe..fd8823c506 100644
--- a/windows/client-management/mdm/policy-csp-federatedauthentication.md
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@@ -3,8 +3,8 @@ title: Policy CSP - FederatedAuthentication
 description: Use the Policy CSP - Represents the enablement state of the Web Sign-in Credential Provider for device sign-in.
 ms.author: v-nsatapathy
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: nimishasatapathy
 ms.localizationpriority: medium
 ms.date: 09/07/2022
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md
index 202470f2e2..58d44e12de 100644
--- a/windows/client-management/mdm/policy-csp-feeds.md
+++ b/windows/client-management/mdm/policy-csp-feeds.md
@@ -3,12 +3,12 @@ title: Policy CSP - Feeds
 description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/17/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md
index a29f7ef42e..e4dfc521d7 100644
--- a/windows/client-management/mdm/policy-csp-fileexplorer.md
+++ b/windows/client-management/mdm/policy-csp-fileexplorer.md
@@ -3,12 +3,12 @@ title: Policy CSP - FileExplorer
 description: Use the Policy CSP - FileExplorer setting so you can allow certain legacy plug-in applications to function without terminating Explorer.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 05806d474a..d2d17d4b28 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -3,12 +3,12 @@ title: Policy CSP - Games
 description: Learn to use the Policy CSP - Games setting so that you can specify whether advanced gaming services can be used.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index c696d4a83f..21b975f9b1 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -3,12 +3,12 @@ title: Policy CSP - Handwriting
 description: Use the Policy CSP - Handwriting setting to allow an enterprise to configure the default mode for the handwriting panel.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index 3edb7515e1..103060ecab 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -3,12 +3,12 @@ title: Policy CSP - HumanPresence
 description: Use the Policy CSP - HumanPresence setting allows wake on approach and lock on leave that can be managed from MDM.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index aa01d3410e..ee0b9dac66 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -3,11 +3,11 @@ title: Policy CSP - InternetExplorer
 description: Use the Policy CSP - InternetExplorer setting to add a specific list of search providers to the user's default list of search providers.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -4426,7 +4426,7 @@ The following list shows the supported values:
 ADMX Info:
 -   GP Friendly name: *Enable extended hot keys in Internet Explorer mode*
 -   GP name: *EnableExtendedIEModeHotkeys*
--   GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
+-   GP path: *Windows Components/Internet Explorer/Main*
 -   GP ADMX file name: *inetres.admx*
 
 <!--/ADMXBacked-->
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 3cd88f2125..0950cd842a 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -3,12 +3,12 @@ title: Policy CSP - Kerberos
 description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index e205b4485b..693f130feb 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -3,12 +3,12 @@ title: Policy CSP - KioskBrowser
 description: Use the Policy CSP - KioskBrowser setting to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -113,7 +113,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol
 
 <!--/Scope-->
 <!--Description-->
-List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to.
+List of blocked website URLs (with wildcard support). This policy is used to configure blocked URLs kiosk browsers can't navigate to. The delimiter for the URLs is "\uF000" character.
 
 > [!NOTE]
 > This policy only applies to the Kiosk Browser app in Microsoft Store.
@@ -310,4 +310,4 @@ The value is an int 1-1440 that specifies the number of minutes the session is i
 
 ## Related topics
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index bbe9307e31..6e47698868 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -3,12 +3,12 @@ title: Policy CSP - LanmanWorkstation
 description: Use the Policy CSP - LanmanWorkstation setting to determine if the SMB client will allow insecure guest sign ins to an SMB server.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index effa809a71..4e778754ce 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -3,12 +3,12 @@ title: Policy CSP - Licensing
 description: Use the Policy CSP - Licensing setting to enable or disable Windows license reactivation on managed devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index cda8035487..73346cab09 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -3,12 +3,12 @@ title: Policy CSP - LocalPoliciesSecurityOptions
 description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 12/16/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index 8f9a5ef4cd..10e2076e07 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -3,12 +3,12 @@ title: Policy CSP - LocalUsersAndGroups
 description: Policy CSP - LocalUsersAndGroups
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 10/14/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -104,11 +104,11 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
 
 Example 1: Azure Active Directory focused.
 
-The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
+The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
 
 ```xml
 <GroupConfiguration>
-    <accessgroup desc = "Administrators">
+    <accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">
         <group action = "U" />
         <add member = "AzureAD\bob@contoso.com"/>
         <add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
@@ -119,12 +119,12 @@ The following example updates the built-in administrators group with Azure AD ac
 Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account.
 
 > [!NOTE]
-> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group.
+> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
 
 Example:
 ```xml
 <GroupConfiguration>
-    <accessgroup desc = "Administrators">
+    <accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">
         <group action = "R" />
         <add member = "AzureAD\bob@contoso.com"/>
         <add member = "Administrator"/>
@@ -134,11 +134,11 @@ Example:
 
 Example 3: Update action for adding and removing group members on a hybrid joined machine.
 
-The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
+The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
 
 ```xml
 <GroupConfiguration>
-    <accessgroup desc = "Administrators">
+    <accessgroup desc = "S-1-5-21-2222222222-3333333333-4444444444-500">
         <group action = "U" />
         <add member = "Contoso\ITAdmins"/>
         <add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index e81ef5bdbd..fd60ffcbaa 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -3,12 +3,12 @@ title: Policy CSP - LockDown
 description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md
index fc0a4d5cb4..89702a9f64 100644
--- a/windows/client-management/mdm/policy-csp-lsa.md
+++ b/windows/client-management/mdm/policy-csp-lsa.md
@@ -3,7 +3,7 @@ title: Policy CSP - LocalSecurityAuthority
 description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS).
 ms.author: vinpa
 author: vinaypamnani-msft
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.topic: reference
 ms.prod: windows-client
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index 81e6388586..be48625372 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -3,12 +3,12 @@ title: Policy CSP - Maps
 description: Use the Policy CSP - Maps setting to allow the download and update of map data over metered connections.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md
index 55f2821dc5..a1ced538a9 100644
--- a/windows/client-management/mdm/policy-csp-memorydump.md
+++ b/windows/client-management/mdm/policy-csp-memorydump.md
@@ -3,12 +3,12 @@ title: Policy CSP - MemoryDump
 description: Use the Policy CSP
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index af0864c827..167c581829 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -3,12 +3,12 @@ title: Policy CSP - Messaging
 description: Enable, and disable, text message backup and restore as well as Messaging Everywhere by using the Policy CSP for messaging.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 7b39f0c1f7..7f72869d59 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -4,10 +4,10 @@ description: Policy CSP - MixedReality
 ms.author: vinpa
 ms.localizationpriority: medium
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -113,8 +113,7 @@ Steps to use this policy correctly:
 |HoloLens (first gen) Commercial Suite|No|
 |HoloLens 2|Yes|
 
-> [!NOTE]
-> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
+
 
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
@@ -160,7 +159,7 @@ Int value
 <hr/>
 
 <!--Description-->
-This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-fi.
+This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-Fi.
 
 By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
 
@@ -341,10 +340,7 @@ Supported value is Integer.
 <!--/Scope-->
 <!--Description-->
 
-> [!NOTE]
-> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
-
-You may want to configure a different time server for your device fleet. IT admins can use thi policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy.
+You may want to configure a different time server for your device fleet. IT admins can use this policy to configure certain aspects of NTP client with following policies. In the Settings app, the Time/Language page will show the time server after a time sync has occurred. E.g. `time.windows.com` or another if another value is configured via MDM policy.
 
 This policy setting specifies a set of parameters for controlling the Windows NTP Client. Refer to [Policy CSP - ADMX_W32Time - Windows Client Management](/windows/client-management/mdm/policy-csp-admx-w32time#admx-w32time-policy-configure-ntpclient) for supported configuration parameters.
 
@@ -394,9 +390,6 @@ value="0"/>
 
 <!--/SupportedSKUs-->
 
-> [!NOTE]
-> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
-
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 
@@ -609,8 +602,6 @@ The following list shows the supported values:
 
 <!--/Scope-->
 <!--Description-->
-> [!NOTE]
-> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
 
 This policy setting specifies whether the Windows NTP Client is enabled.
 
@@ -642,9 +633,6 @@ This policy setting specifies whether the Windows NTP Client is enabled.
 
 <!--/SupportedSKUs-->
 
-> [!NOTE]
-> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
-
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 
@@ -678,8 +666,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip
 
 <!--/SupportedSKUs-->
 
-> [!NOTE]
-> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds.
+
 
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index 790df8eb85..690864628e 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -3,12 +3,12 @@ title: Policy CSP - MSSecurityGuide
 description: Learn how Policy CSP - MSSecurityGuide, an ADMX-backed policy, requires a special SyncML format to enable or disable.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md
index 5be1cd6495..c7e71ee0cf 100644
--- a/windows/client-management/mdm/policy-csp-msslegacy.md
+++ b/windows/client-management/mdm/policy-csp-msslegacy.md
@@ -1,211 +1,210 @@
 ---
-title: Policy CSP - MSSLegacy
-description: Learn how Policy CSP - MSSLegacy, an ADMX-backed policy, requires a special SyncML format to enable or disable.
-ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
+title: MSSLegacy Policy CSP
+description: Learn more about the MSSLegacy Area in Policy CSP
 author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
 manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- MSSLegacy-Begin -->
 # Policy CSP - MSSLegacy
 
-<hr/>
-
-<!--Policies-->
-## MSSLegacy policies
-
-<dl>
-  <dd>
-    <a href="#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes">MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes</a>
-  </dd>
-  <dd>
-    <a href="#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers">MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers</a>
-  </dd>
-  <dd>
-    <a href="#msslegacy-ipsourceroutingprotectionlevel">MSSLegacy/IPSourceRoutingProtectionLevel</a>
-  </dd>
-  <dd>
-    <a href="#msslegacy-ipv6sourceroutingprotectionlevel">MSSLegacy/IPv6SourceRoutingProtectionLevel</a>
-  </dd>
-</dl>
-
 > [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
-<hr/>
+<!-- MSSLegacy-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- MSSLegacy-Editable-End -->
 
-<!--Policy-->
-<a href="" id="msslegacy-allowicmpredirectstooverrideospfgeneratedroutes"></a>**MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes**
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Begin -->
+## AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
 
-<!--SupportedSKUs-->
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes
+```
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-OmaUri-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Description-End -->
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Allow ICMP redirects to override OSPF generated routes.
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Editable-End -->
 
-> [!div class = "checklist"]
-> * Device
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-DFProperties-Begin -->
+**Description framework properties**:
 
-<hr/>
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-DFProperties-End -->
 
-<!--/Scope-->
-<!--Description-->
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-AdmxBacked-End -->
 
-<!--/Description-->
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-Examples-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP name: *Pol_MSS_EnableICMPRedirect*
--   GP ADMX file name: *mss-legacy.admx*
+<!-- AllowICMPRedirectsToOverrideOSPFGeneratedRoutes-End -->
 
-<!--/ADMXBacked-->
-<!--/Policy-->
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Begin -->
+## AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
 
-<hr/>
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Applicability-End -->
 
-<!--Policy-->
-<a href="" id="msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers"></a>**MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers**
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
+```
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-OmaUri-End -->
 
-<!--SupportedSKUs-->
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Description-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+Allow the computer to ignore NetBIOS name release requests except from WINS servers.
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Editable-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-DFProperties-End -->
 
-> [!div class = "checklist"]
-> * Device
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-AdmxBacked-End -->
 
-<hr/>
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-Examples-End -->
 
-<!--/Scope-->
-<!--Description-->
+<!-- AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers-End -->
 
-<!--/Description-->
+<!-- IPSourceRoutingProtectionLevel-Begin -->
+## IPSourceRoutingProtectionLevel
 
+<!-- IPSourceRoutingProtectionLevel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- IPSourceRoutingProtectionLevel-Applicability-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP name: *Pol_MSS_NoNameReleaseOnDemand*
--   GP ADMX file name: *mss-legacy.admx*
+<!-- IPSourceRoutingProtectionLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel
+```
+<!-- IPSourceRoutingProtectionLevel-OmaUri-End -->
 
-<!--/ADMXBacked-->
-<!--/Policy-->
+<!-- IPSourceRoutingProtectionLevel-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- IPSourceRoutingProtectionLevel-Description-End -->
 
-<hr/>
+<!-- IPSourceRoutingProtectionLevel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+IP source routing protection level (protects against packet spoofing).
+<!-- IPSourceRoutingProtectionLevel-Editable-End -->
 
-<!--Policy-->
-<a href="" id="msslegacy-ipsourceroutingprotectionlevel"></a>**MSSLegacy/IPSourceRoutingProtectionLevel**
+<!-- IPSourceRoutingProtectionLevel-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--SupportedSKUs-->
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IPSourceRoutingProtectionLevel-DFProperties-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- IPSourceRoutingProtectionLevel-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- IPSourceRoutingProtectionLevel-AdmxBacked-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- IPSourceRoutingProtectionLevel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IPSourceRoutingProtectionLevel-Examples-End -->
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- IPSourceRoutingProtectionLevel-End -->
 
-> [!div class = "checklist"]
-> * Device
+<!-- IPv6SourceRoutingProtectionLevel-Begin -->
+## IPv6SourceRoutingProtectionLevel
 
-<hr/>
+<!-- IPv6SourceRoutingProtectionLevel-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- IPv6SourceRoutingProtectionLevel-Applicability-End -->
 
-<!--/Scope-->
-<!--Description-->
+<!-- IPv6SourceRoutingProtectionLevel-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel
+```
+<!-- IPv6SourceRoutingProtectionLevel-OmaUri-End -->
 
-<!--/Description-->
+<!-- IPv6SourceRoutingProtectionLevel-Description-Begin -->
+<!-- Description-Not-Found -->
+<!-- IPv6SourceRoutingProtectionLevel-Description-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP name: *Pol_MSS_DisableIPSourceRouting*
--   GP ADMX file name: *mss-legacy.admx*
+<!-- IPv6SourceRoutingProtectionLevel-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+IPv6 source routing protection level (protects against packet spoofing).
+<!-- IPv6SourceRoutingProtectionLevel-Editable-End -->
 
-<!--/ADMXBacked-->
-<!--/Policy-->
+<!-- IPv6SourceRoutingProtectionLevel-DFProperties-Begin -->
+**Description framework properties**:
 
-<hr/>
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- IPv6SourceRoutingProtectionLevel-DFProperties-End -->
 
-<!--Policy-->
-<a href="" id="msslegacy-ipv6sourceroutingprotectionlevel"></a>**MSSLegacy/IPv6SourceRoutingProtectionLevel**
+<!-- IPv6SourceRoutingProtectionLevel-AdmxBacked-Begin -->
+<!-- Unknown -->
+<!-- IPv6SourceRoutingProtectionLevel-AdmxBacked-End -->
 
-<!--SupportedSKUs-->
+<!-- IPv6SourceRoutingProtectionLevel-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- IPv6SourceRoutingProtectionLevel-Examples-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- IPv6SourceRoutingProtectionLevel-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- MSSLegacy-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- MSSLegacy-CspMoreInfo-End -->
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- MSSLegacy-End -->
 
-> [!div class = "checklist"]
-> * Device
+## Related articles
 
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-
-<!--/Description-->
-
-<!--ADMXBacked-->
-ADMX Info:
--   GP name: *Pol_MSS_DisableIPSourceRoutingIPv6*
--   GP ADMX file name: *mss-legacy.admx*
-
-<!--/ADMXBacked-->
-<!--/Policy-->
-<hr/>
-
-
-<!--/Policies-->
-
-## Related topics
-
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md
index d309cdb01f..8893e13ac4 100644
--- a/windows/client-management/mdm/policy-csp-multitasking.md
+++ b/windows/client-management/mdm/policy-csp-multitasking.md
@@ -3,12 +3,12 @@ title: Policy CSP - Multitasking
 description: Policy CSP - Multitasking
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 10/30/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index 53c14116f6..9acf0b9394 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -3,12 +3,12 @@ title: Policy CSP - NetworkIsolation
 description: Learn how Policy CSP - NetworkIsolation contains a list of Enterprise resource domains hosted in the cloud that need to be protected.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index 60a664f65e..27b86f10fb 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -3,12 +3,12 @@ title: Policy CSP - NetworkListManager
 description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 12/16/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -59,7 +59,7 @@ manager: aaroncz
 <!--Description-->
 This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
 
-When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
+When entering a list of TLS endpoints in Microsoft Intune, you must follow this format, even in the UI:
 
 `<![CDATA[https://nls.corp.contoso.com&#xF000;https://nls.corp.fabricam.com]]>`
 
@@ -107,6 +107,6 @@ This policy setting provides the string that is to be used to name a network. Th
 
 <!--/Policies-->
 
-## Related topics
+## Related articles
 
 [Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index 4f5672eead..280fdbcd41 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -3,12 +3,12 @@ title: Policy CSP - NewsAndInterests
 description: Learn how Policy CSP - NewsandInterests contains a list of news and interests.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index f8ed9bde43..3025afae1b 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -3,12 +3,12 @@ title: Policy CSP - Notifications
 description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index 5783522033..03b40b79a6 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -3,12 +3,12 @@ title: Policy CSP - Power
 description: Learn how the Policy CSP - Power setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md
index aaf5b33fb5..7cb6c243fb 100644
--- a/windows/client-management/mdm/policy-csp-printers.md
+++ b/windows/client-management/mdm/policy-csp-printers.md
@@ -3,12 +3,12 @@ title: Policy CSP - Printers
 description: Use this policy setting to control the client Point and Print behavior, including  security prompts for Windows Vista computers.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index de522351e1..124dfb9fc1 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -3,12 +3,12 @@ title: Policy CSP - Privacy
 description: Learn how the Policy CSP - Privacy setting allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md
index 759c8f09bc..28e5beb835 100644
--- a/windows/client-management/mdm/policy-csp-remoteassistance.md
+++ b/windows/client-management/mdm/policy-csp-remoteassistance.md
@@ -3,12 +3,12 @@ title: Policy CSP - RemoteAssistance
 description: Learn how the Policy CSP - RemoteAssistance setting allows you to specify a custom message to display.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
index 04d874a3fe..364443eae5 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktop.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -3,12 +3,12 @@ title: Policy CSP - RemoteDesktop
 description: Learn how the Policy CSP - RemoteDesktop setting allows you to specify a custom message to display.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index ac94cd4ed8..20e9afc122 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -3,12 +3,12 @@ title: Policy CSP - RemoteDesktopServices
 description: Learn how the Policy CSP - RemoteDesktopServices setting allows you to configure remote access to computers by using Remote Desktop Services.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md
index 8fb52d169d..357f2c463f 100644
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md
+++ b/windows/client-management/mdm/policy-csp-remotemanagement.md
@@ -3,12 +3,12 @@ title: Policy CSP - RemoteManagement
 description: Learn how the Policy CSP - RemoteManagement setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 8f74fbe899..2b7d68dc7e 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -3,12 +3,12 @@ title: Policy CSP - RemoteProcedureCall
 description: The Policy CSP - RemoteProcedureCall setting controls whether RPC clients authenticate when the call they're making contains authentication information.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md
index 9a058da639..dcb0d50872 100644
--- a/windows/client-management/mdm/policy-csp-remoteshell.md
+++ b/windows/client-management/mdm/policy-csp-remoteshell.md
@@ -3,12 +3,12 @@ title: Policy CSP - RemoteShell
 description: Learn details about the Policy CSP - RemoteShell setting so that you can configure access to remote shells.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 2e2a8c86b5..7606c9d786 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -3,12 +3,12 @@ title: Policy CSP - RestrictedGroups
 description: Learn how the Policy CSP - RestrictedGroups setting allows an administrator to define the members that are part of a security-sensitive (restricted) group.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 04/07/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 6f50b43ffa..e6872c41dc 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -3,12 +3,12 @@ title: Policy CSP - Search
 description: Learn how the Policy CSP - Search setting allows search and Cortana to search cloud sources like OneDrive and SharePoint.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 02/12/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index 7dc26a67b2..f5585b9b4e 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -3,12 +3,12 @@ title: Policy CSP - Security
 description: Learn how the Policy CSP - Security setting can specify whether to allow the runtime configuration agent to install provisioning packages.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index 72a2fa4349..0601509035 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -3,8 +3,8 @@ title: Policy CSP - ServiceControlManager
 description: Learn how the Policy CSP - ServiceControlManager setting enables process mitigation options on svchost.exe processes.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: Heidilohr
 ms.localizationpriority: medium
 ms.date: 09/27/2019
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 0cc8ab89e0..10a0628e8d 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -3,12 +3,12 @@ title: Policy CSP - Settings
 description: Learn how to use the Policy CSP - Settings setting so that you can allow the user to change Auto Play settings.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-settingssync.md b/windows/client-management/mdm/policy-csp-settingssync.md
new file mode 100644
index 0000000000..3be0b76457
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-settingssync.md
@@ -0,0 +1,96 @@
+---
+title: SettingsSync Policy CSP
+description: Learn more about the SettingsSync Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- SettingsSync-Begin -->
+# Policy CSP - SettingsSync
+
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!-- SettingsSync-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- SettingsSync-Editable-End -->
+
+<!-- DisableAccessibilitySettingSync-Begin -->
+## DisableAccessibilitySettingSync
+
+<!-- DisableAccessibilitySettingSync-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- DisableAccessibilitySettingSync-Applicability-End -->
+
+<!-- DisableAccessibilitySettingSync-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableAccessibilitySettingSync
+```
+<!-- DisableAccessibilitySettingSync-OmaUri-End -->
+
+<!-- DisableAccessibilitySettingSync-Description-Begin -->
+Prevent the "accessibility" group from syncing to and from this PC. This turns off and disables the "accessibility" group on the "Windows backup" settings page in PC settings.
+
+If you enable this policy setting, the "accessibility", group will not be synced.
+
+Use the option "Allow users to turn accessibility syncing on" so that syncing is turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "accessibility" group is on by default and configurable by the user.
+<!-- DisableAccessibilitySettingSync-Description-End -->
+
+<!-- DisableAccessibilitySettingSync-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DisableAccessibilitySettingSync-Editable-End -->
+
+<!-- DisableAccessibilitySettingSync-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- DisableAccessibilitySettingSync-DFProperties-End -->
+
+<!-- DisableAccessibilitySettingSync-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableAccessibilitySettingSync |
+| Friendly Name | Do not sync accessibility settings |
+| Location | Computer Configuration |
+| Path | Windows Components > Sync your settings |
+| Registry Key Name | Software\Policies\Microsoft\Windows\SettingSync |
+| Registry Value Name | DisableAccessibilitySettingSync |
+| ADMX File Name | SettingSync.admx |
+<!-- DisableAccessibilitySettingSync-AdmxBacked-End -->
+
+<!-- DisableAccessibilitySettingSync-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DisableAccessibilitySettingSync-Examples-End -->
+
+<!-- DisableAccessibilitySettingSync-End -->
+
+<!-- SettingsSync-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- SettingsSync-CspMoreInfo-End -->
+
+<!-- SettingsSync-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 0f0f324cc7..d736b16a60 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -3,12 +3,12 @@ title: Policy CSP - SmartScreen
 description: Use the Policy CSP - SmartScreen setting to allow IT Admins to control whether users are allowed to install apps from places other than the Store.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index ea98f581cb..7375101c7d 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -3,12 +3,12 @@ title: Policy CSP - Speech
 description: Learn how the Policy CSP - Speech setting specifies whether the device will receive updates to the speech recognition and speech synthesis models.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index b0fbf583d5..92dac37002 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -3,12 +3,12 @@ title: Policy CSP - Start
 description: Use the Policy CSP - Start setting to control the visibility of the Documents shortcut on the Start menu.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md
new file mode 100644
index 0000000000..9b2eeee68c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-stickers.md
@@ -0,0 +1,79 @@
+---
+title: Stickers Policy CSP
+description: Learn more about the Stickers Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/02/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- Stickers-Begin -->
+# Policy CSP - Stickers
+
+<!-- Stickers-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- Stickers-Editable-End -->
+
+<!-- EnableStickers-Begin -->
+## EnableStickers
+
+<!-- EnableStickers-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+<!-- EnableStickers-Applicability-End -->
+
+<!-- EnableStickers-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/Stickers/EnableStickers
+```
+<!-- EnableStickers-OmaUri-End -->
+
+<!-- EnableStickers-Description-Begin -->
+This policy setting allows you to control whether you want to allow stickers to be edited and placed on Desktop
+<!-- EnableStickers-Description-End -->
+
+<!-- EnableStickers-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableStickers-Editable-End -->
+
+<!-- EnableStickers-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- EnableStickers-DFProperties-End -->
+
+<!-- EnableStickers-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+<!-- EnableStickers-AllowedValues-End -->
+
+<!-- EnableStickers-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableStickers-Examples-End -->
+
+<!-- EnableStickers-End -->
+
+<!-- Stickers-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- Stickers-CspMoreInfo-End -->
+
+<!-- Stickers-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md
index e4a8b1ec6b..787eee3961 100644
--- a/windows/client-management/mdm/policy-csp-storage.md
+++ b/windows/client-management/mdm/policy-csp-storage.md
@@ -3,12 +3,12 @@ title: Policy CSP - Storage
 description: Learn to use the Policy CSP - Storage settings to automatically clean some of the user’s files to free up disk space.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 03/25/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 9ce3e09e66..939f3e2ac9 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -3,12 +3,12 @@ title: Policy CSP - System
 description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 08/26/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 9138227f47..750cb5bad8 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -3,12 +3,12 @@ title: Policy CSP - SystemServices
 description: Learn how to use the Policy CSP - SystemServices setting to determine whether the service's start type is Automatic(2), Manual(3), Disabled(4).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 19193cea93..0ee8b53c39 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -3,12 +3,12 @@ title: Policy CSP - TaskManager
 description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index eb016f3e4f..a333e1450f 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -3,12 +3,12 @@ title: Policy CSP - TaskScheduler
 description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
new file mode 100644
index 0000000000..0ab6c560aa
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-tenantdefinedtelemetry.md
@@ -0,0 +1,80 @@
+---
+title: TenantDefinedTelemetry Policy CSP
+description: Learn more about the TenantDefinedTelemetry Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/02/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- TenantDefinedTelemetry-Begin -->
+# Policy CSP - TenantDefinedTelemetry
+
+<!-- TenantDefinedTelemetry-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TenantDefinedTelemetry-Editable-End -->
+
+<!-- CustomTelemetryId-Begin -->
+## CustomTelemetryId
+
+<!-- CustomTelemetryId-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+<!-- CustomTelemetryId-Applicability-End -->
+
+<!-- CustomTelemetryId-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/TenantDefinedTelemetry/CustomTelemetryId
+```
+<!-- CustomTelemetryId-OmaUri-End -->
+
+<!-- CustomTelemetryId-Description-Begin -->
+This policy is used to let mission control what type of Edition we are currently in.
+<!-- CustomTelemetryId-Description-End -->
+
+<!-- CustomTelemetryId-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- CustomTelemetryId-Editable-End -->
+
+<!-- CustomTelemetryId-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- CustomTelemetryId-DFProperties-End -->
+
+<!-- CustomTelemetryId-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Base |
+| 1 | Education |
+| 2 | Commercial |
+<!-- CustomTelemetryId-AllowedValues-End -->
+
+<!-- CustomTelemetryId-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- CustomTelemetryId-Examples-End -->
+
+<!-- CustomTelemetryId-End -->
+
+<!-- TenantDefinedTelemetry-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- TenantDefinedTelemetry-CspMoreInfo-End -->
+
+<!-- TenantDefinedTelemetry-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
new file mode 100644
index 0000000000..936808277a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
@@ -0,0 +1,98 @@
+---
+title: TenantRestrictions Policy CSP
+description: Learn more about the TenantRestrictions Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
+---
+
+<!-- Auto-Generated CSP Document -->
+
+<!-- TenantRestrictions-Begin -->
+# Policy CSP - TenantRestrictions
+
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+<!-- TenantRestrictions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- TenantRestrictions-Editable-End -->
+
+<!-- ConfigureTenantRestrictions-Begin -->
+## ConfigureTenantRestrictions
+
+<!-- ConfigureTenantRestrictions-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later <br> :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later <br> :heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+<!-- ConfigureTenantRestrictions-Applicability-End -->
+
+<!-- ConfigureTenantRestrictions-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/TenantRestrictions/ConfigureTenantRestrictions
+```
+<!-- ConfigureTenantRestrictions-OmaUri-End -->
+
+<!-- ConfigureTenantRestrictions-Description-Begin -->
+This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.
+
+When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.
+
+Note: Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.
+
+https://go.microsoft.com/fwlink/?linkid=2148762
+
+Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information.
+For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230
+<!-- ConfigureTenantRestrictions-Description-End -->
+
+<!-- ConfigureTenantRestrictions-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ConfigureTenantRestrictions-Editable-End -->
+
+<!-- ConfigureTenantRestrictions-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ConfigureTenantRestrictions-DFProperties-End -->
+
+<!-- ConfigureTenantRestrictions-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | trv2_payload |
+| Friendly Name | Cloud Policy Details |
+| Location | Computer Configuration |
+| Path | Windows Components > Tenant Restrictions |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload |
+| ADMX File Name | TenantRestrictions.admx |
+<!-- ConfigureTenantRestrictions-AdmxBacked-End -->
+
+<!-- ConfigureTenantRestrictions-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ConfigureTenantRestrictions-Examples-End -->
+
+<!-- ConfigureTenantRestrictions-End -->
+
+<!-- TenantRestrictions-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- TenantRestrictions-CspMoreInfo-End -->
+
+<!-- TenantRestrictions-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index a643b71697..f4cb783c7e 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -3,12 +3,12 @@ title: Policy CSP - TextInput
 description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 03/03/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 7487a19698..77496a13ff 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -3,12 +3,12 @@ title: Policy CSP - TimeLanguageSettings
 description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/28/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index a57ac594c1..22fbd1c4fc 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -3,8 +3,8 @@ title: Policy CSP - Troubleshooting
 description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index e384c8beed..7c1858edb3 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3,12 +3,12 @@ title: Policy CSP - Update
 description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 06/15/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.collection: highpri
 ---
@@ -2988,6 +2988,9 @@ The table below shows the applicability of Windows:
 
 <!--/Scope-->
 <!--Description-->
+> [!NOTE]
+> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
+
 Enables the IT admin to schedule the day of the update installation.
 
 Supported data type is an integer.
@@ -3049,6 +3052,9 @@ The table below shows the applicability of Windows:
 
 <!--/Scope-->
 <!--Description-->
+> [!NOTE]
+> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
+
 Enables the IT admin to schedule the update installation on every week.
 
 Supported Value type is integer.
@@ -3100,6 +3106,9 @@ The table below shows the applicability of Windows:
 
 <!--/Scope-->
 <!--Description-->
+> [!NOTE]
+> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
+
 Enables the IT admin to schedule the update installation on the first week of the month.
 
 Supported value type is integer.
@@ -3151,6 +3160,9 @@ The table below shows the applicability of Windows:
 
 <!--/Scope-->
 <!--Description-->
+> [!NOTE]
+> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
+
 Enables the IT admin to schedule the update installation on the fourth week of the month.
 
 Supported value type is integer.
@@ -3202,9 +3214,12 @@ The table below shows the applicability of Windows:
 
 <!--/Scope-->
 <!--Description-->
+> [!NOTE]
+> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
+
 Enables the IT admin to schedule the update installation on the second week of the month.
 
-Supported vlue type is integer.
+Supported value type is integer.
 
 Supported values:
 
@@ -3254,6 +3269,9 @@ The table below shows the applicability of Windows:
 
 <!--/Scope-->
 <!--Description-->
+> [!NOTE]
+> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
+
 Enables the IT admin to schedule the update installation on the third week of the month.
 
 Supported value type is integer.
@@ -3305,6 +3323,9 @@ The table below shows the applicability of Windows:
 
 <!--/Scope-->
 <!--Description-->
+> [!NOTE]
+> This policy will only take effect if <a href="#update-allowautoupdate">Update/AllowAutoUpdate</a> has been configured to option 3 or 4 for scheduled installation.
+
 Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation.
 
 The supported data type is an integer.
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index a4779f0075..9359f7ab9e 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -3,12 +3,12 @@ title: Policy CSP - UserRights
 description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 11/24/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
index 11630b2ae4..cfbe252574 100644
--- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -3,12 +3,12 @@ title: Policy CSP - VirtualizationBasedTechnology
 description: Learn to use the Policy CSP - VirtualizationBasedTechnology setting to control the state of Hypervisor-protected Code Integrity (HVCI) on devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 11/25/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index 5dc80b41a1..95465df853 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -3,12 +3,12 @@ title: Policy CSP - WebThreatDefense
 description: Learn about the Policy CSP - WebThreatDefense.
 ms.author: v-aljupudi
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: alekyaj
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 6c4a95d9d8..09a9eb148e 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -3,12 +3,12 @@ title: Policy CSP - Wifi
 description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md
index 9ced4af382..01a6430be0 100644
--- a/windows/client-management/mdm/policy-csp-windowsautopilot.md
+++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md
@@ -3,12 +3,12 @@ title: Policy CSP - WindowsAutoPilot
 description: Learn to use the Policy CSP - WindowsAutoPilot setting to enable or disable Autopilot Agility feature.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 11/25/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
index 1365e72a03..803dc874b5 100644
--- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
+++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md
@@ -3,12 +3,12 @@ title: Policy CSP - WindowsConnectionManager
 description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain-based network and a non-domain-based network simultaneously.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index cac7ae5d62..106c5f63e4 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -3,12 +3,12 @@ title: Policy CSP - WindowsDefenderSecurityCenter
 description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index 97e61809eb..403b33ba76 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -3,12 +3,12 @@ title: Policy CSP - WindowsInkWorkspace
 description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 0c5e572c58..33e709f97a 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,267 +1,264 @@
 ---
-title: Policy CSP - WindowsLogon
-description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts.
-ms.author: vinpa
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
+title: WindowsLogon Policy CSP
+description: Learn more about the WindowsLogon Area in Policy CSP
 author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
 manager: aaroncz
+ms.author: vinpa
+ms.date: 11/29/2022
+ms.localizationpriority: medium
+ms.prod: windows-client
+ms.technology: itpro-manage
+ms.topic: reference
 ---
 
+<!-- Auto-Generated CSP Document -->
+
+<!-- WindowsLogon-Begin -->
 # Policy CSP - WindowsLogon
 
-<hr/>
-
-<!--Policies-->
-## WindowsLogon policies
-
-<dl>
-  <dd>
-    <a href="#windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
-  </dd>
-  <dd>
-    <a href="#windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
-  </dd>
-  <dd>
-    <a href="#windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
-  </dd>
-  <dd>
-    <a href="#windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
-  </dd>
-  <dd>
-    <a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
-  </dd>
-  <dd>
-    <a href="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
-  </dd>
-  <dd>
-    <a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
-  </dd>
-  <dd>
-    <a href="#windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
-  </dd>
-</dl>
-
 > [!TIP]
-> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 >
-> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it.  For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
-<hr/>
+<!-- WindowsLogon-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- WindowsLogon-Editable-End -->
 
-<!--Policy-->
-<a href="" id="windowslogon-allowautomaticrestartsignon"></a>**WindowsLogon/AllowAutomaticRestartSignOn**
+<!-- AllowAutomaticRestartSignOn-Begin -->
+## AllowAutomaticRestartSignOn
 
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
+<!-- AllowAutomaticRestartSignOn-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- AllowAutomaticRestartSignOn-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- AllowAutomaticRestartSignOn-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn
+```
+<!-- AllowAutomaticRestartSignOn-OmaUri-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- AllowAutomaticRestartSignOn-Description-Begin -->
+This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot.
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+This only occurs if the last interactive user didn’t sign out before the restart or shutdown.​
 
-> [!div class = "checklist"]
-> * Device
+If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.​
 
-<hr/>
+If you don’t configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​
 
-<!--/Scope-->
-<!--Description-->
-This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot.
+After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​.
 
-This scenario occurs only if the last interactive user didn't sign out before the restart or shutdown.​
+If you disable this policy setting, the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts.
+<!-- AllowAutomaticRestartSignOn-Description-End -->
 
-If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.​
+<!-- AllowAutomaticRestartSignOn-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- AllowAutomaticRestartSignOn-Editable-End -->
 
-If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.​
+<!-- AllowAutomaticRestartSignOn-DFProperties-Begin -->
+**Description framework properties**:
 
-After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot​.
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- AllowAutomaticRestartSignOn-DFProperties-End -->
 
-If you disable this policy setting, the device doesn't configure automatic sign in. The user’s lock screen apps aren't restarted after the system restarts.
+<!-- AllowAutomaticRestartSignOn-AdmxBacked-Begin -->
+**ADMX mapping**:
 
-<!--/Description-->
+| Name | Value |
+|:--|:--|
+| Name | AutomaticRestartSignOnDescription |
+| Friendly Name | Sign-in and lock last interactive user automatically after a restart |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Logon Options |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | DisableAutomaticRestartSignOn |
+| ADMX File Name | WinLogon.admx |
+<!-- AllowAutomaticRestartSignOn-AdmxBacked-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP Friendly name: *Sign-in and lock last interactive user automatically after a restart*
--   GP name: *AutomaticRestartSignOn*
--   GP path: *Windows Components/Windows Logon Options*
--   GP ADMX file name: *WinLogon.admx*
+<!-- AllowAutomaticRestartSignOn-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- AllowAutomaticRestartSignOn-Examples-End -->
 
-<!--/ADMXBacked-->
-<!--SupportedValues-->
+<!-- AllowAutomaticRestartSignOn-End -->
 
-<!--/SupportedValues-->
-<!--Example-->
+<!-- ConfigAutomaticRestartSignOn-Begin -->
+## ConfigAutomaticRestartSignOn
 
-<!--/Example-->
-<!--Validation-->
+<!-- ConfigAutomaticRestartSignOn-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- ConfigAutomaticRestartSignOn-Applicability-End -->
 
-<!--/Validation-->
-<!--/Policy-->
+<!-- ConfigAutomaticRestartSignOn-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/ConfigAutomaticRestartSignOn
+```
+<!-- ConfigAutomaticRestartSignOn-OmaUri-End -->
 
-<hr/>
-
-<!--Policy-->
-<a href="" id="windowslogon-configautomaticrestartsignon"></a>**WindowsLogon/ConfigAutomaticRestartSignOn**
-
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-This policy setting controls the configuration under which an automatic restart, sign in, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign in doesn't occur and this policy need not be configured.
+<!-- ConfigAutomaticRestartSignOn-Description-Begin -->
+This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured.
 
 If you enable this policy setting, you can choose one of the following two options:
 
-- Enabled if BitLocker is on and not suspended: Specifies that automatic sign in and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
+1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
 BitLocker is suspended during updates if:
-    - The device doesn't have TPM 2.0 and PCR7
-    - The device doesn't use a TPM-only protector
-- Always Enabled: Specifies that automatic sign in happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign in should only be run under this condition if you're confident that the configured device is in a secure physical location.
+- The device doesn’t have TPM 2.0 and PCR7, or
+- The device doesn’t use a TPM-only protector
+2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
 
-If you disable or don't configure this setting, automatic sign in defaults to the “Enabled if BitLocker is on and not suspended” behavior.
+If you disable or don’t configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior.
+<!-- ConfigAutomaticRestartSignOn-Description-End -->
 
-<!--/Description-->
+<!-- ConfigAutomaticRestartSignOn-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- ConfigAutomaticRestartSignOn-Editable-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP Friendly name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot*
--   GP name: *ConfigAutomaticRestartSignOn*
--   GP path: *Windows Components/Windows Logon Options*
--   GP ADMX file name: *WinLogon.admx*
+<!-- ConfigAutomaticRestartSignOn-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--/ADMXBacked-->
-<!--SupportedValues-->
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- ConfigAutomaticRestartSignOn-DFProperties-End -->
 
-<!--/SupportedValues-->
-<!--Example-->
+<!-- ConfigAutomaticRestartSignOn-AdmxBacked-Begin -->
+**ADMX mapping**:
 
-<!--/Example-->
-<!--Validation-->
+| Name | Value |
+|:--|:--|
+| Name | ConfigAutomaticRestartSignOnDescription |
+| Friendly Name | Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Logon Options |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| ADMX File Name | WinLogon.admx |
+<!-- ConfigAutomaticRestartSignOn-AdmxBacked-End -->
 
-<!--/Validation-->
-<!--/Policy-->
+<!-- ConfigAutomaticRestartSignOn-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- ConfigAutomaticRestartSignOn-Examples-End -->
 
-<hr/>
+<!-- ConfigAutomaticRestartSignOn-End -->
 
-<!--Policy-->
-<a href="" id="windowslogon-disablelockscreenappnotifications"></a>**WindowsLogon/DisableLockScreenAppNotifications**
+<!-- DisableLockScreenAppNotifications-Begin -->
+## DisableLockScreenAppNotifications
 
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
+<!-- DisableLockScreenAppNotifications-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- DisableLockScreenAppNotifications-Applicability-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- DisableLockScreenAppNotifications-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DisableLockScreenAppNotifications
+```
+<!-- DisableLockScreenAppNotifications-OmaUri-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
+<!-- DisableLockScreenAppNotifications-Description-Begin -->
 This policy setting allows you to prevent app notifications from appearing on the lock screen.
 
 If you enable this policy setting, no app notifications are displayed on the lock screen.
 
-If you disable or don't configure this policy setting, users can choose which apps display notifications on the lock screen.
+If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.
+<!-- DisableLockScreenAppNotifications-Description-End -->
 
-<!--/Description-->
+<!-- DisableLockScreenAppNotifications-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DisableLockScreenAppNotifications-Editable-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP Friendly name: *Turn off app notifications on the lock screen*
--   GP name: *DisableLockScreenAppNotifications*
--   GP path: *System/Logon*
--   GP ADMX file name: *logon.admx*
+<!-- DisableLockScreenAppNotifications-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--/ADMXBacked-->
-<!--/Policy-->
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- DisableLockScreenAppNotifications-DFProperties-End -->
 
-<hr/>
+<!-- DisableLockScreenAppNotifications-AdmxBacked-Begin -->
+**ADMX mapping**:
 
-<!--Policy-->
-<a href="" id="windowslogon-dontdisplaynetworkselectionui"></a>**WindowsLogon/DontDisplayNetworkSelectionUI**
+| Name | Value |
+|:--|:--|
+| Name | DisableLockScreenAppNotifications |
+| Friendly Name | Turn off app notifications on the lock screen |
+| Location | Computer Configuration |
+| Path | System > Logon |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | DisableLockScreenAppNotifications |
+| ADMX File Name | Logon.admx |
+<!-- DisableLockScreenAppNotifications-AdmxBacked-End -->
 
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
+<!-- DisableLockScreenAppNotifications-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- DisableLockScreenAppNotifications-Examples-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- DisableLockScreenAppNotifications-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- DontDisplayNetworkSelectionUI-Begin -->
+## DontDisplayNetworkSelectionUI
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- DontDisplayNetworkSelectionUI-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- DontDisplayNetworkSelectionUI-Applicability-End -->
 
-> [!div class = "checklist"]
-> * Device
+<!-- DontDisplayNetworkSelectionUI-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI
+```
+<!-- DontDisplayNetworkSelectionUI-OmaUri-End -->
 
-<hr/>
+<!-- DontDisplayNetworkSelectionUI-Description-Begin -->
+This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.
 
-<!--/Scope-->
-<!--Description-->
-This policy setting allows you to control whether anyone can interact with available networks UI on the sign-in screen.
-
-If you enable this policy setting, the PC's network connectivity state can't be changed without signing into Windows.
+If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.
 
 If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
+<!-- DontDisplayNetworkSelectionUI-Description-End -->
+
+<!-- DontDisplayNetworkSelectionUI-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- DontDisplayNetworkSelectionUI-Editable-End -->
+
+<!-- DontDisplayNetworkSelectionUI-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- DontDisplayNetworkSelectionUI-DFProperties-End -->
+
+<!-- DontDisplayNetworkSelectionUI-AdmxBacked-Begin -->
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DontDisplayNetworkSelectionUI |
+| Friendly Name | Do not display network selection UI |
+| Location | Computer Configuration |
+| Path | System > Logon |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | DontDisplayNetworkSelectionUI |
+| ADMX File Name | Logon.admx |
+<!-- DontDisplayNetworkSelectionUI-AdmxBacked-End -->
+
+<!-- DontDisplayNetworkSelectionUI-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+**Example**:
 
 Here's an example to enable this policy:
 
@@ -287,236 +284,314 @@ Here's an example to enable this policy:
   </SyncBody>
 </SyncML>
 ```
+<!-- DontDisplayNetworkSelectionUI-Examples-End -->
 
-<!--/Description-->
+<!-- DontDisplayNetworkSelectionUI-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP Friendly name: *Do not display network selection UI*
--   GP name: *DontDisplayNetworkSelectionUI*
--   GP path: *System/Logon*
--   GP ADMX file name: *logon.admx*
+<!-- EnableFirstLogonAnimation-Begin -->
+## EnableFirstLogonAnimation
 
-<!--/ADMXBacked-->
-<!--/Policy-->
+<!-- EnableFirstLogonAnimation-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
+<!-- EnableFirstLogonAnimation-Applicability-End -->
 
-<hr/>
+<!-- EnableFirstLogonAnimation-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
+```
+<!-- EnableFirstLogonAnimation-OmaUri-End -->
 
-<!--Policy-->
-<a href="" id="windowslogon-enablefirstlogonanimation"></a>**WindowsLogon/EnableFirstLogonAnimation**
+<!-- EnableFirstLogonAnimation-Description-Begin -->
+This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time.  This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later.  It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in.
 
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
+If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation.
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|Yes|Yes|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services.
 
-<!--/SupportedSKUs-->
-<hr/>
+If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation.
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+Note: The first sign-in animation will not be shown on Server, so this policy will have no effect.
+<!-- EnableFirstLogonAnimation-Description-End -->
 
-> [!div class = "checklist"]
-> * Device
+<!-- EnableFirstLogonAnimation-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableFirstLogonAnimation-Editable-End -->
 
-<hr/>
+<!-- EnableFirstLogonAnimation-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--/Scope-->
-<!--Description-->
-This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This view applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 1 |
+<!-- EnableFirstLogonAnimation-DFProperties-End -->
 
-If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation.
+<!-- EnableFirstLogonAnimation-AllowedValues-Begin -->
+**Allowed values**:
 
-If you disable this policy setting, users don't see the animation and Microsoft account users don't see the opt-in prompt for services.
+| Value | Description |
+|:--|:--|
+| 0 | Disabled. |
+| 1 (Default) | Enabled. |
+<!-- EnableFirstLogonAnimation-AllowedValues-End -->
 
-If you don't configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting isn't configured, users new to this computer don't see the animation.
+<!-- EnableFirstLogonAnimation-GpMapping-Begin -->
+**Group policy mapping**:
 
-> [!NOTE]
-> The first sign-in animation isn't displayed on Server, so this policy has no effect.
+| Name | Value |
+|:--|:--|
+| Name | EnableFirstLogonAnimation |
+| Friendly Name | Show first sign-in animation  |
+| Location | Computer Configuration |
+| Path | System > Logon |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | EnableFirstLogonAnimation |
+| ADMX File Name | Logon.admx |
+<!-- EnableFirstLogonAnimation-GpMapping-End -->
 
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Show first sign-in animation*
--   GP name: *EnableFirstLogonAnimation*
--   GP path: *System/Logon*
--   GP ADMX file name: *Logon.admx*
+<!-- EnableFirstLogonAnimation-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableFirstLogonAnimation-Examples-End -->
 
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-Supported values:
--   0 - disabled
--   1 - enabled
-<!--/SupportedValues-->
-<!--Example-->
+<!-- EnableFirstLogonAnimation-End -->
 
-<!--/Example-->
-<!--Validation-->
+<!-- EnableMPRNotifications-Begin -->
+## EnableMPRNotifications
 
-<!--/Validation-->
-<!--/Policy-->
+<!-- EnableMPRNotifications-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+<!-- EnableMPRNotifications-Applicability-End -->
 
-<hr/>
+<!-- EnableMPRNotifications-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableMPRNotifications
+```
+<!-- EnableMPRNotifications-OmaUri-End -->
 
-<!--Policy-->
-<a href="" id="windowslogon-enablemprnotifications"></a>**WindowsLogon/EnableMPRNotifications**
+<!-- EnableMPRNotifications-Description-Begin -->
+This policy controls the configuration under which winlogon sends MPR notifications in the system.
 
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
+If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured.
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+If you disable this setting, winlogon does not send MPR notifications.
+<!-- EnableMPRNotifications-Description-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- EnableMPRNotifications-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnableMPRNotifications-Editable-End -->
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- EnableMPRNotifications-DFProperties-Begin -->
+**Description framework properties**:
 
-> [!div class = "checklist"]
-> * Device
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EnableMPRNotifications-DFProperties-End -->
 
-<hr/>
+<!-- EnableMPRNotifications-AdmxBacked-Begin -->
+**ADMX mapping**:
 
-<!--/Scope-->
-<!--Description-->
-This policy allows winlogon to send MPR notifications in the system if a credential manager is configured.
+| Name | Value |
+|:--|:--|
+| Name | EnableMPRNotifications |
+| Friendly Name | Enable MPR notifications for the system |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Logon Options |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | EnableMPR |
+| ADMX File Name | WinLogon.admx |
+<!-- EnableMPRNotifications-AdmxBacked-End -->
 
-If you disable (0), MPR notifications will not be sent by winlogon.
+<!-- EnableMPRNotifications-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnableMPRNotifications-Examples-End -->
 
-If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon.
+<!-- EnableMPRNotifications-End -->
 
-<!--/Description-->
-<!--SupportedValues-->
-Supported values:
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Begin -->
+## EnumerateLocalUsersOnDomainJoinedComputers
 
--   0 - disabled
--   1 (default)- enabled
-<!--/SupportedValues-->
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1803 [10.0.17134] and later |
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Applicability-End -->
 
-<!--/Policy-->
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
+```
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-OmaUri-End -->
 
-<hr/>
-
-<!--Policy-->
-<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**
-
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-<!--/SupportedSKUs-->
-<hr/>
-
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Description-Begin -->
 This policy setting allows local users to be enumerated on domain-joined computers.
 
 If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers.
 
-If you disable or don't configure this policy setting, the Logon UI won't enumerate local users on domain-joined computers.
+If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers.
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Description-End -->
 
-<!--/Description-->
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Editable-End -->
 
-<!--ADMXBacked-->
-ADMX Info:
--   GP Friendly name: *Enumerate local users on domain-joined computers*
--   GP name: *EnumerateLocalUsers*
--   GP path: *System/Logon*
--   GP ADMX file name: *logon.admx*
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-DFProperties-Begin -->
+**Description framework properties**:
 
-<!--/ADMXBacked-->
-<!--/Policy-->
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-DFProperties-End -->
 
-<hr/>
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-AdmxBacked-Begin -->
+**ADMX mapping**:
 
-<!--Policy-->
-<a href="" id="windowslogon-hidefastuserswitching"></a>**WindowsLogon/HideFastUserSwitching**
+| Name | Value |
+|:--|:--|
+| Name | EnumerateLocalUsers |
+| Friendly Name | Enumerate local users on domain-joined computers |
+| Location | Computer Configuration |
+| Path | System > Logon |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | EnumerateLocalUsers |
+| ADMX File Name | Logon.admx |
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-AdmxBacked-End -->
 
-<!--SupportedSKUs-->
-The table below shows the applicability of Windows:
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-Examples-End -->
 
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+<!-- EnumerateLocalUsersOnDomainJoinedComputers-End -->
 
-<!--/SupportedSKUs-->
-<hr/>
+<!-- HideFastUserSwitching-Begin -->
+## HideFastUserSwitching
 
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+<!-- HideFastUserSwitching-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
+<!-- HideFastUserSwitching-Applicability-End -->
 
-> [!div class = "checklist"]
-> * Device
+<!-- HideFastUserSwitching-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching
+```
+<!-- HideFastUserSwitching-OmaUri-End -->
 
-<hr/>
+<!-- HideFastUserSwitching-Description-Begin -->
+This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager.
 
-<!--/Scope-->
-<!--Description-->
-This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or don't configure this policy setting, the Switch account button is accessible to the user in the three locations.
+If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied.
 
-<!--/Description-->
-<!--ADMXMapped-->
-ADMX Info:
--   GP Friendly name: *Hide entry points for Fast User Switching*
--   GP name: *HideFastUserSwitching*
--   GP path: *System/Logon*
--   GP ADMX file name: *Logon.admx*
+The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager.
 
-<!--/ADMXMapped-->
-<!--SupportedValues-->
-The following list shows the supported values:
+If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations.
+<!-- HideFastUserSwitching-Description-End -->
 
--   0 (default) - Disabled (visible).
--   1 - Enabled (hidden).
+<!-- HideFastUserSwitching-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- HideFastUserSwitching-Editable-End -->
 
-<!--/SupportedValues-->
-<!--Validation-->
-To validate on Desktop, do the following steps:
+<!-- HideFastUserSwitching-DFProperties-Begin -->
+**Description framework properties**:
 
-1.   Enable policy.
-2.   Verify that the Switch account button in Start is hidden.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- HideFastUserSwitching-DFProperties-End -->
 
-<!--/Validation-->
-<!--/Policy-->
-<hr/>
+<!-- HideFastUserSwitching-AllowedValues-Begin -->
+**Allowed values**:
 
-<!--/Policies-->
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled (visible). |
+| 1 | Enabled (hidden). |
+<!-- HideFastUserSwitching-AllowedValues-End -->
 
-## Related topics
+<!-- HideFastUserSwitching-GpMapping-Begin -->
+**Group policy mapping**:
 
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+| Name | Value |
+|:--|:--|
+| Name | HideFastUserSwitching |
+| Friendly Name | Hide entry points for Fast User Switching |
+| Location | Computer Configuration |
+| Path | System > Logon |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | HideFastUserSwitching |
+| ADMX File Name | Logon.admx |
+<!-- HideFastUserSwitching-GpMapping-End -->
+
+<!-- HideFastUserSwitching-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- HideFastUserSwitching-Examples-End -->
+
+<!-- HideFastUserSwitching-End -->
+
+<!-- OverrideShellProgram-Begin -->
+## OverrideShellProgram
+
+<!-- OverrideShellProgram-Applicability-Begin -->
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+<!-- OverrideShellProgram-Applicability-End -->
+
+<!-- OverrideShellProgram-OmaUri-Begin -->
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram
+```
+<!-- OverrideShellProgram-OmaUri-End -->
+
+<!-- OverrideShellProgram-Description-Begin -->
+This policy is used by IT admin to override the registry based shell program.
+<!-- OverrideShellProgram-Description-End -->
+
+<!-- OverrideShellProgram-Editable-Begin -->
+<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
+<!-- OverrideShellProgram-Editable-End -->
+
+<!-- OverrideShellProgram-DFProperties-Begin -->
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value  | 0 |
+<!-- OverrideShellProgram-DFProperties-End -->
+
+<!-- OverrideShellProgram-AllowedValues-Begin -->
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not Configured |
+| 1 | Apply Lightweight shell |
+<!-- OverrideShellProgram-AllowedValues-End -->
+
+<!-- OverrideShellProgram-Examples-Begin -->
+<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
+<!-- OverrideShellProgram-Examples-End -->
+
+<!-- OverrideShellProgram-End -->
+
+<!-- WindowsLogon-CspMoreInfo-Begin -->
+<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
+<!-- WindowsLogon-CspMoreInfo-End -->
+
+<!-- WindowsLogon-End -->
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md
index 97687279b6..259cea10dc 100644
--- a/windows/client-management/mdm/policy-csp-windowspowershell.md
+++ b/windows/client-management/mdm/policy-csp-windowspowershell.md
@@ -3,12 +3,12 @@ title: Policy CSP - WindowsPowerShell
 description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index 614d5d9496..c6271913c6 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -3,8 +3,8 @@ title: Policy CSP - WindowsSandbox
 description: Policy CSP - WindowsSandbox
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 10/14/2020
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index b290aca34c..854f98de60 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -3,12 +3,12 @@ title: Policy CSP - WirelessDisplay
 description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 8bd3586113..07c6ded973 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: Policy DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 10/28/2020
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index 2462a7dcbb..dfa0ed323d 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -1,12 +1,12 @@
 ---
 title: Provisioning CSP
 description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index abed3e7963..82b9629e4d 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -1,12 +1,12 @@
 ---
 title: PXLOGICAL configuration service provider
 description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 42e06b3bc0..1f1ced6498 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -1,12 +1,12 @@
 ---
 title: Reboot CSP
 description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index 25c6107ae8..0b5f03a5ba 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: Reboot DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md
index 5d7e167612..8430142ede 100644
--- a/windows/client-management/mdm/remotefind-csp.md
+++ b/windows/client-management/mdm/remotefind-csp.md
@@ -1,12 +1,12 @@
 ---
 title: RemoteFind CSP
 description: The RemoteFind configuration service provider retrieves the location information for a particular device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md
index 1b391b32f9..b0a282ba66 100644
--- a/windows/client-management/mdm/remotefind-ddf-file.md
+++ b/windows/client-management/mdm/remotefind-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: RemoteFind DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
index fc8e8d1044..16c44fd50b 100644
--- a/windows/client-management/mdm/remotering-csp.md
+++ b/windows/client-management/mdm/remotering-csp.md
@@ -1,12 +1,12 @@
 ---
 title: RemoteRing CSP
 description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 73d74f2f2f..f1ad46c81f 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -1,12 +1,12 @@
 ---
 title: RemoteWipe CSP
 description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2018
 ---
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index cb8b212a60..26bd073966 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: RemoteWipe DDF file
 description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2018
 ---
diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md
index 690823bd91..7921654d92 100644
--- a/windows/client-management/mdm/reporting-csp.md
+++ b/windows/client-management/mdm/reporting-csp.md
@@ -1,12 +1,12 @@
 ---
 title: Reporting CSP
 description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index f69c53b09e..1681b2d8c2 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: Reporting DDF file
 description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 7c02b4278c..13ec3d35cc 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -1,12 +1,12 @@
 ---
 title: RootCATrustedCertificates CSP
 description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/06/2018
 ---
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index 6d2e87da05..9f73b6023a 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: RootCATrustedCertificates DDF file
 description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/07/2018
 ---
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 6a0f58509c..196eff5292 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,12 +1,12 @@
 ---
 title: SecureAssessment CSP
 description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index 7302a11288..4225ec9c51 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: SecureAssessment DDF file
 description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 72474375fb..3ca90e30a3 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -1,12 +1,12 @@
 ---
 title: SecurityPolicy CSP
 description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md
index 89e0c49e59..9ec9fb7703 100644
--- a/windows/client-management/mdm/sharedpc-csp.md
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -1,12 +1,12 @@
 ---
 title: SharedPC CSP
 description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/23/2022
 ---
diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md
index 87ee1da106..764d14a202 100644
--- a/windows/client-management/mdm/sharedpc-ddf-file.md
+++ b/windows/client-management/mdm/sharedpc-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: SharedPC DDF file
 description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index 53182c42d1..e1e42f6685 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -1,12 +1,12 @@
 ---
 title: Storage CSP
 description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index aba4222037..508dfb3f66 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: Storage DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 32fc177aa9..a14b9afd32 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,12 +1,12 @@
 ---
 title: SUPL CSP
 description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/12/2019
 ---
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index 6ddf560abe..ce35649aaf 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: SUPL DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/03/2020
 ---
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index 60c07c552b..9ddb730b42 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -1,12 +1,12 @@
 ---
 title: SurfaceHub CSP
 description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/28/2017
 ---
diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md
index 19363a0c32..b641ecada1 100644
--- a/windows/client-management/mdm/surfacehub-ddf-file.md
+++ b/windows/client-management/mdm/surfacehub-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: SurfaceHub DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index e44dd9087b..615cdfaa7a 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -3,11 +3,11 @@ title: TenantLockdown CSP
 description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index 20ef115f73..788ba62e5c 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -3,11 +3,11 @@ title: TenantLockdown DDF file
 description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 888db084cb..d1d4e1f569 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -1,920 +1,940 @@
 items:
-  - name: Configuration service provider reference
-    href: index.yml
+- name: Configuration service provider reference
+  href: index.yml
+  expanded: true
+  items:
+  - name: Device description framework (DDF) files
+    href: configuration-service-provider-ddf.md
+  - name: Support scenarios
+    href: configuration-service-provider-support.md
+  - name: WMI Bridge provider
+    items:
+    - name: Using PowerShell scripting with the WMI Bridge Provider
+      href: ../using-powershell-scripting-with-the-wmi-bridge-provider.md
+    - name: WMI providers supported in Windows 10
+      href: ../wmi-providers-supported-in-windows.md
+  - name: Understanding ADMX policies
+    href: ../understanding-admx-backed-policies.md
+    items:
+    - name: Enable ADMX policies in MDM
+      href: ../enable-admx-backed-policies-in-mdm.md
+    - name: Win32 and Desktop Bridge app policy configuration
+      href: ../win32-and-centennial-app-policy-configuration.md
+  - name: OMA DM protocol support
+    href: ../oma-dm-protocol-support.md
+    items:
+    - name: Structure of OMA DM provisioning files
+      href: ../structure-of-oma-dm-provisioning-files.md
+    - name: Server requirements for OMA DM
+      href: ../server-requirements-windows-mdm.md
+  - name: Configuration service providers (CSPs)
     expanded: true
     items:
-    - name: Device description framework (DDF) files
-      href: configuration-service-provider-ddf.md
-    - name: Support scenarios
-      href: configuration-service-provider-support.md
-    - name: WMI Bridge provider
+    - name: Policy
+      href: policy-configuration-service-provider.md
       items:
-      - name: Using PowerShell scripting with the WMI Bridge Provider
-        href: ../using-powershell-scripting-with-the-wmi-bridge-provider.md
-      - name: WMI providers supported in Windows 10
-        href: ../wmi-providers-supported-in-windows.md
-    - name: Understanding ADMX policies
-      href: ../understanding-admx-backed-policies.md
+      - name: Policy CSP DDF file
+        href: policy-ddf-file.md
+      - name: Policy CSP support scenarios
+        items:
+        - name: ADMX policies in Policy CSP
+          href: policies-in-policy-csp-admx-backed.md
+        - name: Policies in Policy CSP supported by Group Policy
+          href: policies-in-policy-csp-supported-by-group-policy.md
+        - name: Policies in Policy CSP supported by HoloLens 2
+          href: policies-in-policy-csp-supported-by-hololens2.md
+        - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
+          href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
+        - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
+          href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
+        - name: Policies in Policy CSP supported by Windows 10 IoT Core
+          href: policies-in-policy-csp-supported-by-iot-core.md
+        - name: Policies in Policy CSP supported by Microsoft Surface Hub
+          href: policies-in-policy-csp-supported-by-surface-hub.md
+        - name: Policy CSPs that can be set using Exchange Active Sync (EAS)
+          href: policies-in-policy-csp-that-can-be-set-using-eas.md
+      - name: Policy CSP areas
+        expanded: true
+        items:
+        - name: AboveLock
+          href: policy-csp-abovelock.md
+        - name: Accounts
+          href: policy-csp-accounts.md
+        - name: ActiveXControls
+          href: policy-csp-activexcontrols.md
+        - name: ADMX_ActiveXInstallService
+          href: policy-csp-admx-activexinstallservice.md
+        - name: ADMX_AddRemovePrograms
+          href: policy-csp-admx-addremoveprograms.md
+        - name: ADMX_AdmPwd
+          href: policy-csp-admx-admpwd.md
+        - name: ADMX_AppCompat
+          href: policy-csp-admx-appcompat.md
+        - name: ADMX_AppxPackageManager
+          href: policy-csp-admx-appxpackagemanager.md
+        - name: ADMX_AppXRuntime
+          href: policy-csp-admx-appxruntime.md
+        - name: ADMX_AttachmentManager
+          href: policy-csp-admx-attachmentmanager.md
+        - name: ADMX_AuditSettings
+          href: policy-csp-admx-auditsettings.md
+        - name: ADMX_Bits
+          href: policy-csp-admx-bits.md
+        - name: ADMX_CipherSuiteOrder
+          href: policy-csp-admx-ciphersuiteorder.md
+        - name: ADMX_COM
+          href: policy-csp-admx-com.md
+        - name: ADMX_ControlPanel
+          href: policy-csp-admx-controlpanel.md
+        - name: ADMX_ControlPanelDisplay
+          href: policy-csp-admx-controlpaneldisplay.md
+        - name: ADMX_Cpls
+          href: policy-csp-admx-cpls.md
+        - name: ADMX_CredentialProviders
+          href: policy-csp-admx-credentialproviders.md
+        - name: ADMX_CredSsp
+          href: policy-csp-admx-credssp.md
+        - name: ADMX_CredUI
+          href: policy-csp-admx-credui.md
+        - name: ADMX_CtrlAltDel
+          href: policy-csp-admx-ctrlaltdel.md
+        - name: ADMX_DataCollection
+          href: policy-csp-admx-datacollection.md
+        - name: ADMX_DCOM
+          href: policy-csp-admx-dcom.md
+        - name: ADMX_Desktop
+          href: policy-csp-admx-desktop.md
+        - name: ADMX_DeviceCompat
+          href: policy-csp-admx-devicecompat.md
+        - name: ADMX_DeviceGuard
+          href: policy-csp-admx-deviceguard.md
+        - name: ADMX_DeviceInstallation
+          href: policy-csp-admx-deviceinstallation.md
+        - name: ADMX_DeviceSetup
+          href: policy-csp-admx-devicesetup.md
+        - name: ADMX_DFS
+          href: policy-csp-admx-dfs.md
+        - name: ADMX_DigitalLocker
+          href: policy-csp-admx-digitallocker.md
+        - name: ADMX_DiskDiagnostic
+          href: policy-csp-admx-diskdiagnostic.md
+        - name: ADMX_DistributedLinkTracking
+          href: policy-csp-admx-distributedlinktracking.md
+        - name: ADMX_DnsClient
+          href: policy-csp-admx-dnsclient.md
+        - name: ADMX_DWM
+          href: policy-csp-admx-dwm.md
+        - name: ADMX_EAIME
+          href: policy-csp-admx-eaime.md
+        - name: ADMX_EncryptFilesonMove
+          href: policy-csp-admx-encryptfilesonmove.md
+        - name: ADMX_EnhancedStorage
+          href: policy-csp-admx-enhancedstorage.md
+        - name: ADMX_ErrorReporting
+          href: policy-csp-admx-errorreporting.md
+        - name: ADMX_EventForwarding
+          href: policy-csp-admx-eventforwarding.md
+        - name: ADMX_EventLog
+          href: policy-csp-admx-eventlog.md
+        - name: ADMX_EventLogging
+          href: policy-csp-admx-eventlogging.md
+        - name: ADMX_EventViewer
+          href: policy-csp-admx-eventviewer.md
+        - name: ADMX_Explorer
+          href: policy-csp-admx-explorer.md
+        - name: ADMX_ExternalBoot
+          href: policy-csp-admx-externalboot.md
+        - name: ADMX_FileRecovery
+          href: policy-csp-admx-filerecovery.md
+        - name: ADMX_FileRevocation
+          href: policy-csp-admx-filerevocation.md
+        - name: ADMX_FileServerVSSProvider
+          href: policy-csp-admx-fileservervssprovider.md
+        - name: ADMX_FileSys
+          href: policy-csp-admx-filesys.md
+        - name: ADMX_FolderRedirection
+          href: policy-csp-admx-folderredirection.md
+        - name: ADMX_FramePanes
+          href: policy-csp-admx-framepanes.md
+        - name: ADMX_FTHSVC
+          href: policy-csp-admx-fthsvc.md
+        - name: ADMX_Globalization
+          href: policy-csp-admx-globalization.md
+        - name: ADMX_GroupPolicy
+          href: policy-csp-admx-grouppolicy.md
+        - name: ADMX_Help
+          href: policy-csp-admx-help.md
+        - name: ADMX_HelpAndSupport
+          href: policy-csp-admx-helpandsupport.md
+        - name: ADMX_HotSpotAuth
+          href: policy-csp-admx-hotspotauth.md
+        - name: ADMX_ICM
+          href: policy-csp-admx-icm.md
+        - name: ADMX_IIS
+          href: policy-csp-admx-iis.md
+        - name: ADMX_iSCSI
+          href: policy-csp-admx-iscsi.md
+        - name: ADMX_kdc
+          href: policy-csp-admx-kdc.md
+        - name: ADMX_Kerberos
+          href: policy-csp-admx-kerberos.md
+        - name: ADMX_LanmanServer
+          href: policy-csp-admx-lanmanserver.md
+        - name: ADMX_LanmanWorkstation
+          href: policy-csp-admx-lanmanworkstation.md
+        - name: ADMX_LeakDiagnostic
+          href: policy-csp-admx-leakdiagnostic.md
+        - name: ADMX_LinkLayerTopologyDiscovery
+          href: policy-csp-admx-linklayertopologydiscovery.md
+        - name: ADMX_LocationProviderAdm
+          href: policy-csp-admx-locationprovideradm.md
+        - name: ADMX_Logon
+          href: policy-csp-admx-logon.md
+        - name: ADMX_MicrosoftDefenderAntivirus
+          href: policy-csp-admx-microsoftdefenderantivirus.md
+        - name: ADMX_MMC
+          href: policy-csp-admx-mmc.md
+        - name: ADMX_MMCSnapins
+          href: policy-csp-admx-mmcsnapins.md
+        - name: ADMX_MobilePCMobilityCenter
+          href: policy-csp-admx-mobilepcmobilitycenter.md
+        - name: ADMX_MobilePCPresentationSettings
+          href: policy-csp-admx-mobilepcpresentationsettings.md
+        - name: ADMX_MSAPolicy
+          href: policy-csp-admx-msapolicy.md
+        - name: ADMX_msched
+          href: policy-csp-admx-msched.md
+        - name: ADMX_MSDT
+          href: policy-csp-admx-msdt.md
+        - name: ADMX_MSI
+          href: policy-csp-admx-msi.md
+        - name: ADMX_MsiFileRecovery
+          href: policy-csp-admx-msifilerecovery.md
+        - name: ADMX_MSS-legacy
+          href: policy-csp-admx-mss-legacy.md
+        - name: ADMX_nca
+          href: policy-csp-admx-nca.md
+        - name: ADMX_NCSI
+          href: policy-csp-admx-ncsi.md
+        - name: ADMX_Netlogon
+          href: policy-csp-admx-netlogon.md
+        - name: ADMX_NetworkConnections
+          href: policy-csp-admx-networkconnections.md
+        - name: ADMX_OfflineFiles
+          href: policy-csp-admx-offlinefiles.md
+        - name: ADMX_pca
+          href: policy-csp-admx-pca.md
+        - name: ADMX_PeerToPeerCaching
+          href: policy-csp-admx-peertopeercaching.md
+        - name: ADMX_PenTraining
+          href: policy-csp-admx-pentraining.md
+        - name: ADMX_PerformanceDiagnostics
+          href: policy-csp-admx-performancediagnostics.md
+        - name: ADMX_Power
+          href: policy-csp-admx-power.md
+        - name: ADMX_PowerShellExecutionPolicy
+          href: policy-csp-admx-powershellexecutionpolicy.md
+        - name: ADMX_PreviousVersions
+          href: policy-csp-admx-previousversions.md
+        - name: ADMX_Printing
+          href: policy-csp-admx-printing.md
+        - name: ADMX_Printing2
+          href: policy-csp-admx-printing2.md
+        - name: ADMX_Programs
+          href: policy-csp-admx-programs.md
+        - name: ADMX_QOS
+          href: policy-csp-admx-qos.md
+        - name: ADMX_Reliability
+          href: policy-csp-admx-reliability.md
+        - name: ADMX_RemoteAssistance
+          href: policy-csp-admx-remoteassistance.md
+        - name: ADMX_RemovableStorage
+          href: policy-csp-admx-removablestorage.md
+        - name: ADMX_RPC
+          href: policy-csp-admx-rpc.md
+        - name: ADMX_sam
+          href: policy-csp-admx-sam.md
+        - name: ADMX_Scripts
+          href: policy-csp-admx-scripts.md
+        - name: ADMX_sdiageng
+          href: policy-csp-admx-sdiageng.md
+        - name: ADMX_sdiagschd
+          href: policy-csp-admx-sdiagschd.md
+        - name: ADMX_Securitycenter
+          href: policy-csp-admx-securitycenter.md
+        - name: ADMX_Sensors
+          href: policy-csp-admx-sensors.md
+        - name: ADMX_ServerManager
+          href: policy-csp-admx-servermanager.md
+        - name: ADMX_Servicing
+          href: policy-csp-admx-servicing.md
+        - name: ADMX_SettingSync
+          href: policy-csp-admx-settingsync.md
+        - name: ADMX_SharedFolders
+          href: policy-csp-admx-sharedfolders.md
+        - name: ADMX_Sharing
+          href: policy-csp-admx-sharing.md
+        - name: ADMX_ShellCommandPromptRegEditTools
+          href: policy-csp-admx-shellcommandpromptregedittools.md
+        - name: ADMX_Smartcard
+          href: policy-csp-admx-smartcard.md
+        - name: ADMX_Snmp
+          href: policy-csp-admx-snmp.md
+        - name: ADMX_StartMenu
+          href: policy-csp-admx-startmenu.md
+        - name: ADMX_SystemRestore
+          href: policy-csp-admx-systemrestore.md
+        - name: ADMX_TabletPCInputPanel
+          href: policy-csp-admx-tabletpcinputpanel.md
+        - name: ADMX_TabletShell
+          href: policy-csp-admx-tabletshell.md
+        - name: ADMX_Taskbar
+          href: policy-csp-admx-taskbar.md
+        - name: ADMX_tcpip
+          href: policy-csp-admx-tcpip.md
+        - name: ADMX_TerminalServer
+          href: policy-csp-admx-terminalserver.md
+        - name: ADMX_Thumbnails
+          href: policy-csp-admx-thumbnails.md
+        - name: ADMX_TouchInput
+          href: policy-csp-admx-touchinput.md
+        - name: ADMX_TPM
+          href: policy-csp-admx-tpm.md
+        - name: ADMX_UserExperienceVirtualization
+          href: policy-csp-admx-userexperiencevirtualization.md
+        - name: ADMX_UserProfiles
+          href: policy-csp-admx-userprofiles.md
+        - name: ADMX_W32Time
+          href: policy-csp-admx-w32time.md
+        - name: ADMX_WCM
+          href: policy-csp-admx-wcm.md
+        - name: ADMX_WDI
+          href: policy-csp-admx-wdi.md
+        - name: ADMX_WinCal
+          href: policy-csp-admx-wincal.md
+        - name: ADMX_WindowsConnectNow
+          href: policy-csp-admx-windowsconnectnow.md
+        - name: ADMX_WindowsExplorer
+          href: policy-csp-admx-windowsexplorer.md
+        - name: ADMX_WindowsMediaDRM
+          href: policy-csp-admx-windowsmediadrm.md
+        - name: ADMX_WindowsMediaPlayer
+          href: policy-csp-admx-windowsmediaplayer.md
+        - name: ADMX_WindowsRemoteManagement
+          href: policy-csp-admx-windowsremotemanagement.md
+        - name: ADMX_WindowsStore
+          href: policy-csp-admx-windowsstore.md
+        - name: ADMX_WinInit
+          href: policy-csp-admx-wininit.md
+        - name: ADMX_WinLogon
+          href: policy-csp-admx-winlogon.md
+        - name: ADMX_wlansvc
+          href: policy-csp-admx-wlansvc.md
+        - name: ADMX_WordWheel
+          href: policy-csp-admx-wordwheel.md
+        - name: ADMX_WorkFoldersClient
+          href: policy-csp-admx-workfoldersclient.md
+        - name: ADMX_WPN
+          href: policy-csp-admx-wpn.md
+        - name: ADMX-Winsrv
+          href: policy-csp-admx-winsrv.md
+        - name: ApplicationDefaults
+          href: policy-csp-applicationdefaults.md
+        - name: ApplicationManagement
+          href: policy-csp-applicationmanagement.md
+        - name: AppRuntime
+          href: policy-csp-appruntime.md
+        - name: AppVirtualization
+          href: policy-csp-appvirtualization.md
+        - name: AttachmentManager
+          href: policy-csp-attachmentmanager.md
+        - name: Audit
+          href: policy-csp-audit.md
+        - name: Authentication
+          href: policy-csp-authentication.md
+        - name: Autoplay
+          href: policy-csp-autoplay.md
+        - name: BitLocker
+          href: policy-csp-bitlocker.md
+        - name: BITS
+          href: policy-csp-bits.md
+        - name: Bluetooth
+          href: policy-csp-bluetooth.md
+        - name: Browser
+          href: policy-csp-browser.md
+        - name: Camera
+          href: policy-csp-camera.md
+        - name: Cellular
+          href: policy-csp-cellular.md
+        - name: CloudDesktop
+          href: policy-csp-clouddesktop.md
+        - name: CloudPC
+          href: policy-csp-cloudpc.md
+        - name: Connectivity
+          href: policy-csp-connectivity.md
+        - name: ControlPolicyConflict
+          href: policy-csp-controlpolicyconflict.md
+        - name: CredentialProviders
+          href: policy-csp-credentialproviders.md
+        - name: CredentialsDelegation
+          href: policy-csp-credentialsdelegation.md
+        - name: CredentialsUI
+          href: policy-csp-credentialsui.md
+        - name: Cryptography
+          href: policy-csp-cryptography.md
+        - name: DataProtection
+          href: policy-csp-dataprotection.md
+        - name: DataUsage
+          href: policy-csp-datausage.md
+        - name: Defender
+          href: policy-csp-defender.md
+        - name: DeliveryOptimization
+          href: policy-csp-deliveryoptimization.md
+        - name: Desktop
+          href: policy-csp-desktop.md
+        - name: DesktopAppInstaller
+          href: policy-csp-desktopappinstaller.md
+        - name: DeviceGuard
+          href: policy-csp-deviceguard.md
+        - name: DeviceHealthMonitoring
+          href: policy-csp-devicehealthmonitoring.md
+        - name: DeviceInstallation
+          href: policy-csp-deviceinstallation.md
+        - name: DeviceLock
+          href: policy-csp-devicelock.md
+        - name: Display
+          href: policy-csp-display.md
+        - name: DmaGuard
+          href: policy-csp-dmaguard.md
+        - name: EAP
+          href: policy-csp-eap.md
+        - name: Education
+          href: policy-csp-education.md
+        - name: EnterpriseCloudPrint
+          href: policy-csp-enterprisecloudprint.md
+        - name: ErrorReporting
+          href: policy-csp-errorreporting.md
+        - name: EventLogService
+          href: policy-csp-eventlogservice.md
+        - name: Experience
+          href: policy-csp-experience.md
+        - name: ExploitGuard
+          href: policy-csp-exploitguard.md
+        - name: Federated Authentication
+          href: policy-csp-federatedauthentication.md
+        - name: Feeds
+          href: policy-csp-feeds.md
+        - name: FileExplorer
+          href: policy-csp-fileexplorer.md
+        - name: Games
+          href: policy-csp-games.md
+        - name: Handwriting
+          href: policy-csp-handwriting.md
+        - name: HumanPresence
+          href: policy-csp-humanpresence.md
+        - name: InternetExplorer
+          href: policy-csp-internetexplorer.md
+        - name: Kerberos
+          href: policy-csp-kerberos.md
+        - name: KioskBrowser
+          href: policy-csp-kioskbrowser.md
+        - name: LanmanWorkstation
+          href: policy-csp-lanmanworkstation.md
+        - name: Licensing
+          href: policy-csp-licensing.md
+        - name: LocalPoliciesSecurityOptions
+          href: policy-csp-localpoliciessecurityoptions.md
+        - name: LocalSecurityAuthority
+          href: policy-csp-lsa.md
+        - name: LocalUsersAndGroups
+          href: policy-csp-localusersandgroups.md
+        - name: LockDown
+          href: policy-csp-lockdown.md
+        - name: Maps
+          href: policy-csp-maps.md
+        - name: MemoryDump
+          href: policy-csp-memorydump.md
+        - name: Messaging
+          href: policy-csp-messaging.md
+        - name: MixedReality
+          href: policy-csp-mixedreality.md
+        - name: MSSecurityGuide
+          href: policy-csp-mssecurityguide.md
+        - name: MSSLegacy
+          href: policy-csp-msslegacy.md
+        - name: Multitasking
+          href: policy-csp-multitasking.md
+        - name: NetworkIsolation
+          href: policy-csp-networkisolation.md
+        - name: NetworkListManager
+          href: policy-csp-networklistmanager.md
+        - name: NewsAndInterests
+          href: policy-csp-newsandinterests.md
+        - name: Notifications
+          href: policy-csp-notifications.md
+        - name: Power
+          href: policy-csp-power.md
+        - name: Printers
+          href: policy-csp-printers.md
+        - name: Privacy
+          href: policy-csp-privacy.md
+        - name: RemoteAssistance
+          href: policy-csp-remoteassistance.md
+        - name: RemoteDesktop
+          href: policy-csp-remotedesktop.md
+        - name: RemoteDesktopServices
+          href: policy-csp-remotedesktopservices.md
+        - name: RemoteManagement
+          href: policy-csp-remotemanagement.md
+        - name: RemoteProcedureCall
+          href: policy-csp-remoteprocedurecall.md
+        - name: RemoteShell
+          href: policy-csp-remoteshell.md
+        - name: RestrictedGroups
+          href: policy-csp-restrictedgroups.md
+        - name: Search
+          href: policy-csp-search.md
+        - name: Security
+          href: policy-csp-security.md
+        - name: ServiceControlManager
+          href: policy-csp-servicecontrolmanager.md
+        - name: Settings
+          href: policy-csp-settings.md
+        - name: SettingsSync
+          href: policy-csp-settingssync.md
+        - name: Speech
+          href: policy-csp-speech.md
+        - name: Start
+          href: policy-csp-start.md
+        - name: Stickers
+          href: policy-csp-stickers.md
+        - name: Storage
+          href: policy-csp-storage.md
+        - name: System
+          href: policy-csp-system.md
+        - name: SystemServices
+          href: policy-csp-systemservices.md
+        - name: TaskManager
+          href: policy-csp-taskmanager.md
+        - name: TaskScheduler
+          href: policy-csp-taskscheduler.md
+        - name: TenantDefinedTelemetry
+          href: policy-csp-tenantdefinedtelemetry.md
+        - name: TenantRestrictions
+          href: policy-csp-tenantrestrictions.md
+        - name: TextInput
+          href: policy-csp-textinput.md
+        - name: TimeLanguageSettings
+          href: policy-csp-timelanguagesettings.md
+        - name: Troubleshooting
+          href: policy-csp-troubleshooting.md
+        - name: Update
+          href: policy-csp-update.md
+        - name: UserRights
+          href: policy-csp-userrights.md
+        - name: VirtualizationBasedTechnology
+          href: policy-csp-virtualizationbasedtechnology.md
+        - name: WebThreatDefense
+          href: policy-csp-webthreatdefense.md
+        - name: Wifi
+          href: policy-csp-wifi.md
+        - name: WindowsAutoPilot
+          href: policy-csp-windowsautopilot.md
+        - name: WindowsConnectionManager
+          href: policy-csp-windowsconnectionmanager.md
+        - name: WindowsDefenderSecurityCenter
+          href: policy-csp-windowsdefendersecuritycenter.md
+        - name: WindowsDefenderSmartScreen
+          href: policy-csp-smartscreen.md
+        - name: WindowsInkWorkspace
+          href: policy-csp-windowsinkworkspace.md
+        - name: WindowsLogon
+          href: policy-csp-windowslogon.md
+        - name: WindowsPowerShell
+          href: policy-csp-windowspowershell.md
+        - name: WindowsSandbox
+          href: policy-csp-windowssandbox.md
+        - name: WirelessDisplay
+          href: policy-csp-wirelessdisplay.md
+    - name: AccountManagement
+      href: accountmanagement-csp.md
       items:
-        - name: Enable ADMX policies in MDM
-          href: ../enable-admx-backed-policies-in-mdm.md
-        - name: Win32 and Desktop Bridge app policy configuration
-          href: ../win32-and-centennial-app-policy-configuration.md
-    - name: OMA DM protocol support
-      href: ../oma-dm-protocol-support.md
+      - name: AccountManagement DDF file
+        href: accountmanagement-ddf.md
+    - name: Accounts
+      href: accounts-csp.md
       items:
-        - name: Structure of OMA DM provisioning files
-          href: ../structure-of-oma-dm-provisioning-files.md
-        - name: Server requirements for OMA DM
-          href: ../server-requirements-windows-mdm.md
-    - name: Configuration service providers (CSPs)
-      expanded: true
+      - name: Accounts DDF file
+        href: accounts-ddf-file.md
+    - name: ActiveSync
+      href: activesync-csp.md
       items:
-      - name: Policy
-        href: policy-configuration-service-provider.md
-        items:
-          - name: Policy CSP DDF file
-            href: policy-ddf-file.md
-          - name: Policy CSP support scenarios
-            items:
-            - name: ADMX policies in Policy CSP
-              href: policies-in-policy-csp-admx-backed.md
-            - name: Policies in Policy CSP supported by Group Policy
-              href: policies-in-policy-csp-supported-by-group-policy.md
-            - name: Policies in Policy CSP supported by HoloLens 2
-              href: policies-in-policy-csp-supported-by-hololens2.md
-            - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
-              href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
-            - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
-              href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
-            - name: Policies in Policy CSP supported by Windows 10 IoT Core
-              href: policies-in-policy-csp-supported-by-iot-core.md
-            - name: Policies in Policy CSP supported by Microsoft Surface Hub
-              href: policies-in-policy-csp-supported-by-surface-hub.md
-            - name: Policy CSPs that can be set using Exchange Active Sync (EAS)
-              href: policies-in-policy-csp-that-can-be-set-using-eas.md
-          - name: Policy CSP areas
-            expanded: true
-            items:
-            - name: AboveLock
-              href: policy-csp-abovelock.md
-            - name: Accounts
-              href: policy-csp-accounts.md
-            - name: ActiveXControls
-              href: policy-csp-activexcontrols.md
-            - name: ADMX_ActiveXInstallService
-              href: policy-csp-admx-activexinstallservice.md
-            - name: ADMX_AddRemovePrograms
-              href: policy-csp-admx-addremoveprograms.md
-            - name: ADMX_AdmPwd
-              href: policy-csp-admx-admpwd.md
-            - name: ADMX_AppCompat
-              href: policy-csp-admx-appcompat.md
-            - name: ADMX_AppxPackageManager
-              href: policy-csp-admx-appxpackagemanager.md
-            - name: ADMX_AppXRuntime
-              href: policy-csp-admx-appxruntime.md
-            - name: ADMX_AttachmentManager
-              href: policy-csp-admx-attachmentmanager.md
-            - name: ADMX_AuditSettings
-              href: policy-csp-admx-auditsettings.md
-            - name: ADMX_Bits
-              href: policy-csp-admx-bits.md
-            - name: ADMX_CipherSuiteOrder
-              href: policy-csp-admx-ciphersuiteorder.md
-            - name: ADMX_COM
-              href: policy-csp-admx-com.md
-            - name: ADMX_ControlPanel
-              href: policy-csp-admx-controlpanel.md
-            - name: ADMX_ControlPanelDisplay
-              href: policy-csp-admx-controlpaneldisplay.md
-            - name: ADMX_Cpls
-              href: policy-csp-admx-cpls.md
-            - name: ADMX_CredentialProviders
-              href: policy-csp-admx-credentialproviders.md
-            - name: ADMX_CredSsp
-              href: policy-csp-admx-credssp.md
-            - name: ADMX_CredUI
-              href: policy-csp-admx-credui.md
-            - name: ADMX_CtrlAltDel
-              href: policy-csp-admx-ctrlaltdel.md
-            - name: ADMX_DataCollection
-              href: policy-csp-admx-datacollection.md
-            - name: ADMX_DCOM
-              href: policy-csp-admx-dcom.md
-            - name: ADMX_Desktop
-              href: policy-csp-admx-desktop.md
-            - name: ADMX_DeviceCompat
-              href: policy-csp-admx-devicecompat.md
-            - name: ADMX_DeviceGuard
-              href: policy-csp-admx-deviceguard.md
-            - name: ADMX_DeviceInstallation
-              href: policy-csp-admx-deviceinstallation.md
-            - name: ADMX_DeviceSetup
-              href: policy-csp-admx-devicesetup.md
-            - name: ADMX_DFS
-              href: policy-csp-admx-dfs.md
-            - name: ADMX_DigitalLocker
-              href: policy-csp-admx-digitallocker.md
-            - name: ADMX_DiskDiagnostic
-              href: policy-csp-admx-diskdiagnostic.md
-            - name: ADMX_DistributedLinkTracking
-              href: policy-csp-admx-distributedlinktracking.md
-            - name: ADMX_DnsClient
-              href: policy-csp-admx-dnsclient.md
-            - name: ADMX_DWM
-              href: policy-csp-admx-dwm.md
-            - name: ADMX_EAIME
-              href: policy-csp-admx-eaime.md
-            - name: ADMX_EncryptFilesonMove
-              href: policy-csp-admx-encryptfilesonmove.md
-            - name: ADMX_EventLogging
-              href: policy-csp-admx-eventlogging.md
-            - name: ADMX_EnhancedStorage
-              href: policy-csp-admx-enhancedstorage.md
-            - name: ADMX_ErrorReporting
-              href: policy-csp-admx-errorreporting.md
-            - name: ADMX_EventForwarding
-              href: policy-csp-admx-eventforwarding.md
-            - name: ADMX_EventLog
-              href: policy-csp-admx-eventlog.md
-            - name: ADMX_EventViewer
-              href: policy-csp-admx-eventviewer.md
-            - name: ADMX_Explorer
-              href: policy-csp-admx-explorer.md
-            - name: ADMX_ExternalBoot
-              href: policy-csp-admx-externalboot.md
-            - name: ADMX_FileRecovery
-              href: policy-csp-admx-filerecovery.md
-            - name: ADMX_FileRevocation
-              href: policy-csp-admx-filerevocation.md
-            - name: ADMX_FileServerVSSProvider
-              href: policy-csp-admx-fileservervssprovider.md
-            - name: ADMX_FileSys
-              href: policy-csp-admx-filesys.md
-            - name: ADMX_FolderRedirection
-              href: policy-csp-admx-folderredirection.md
-            - name: ADMX_FramePanes
-              href: policy-csp-admx-framepanes.md
-            - name: ADMX_FTHSVC
-              href: policy-csp-admx-fthsvc.md
-            - name: ADMX_Globalization
-              href: policy-csp-admx-globalization.md
-            - name: ADMX_GroupPolicy
-              href: policy-csp-admx-grouppolicy.md
-            - name: ADMX_Help
-              href: policy-csp-admx-help.md
-            - name: ADMX_HelpAndSupport
-              href: policy-csp-admx-helpandsupport.md
-            - name: ADMX_HotSpotAuth
-              href: policy-csp-admx-hotspotauth.md
-            - name: ADMX_ICM
-              href: policy-csp-admx-icm.md
-            - name: ADMX_IIS
-              href: policy-csp-admx-iis.md
-            - name: ADMX_iSCSI
-              href: policy-csp-admx-iscsi.md
-            - name: ADMX_kdc
-              href: policy-csp-admx-kdc.md
-            - name: ADMX_Kerberos
-              href: policy-csp-admx-kerberos.md
-            - name: ADMX_LanmanServer
-              href: policy-csp-admx-lanmanserver.md
-            - name: ADMX_LanmanWorkstation
-              href: policy-csp-admx-lanmanworkstation.md
-            - name: ADMX_LeakDiagnostic
-              href: policy-csp-admx-leakdiagnostic.md
-            - name: ADMX_LinkLayerTopologyDiscovery
-              href: policy-csp-admx-linklayertopologydiscovery.md
-            - name: ADMX_LocationProviderAdm
-              href: policy-csp-admx-locationprovideradm.md
-            - name: ADMX_Logon
-              href: policy-csp-admx-logon.md
-            - name: ADMX_MicrosoftDefenderAntivirus
-              href: policy-csp-admx-microsoftdefenderantivirus.md
-            - name: ADMX_MMC
-              href: policy-csp-admx-mmc.md
-            - name: ADMX_MMCSnapins
-              href: policy-csp-admx-mmcsnapins.md
-            - name: ADMX_MobilePCMobilityCenter
-              href: policy-csp-admx-mobilepcmobilitycenter.md
-            - name: ADMX_MobilePCPresentationSettings
-              href: policy-csp-admx-mobilepcpresentationsettings.md
-            - name: ADMX_MSAPolicy
-              href: policy-csp-admx-msapolicy.md
-            - name: ADMX_msched
-              href: policy-csp-admx-msched.md
-            - name: ADMX_MSDT
-              href: policy-csp-admx-msdt.md
-            - name: ADMX_MSI
-              href: policy-csp-admx-msi.md
-            - name: ADMX_MsiFileRecovery
-              href: policy-csp-admx-msifilerecovery.md
-            - name: ADMX_nca
-              href: policy-csp-admx-nca.md
-            - name: ADMX_NCSI
-              href: policy-csp-admx-ncsi.md
-            - name: ADMX_Netlogon
-              href: policy-csp-admx-netlogon.md
-            - name: ADMX_NetworkConnections
-              href: policy-csp-admx-networkconnections.md
-            - name: ADMX_OfflineFiles
-              href: policy-csp-admx-offlinefiles.md
-            - name: ADMX_pca
-              href: policy-csp-admx-pca.md
-            - name: ADMX_PeerToPeerCaching
-              href: policy-csp-admx-peertopeercaching.md
-            - name: ADMX_PenTraining
-              href: policy-csp-admx-pentraining.md
-            - name: ADMX_PerformanceDiagnostics
-              href: policy-csp-admx-performancediagnostics.md
-            - name: ADMX_Power
-              href: policy-csp-admx-power.md
-            - name: ADMX_PowerShellExecutionPolicy
-              href: policy-csp-admx-powershellexecutionpolicy.md
-            - name: ADMX_PreviousVersions
-              href: policy-csp-admx-previousversions.md
-            - name: ADMX_Printing
-              href: policy-csp-admx-printing.md
-            - name: ADMX_Printing2
-              href: policy-csp-admx-printing2.md
-            - name: ADMX_Programs
-              href: policy-csp-admx-programs.md
-            - name: ADMX_Reliability
-              href: policy-csp-admx-reliability.md
-            - name: ADMX_RemoteAssistance
-              href: policy-csp-admx-remoteassistance.md
-            - name: ADMX_RemovableStorage
-              href: policy-csp-admx-removablestorage.md
-            - name: ADMX_RPC
-              href: policy-csp-admx-rpc.md
-            - name: ADMX_Scripts
-              href: policy-csp-admx-scripts.md
-            - name: ADMX_sdiageng
-              href: policy-csp-admx-sdiageng.md
-            - name: ADMX_sdiagschd
-              href: policy-csp-admx-sdiagschd.md
-            - name: ADMX_Securitycenter
-              href: policy-csp-admx-securitycenter.md
-            - name: ADMX_Sensors
-              href: policy-csp-admx-sensors.md
-            - name: ADMX_ServerManager
-              href: policy-csp-admx-servermanager.md
-            - name: ADMX_Servicing
-              href: policy-csp-admx-servicing.md
-            - name: ADMX_SettingSync
-              href: policy-csp-admx-settingsync.md
-            - name: ADMX_SharedFolders
-              href: policy-csp-admx-sharedfolders.md
-            - name: ADMX_Sharing
-              href: policy-csp-admx-sharing.md
-            - name: ADMX_ShellCommandPromptRegEditTools
-              href: policy-csp-admx-shellcommandpromptregedittools.md
-            - name: ADMX_Smartcard
-              href: policy-csp-admx-smartcard.md
-            - name: ADMX_Snmp
-              href: policy-csp-admx-snmp.md
-            - name: ADMX_StartMenu
-              href: policy-csp-admx-startmenu.md
-            - name: ADMX_SystemRestore
-              href: policy-csp-admx-systemrestore.md
-            - name: ADMX_TabletShell
-              href: policy-csp-admx-tabletshell.md
-            - name: ADMX_Taskbar
-              href: policy-csp-admx-taskbar.md
-            - name: ADMX_tcpip
-              href: policy-csp-admx-tcpip.md
-            - name: ADMX_TerminalServer
-              href: policy-csp-admx-terminalserver.md
-            - name: ADMX_Thumbnails
-              href: policy-csp-admx-thumbnails.md
-            - name: ADMX_TouchInput
-              href: policy-csp-admx-touchinput.md
-            - name: ADMX_TPM
-              href: policy-csp-admx-tpm.md
-            - name: ADMX_UserExperienceVirtualization
-              href: policy-csp-admx-userexperiencevirtualization.md
-            - name: ADMX_UserProfiles
-              href: policy-csp-admx-userprofiles.md
-            - name: ADMX_W32Time
-              href: policy-csp-admx-w32time.md
-            - name: ADMX_WCM
-              href: policy-csp-admx-wcm.md
-            - name: ADMX_WDI
-              href: policy-csp-admx-wdi.md
-            - name: ADMX_WinCal
-              href: policy-csp-admx-wincal.md
-            - name: ADMX_WindowsConnectNow
-              href: policy-csp-admx-windowsconnectnow.md
-            - name: ADMX_WindowsExplorer
-              href: policy-csp-admx-windowsexplorer.md
-            - name: ADMX_WindowsMediaDRM
-              href: policy-csp-admx-windowsmediadrm.md
-            - name: ADMX_WindowsMediaPlayer
-              href: policy-csp-admx-windowsmediaplayer.md
-            - name: ADMX_WindowsRemoteManagement
-              href: policy-csp-admx-windowsremotemanagement.md
-            - name: ADMX_WindowsStore
-              href: policy-csp-admx-windowsstore.md
-            - name: ADMX_WinInit
-              href: policy-csp-admx-wininit.md
-            - name: ADMX_WinLogon
-              href: policy-csp-admx-winlogon.md
-            - name: ADMX-Winsrv
-              href: policy-csp-admx-winsrv.md
-            - name: ADMX_wlansvc
-              href: policy-csp-admx-wlansvc.md
-            - name: ADMX_WordWheel
-              href: policy-csp-admx-wordwheel.md
-            - name: ADMX_WorkFoldersClient
-              href: policy-csp-admx-workfoldersclient.md
-            - name: ADMX_WPN
-              href: policy-csp-admx-wpn.md
-            - name: ApplicationDefaults
-              href: policy-csp-applicationdefaults.md
-            - name: ApplicationManagement
-              href: policy-csp-applicationmanagement.md
-            - name: AppRuntime
-              href: policy-csp-appruntime.md
-            - name: AppVirtualization
-              href: policy-csp-appvirtualization.md
-            - name: AttachmentManager
-              href: policy-csp-attachmentmanager.md
-            - name: Audit
-              href: policy-csp-audit.md
-            - name: Authentication
-              href: policy-csp-authentication.md
-            - name: Autoplay
-              href: policy-csp-autoplay.md
-            - name: BitLocker
-              href: policy-csp-bitlocker.md
-            - name: BITS
-              href: policy-csp-bits.md
-            - name: Bluetooth
-              href: policy-csp-bluetooth.md
-            - name: Browser
-              href: policy-csp-browser.md
-            - name: Camera
-              href: policy-csp-camera.md
-            - name: Cellular
-              href: policy-csp-cellular.md
-            - name: Connectivity
-              href: policy-csp-connectivity.md
-            - name: ControlPolicyConflict
-              href: policy-csp-controlpolicyconflict.md
-            - name: CredentialsDelegation
-              href: policy-csp-credentialsdelegation.md
-            - name: CredentialProviders
-              href: policy-csp-credentialproviders.md
-            - name: CredentialsUI
-              href: policy-csp-credentialsui.md
-            - name: Cryptography
-              href: policy-csp-cryptography.md
-            - name: DataProtection
-              href: policy-csp-dataprotection.md
-            - name: DataUsage
-              href: policy-csp-datausage.md
-            - name: Defender
-              href: policy-csp-defender.md
-            - name: DeliveryOptimization
-              href: policy-csp-deliveryoptimization.md
-            - name: Desktop
-              href: policy-csp-desktop.md
-            - name: DesktopAppInstaller
-              href: policy-csp-desktopappinstaller.md
-            - name: DeviceGuard
-              href: policy-csp-deviceguard.md
-            - name: DeviceHealthMonitoring
-              href: policy-csp-devicehealthmonitoring.md
-            - name: DeviceInstallation
-              href: policy-csp-deviceinstallation.md
-            - name: DeviceLock
-              href: policy-csp-devicelock.md
-            - name: Display
-              href: policy-csp-display.md
-            - name: DmaGuard
-              href: policy-csp-dmaguard.md
-            - name: EAP
-              href: policy-csp-eap.md
-            - name: Education
-              href: policy-csp-education.md
-            - name: EnterpriseCloudPrint
-              href: policy-csp-enterprisecloudprint.md
-            - name: ErrorReporting
-              href: policy-csp-errorreporting.md
-            - name: EventLogService
-              href: policy-csp-eventlogservice.md
-            - name: Experience
-              href: policy-csp-experience.md
-            - name: ExploitGuard
-              href: policy-csp-exploitguard.md
-            - name: Federated Authentication
-              href: policy-csp-federatedauthentication.md
-            - name: Feeds
-              href: policy-csp-feeds.md
-            - name: FileExplorer
-              href: policy-csp-fileexplorer.md
-            - name: Games
-              href: policy-csp-games.md
-            - name: Handwriting
-              href: policy-csp-handwriting.md
-            - name: HumanPresence
-              href: policy-csp-humanpresence.md
-            - name: InternetExplorer
-              href: policy-csp-internetexplorer.md
-            - name: Kerberos
-              href: policy-csp-kerberos.md
-            - name: KioskBrowser
-              href: policy-csp-kioskbrowser.md
-            - name: LanmanWorkstation
-              href: policy-csp-lanmanworkstation.md
-            - name: Licensing
-              href: policy-csp-licensing.md
-            - name: LocalPoliciesSecurityOptions
-              href: policy-csp-localpoliciessecurityoptions.md
-            - name: LocalSecurityAuthority
-              href: policy-csp-lsa.md
-            - name: LocalUsersAndGroups
-              href: policy-csp-localusersandgroups.md
-            - name: LockDown
-              href: policy-csp-lockdown.md
-            - name: Maps
-              href: policy-csp-maps.md
-            - name: MemoryDump
-              href: policy-csp-memorydump.md
-            - name: Messaging
-              href: policy-csp-messaging.md
-            - name: MixedReality
-              href: policy-csp-mixedreality.md
-            - name: MSSecurityGuide
-              href: policy-csp-mssecurityguide.md
-            - name: MSSLegacy
-              href: policy-csp-msslegacy.md
-            - name: Multitasking
-              href: policy-csp-multitasking.md
-            - name: NetworkIsolation
-              href: policy-csp-networkisolation.md
-            - name: NetworkListManager
-              href: policy-csp-networklistmanager.md
-            - name: NewsAndInterests
-              href: policy-csp-newsandinterests.md
-            - name: Notifications
-              href: policy-csp-notifications.md
-            - name: Power
-              href: policy-csp-power.md
-            - name: Printers
-              href: policy-csp-printers.md
-            - name: Privacy
-              href: policy-csp-privacy.md
-            - name: RemoteAssistance
-              href: policy-csp-remoteassistance.md
-            - name: RemoteDesktop
-              href: policy-csp-remotedesktop.md
-            - name: RemoteDesktopServices
-              href: policy-csp-remotedesktopservices.md
-            - name: RemoteManagement
-              href: policy-csp-remotemanagement.md
-            - name: RemoteProcedureCall
-              href: policy-csp-remoteprocedurecall.md
-            - name: RemoteShell
-              href: policy-csp-remoteshell.md
-            - name: RestrictedGroups
-              href: policy-csp-restrictedgroups.md
-            - name: Search
-              href: policy-csp-search.md
-            - name: Security
-              href: policy-csp-security.md
-            - name: ServiceControlManager
-              href: policy-csp-servicecontrolmanager.md
-            - name: Settings
-              href: policy-csp-settings.md
-            - name: Speech
-              href: policy-csp-speech.md
-            - name: Start
-              href: policy-csp-start.md
-            - name: Storage
-              href: policy-csp-storage.md
-            - name: System
-              href: policy-csp-system.md
-            - name: SystemServices
-              href: policy-csp-systemservices.md
-            - name: TaskManager
-              href: policy-csp-taskmanager.md
-            - name: TaskScheduler
-              href: policy-csp-taskscheduler.md
-            - name: TextInput
-              href: policy-csp-textinput.md
-            - name: TimeLanguageSettings
-              href: policy-csp-timelanguagesettings.md
-            - name: Troubleshooting
-              href: policy-csp-troubleshooting.md
-            - name: Update
-              href: policy-csp-update.md
-            - name: UserRights
-              href: policy-csp-userrights.md
-            - name: VirtualizationBasedTechnology
-              href: policy-csp-virtualizationbasedtechnology.md
-            - name: WebThreatDefense
-              href: policy-csp-webthreatdefense.md
-            - name: Wifi
-              href: policy-csp-wifi.md
-            - name: WindowsAutoPilot
-              href: policy-csp-windowsautopilot.md
-            - name: WindowsConnectionManager
-              href: policy-csp-windowsconnectionmanager.md
-            - name: WindowsDefenderSecurityCenter
-              href: policy-csp-windowsdefendersecuritycenter.md
-            - name: WindowsDefenderSmartScreen
-              href: policy-csp-smartscreen.md
-            - name: WindowsInkWorkspace
-              href: policy-csp-windowsinkworkspace.md
-            - name: WindowsLogon
-              href: policy-csp-windowslogon.md
-            - name: WindowsPowerShell
-              href: policy-csp-windowspowershell.md
-            - name: WindowsSandbox
-              href: policy-csp-windowssandbox.md
-            - name: WirelessDisplay
-              href: policy-csp-wirelessdisplay.md
-      - name: AccountManagement
-        href: accountmanagement-csp.md
-        items:
-          - name: AccountManagement DDF file
-            href: accountmanagement-ddf.md
-      - name: Accounts
-        href: accounts-csp.md
-        items:
-          - name: Accounts DDF file
-            href: accounts-ddf-file.md
-      - name: ActiveSync
-        href: activesync-csp.md
-        items:
-          - name: ActiveSync DDF file
-            href: activesync-ddf-file.md
-      - name: AllJoynManagement
-        href: alljoynmanagement-csp.md
-        items:
-          - name: AllJoynManagement DDF
-            href: alljoynmanagement-ddf.md
-      - name: APPLICATION
-        href: application-csp.md
-      - name: ApplicationControl
-        href: applicationcontrol-csp.md
-        items:
-          - name: ApplicationControl DDF file
-            href: applicationcontrol-csp-ddf.md
-      - name: AppLocker
-        href: applocker-csp.md
-        items:
-          - name: AppLocker DDF file
-            href: applocker-ddf-file.md
-          - name: AppLocker XSD
-            href: applocker-xsd.md
-      - name: AssignedAccess
-        href: assignedaccess-csp.md
-        items:
-          - name: AssignedAccess DDF file
-            href: assignedaccess-ddf.md
-      - name: BitLocker
-        href: bitlocker-csp.md
-        items:
-          - name: BitLocker DDF file
-            href: bitlocker-ddf-file.md
-      - name: CellularSettings
-        href: cellularsettings-csp.md
-      - name: CertificateStore
-        href: certificatestore-csp.md
-        items:
-          - name: CertificateStore DDF file
-            href: certificatestore-ddf-file.md
-      - name: CleanPC
-        href: cleanpc-csp.md
-        items:
-          - name: CleanPC DDF
-            href: cleanpc-ddf.md
-      - name: ClientCertificateInstall
-        href: clientcertificateinstall-csp.md
-        items:
-          - name: ClientCertificateInstall DDF file
-            href: clientcertificateinstall-ddf-file.md
-      - name: CM_CellularEntries
-        href: cm-cellularentries-csp.md
-      - name: CMPolicy
-        href: cmpolicy-csp.md
-      - name: CMPolicyEnterprise
-        href: cmpolicyenterprise-csp.md
-        items:
-          - name: CMPolicyEnterprise DDF file
-            href: cmpolicyenterprise-ddf-file.md
-      - name: CustomDeviceUI
-        href: customdeviceui-csp.md
-        items:
-          - name: CustomDeviceUI DDF file
-            href: customdeviceui-ddf.md
-      - name: Defender
-        href: defender-csp.md
-        items:
-          - name: Defender DDF file
-            href: defender-ddf.md
-      - name: DevDetail
-        href: devdetail-csp.md
-        items:
-          - name: DevDetail DDF file
-            href: devdetail-ddf-file.md
-      - name: DeveloperSetup
-        href: developersetup-csp.md
-        items:
-          - name: DeveloperSetup DDF
-            href: developersetup-ddf.md
-      - name: DeviceLock
-        href: devicelock-csp.md
-        items:
-          - name: DeviceLock DDF file
-            href: devicelock-ddf-file.md
-      - name: DeviceManageability
-        href: devicemanageability-csp.md
-        items:
-          - name: DeviceManageability DDF
-            href: devicemanageability-ddf.md
-      - name: DeviceStatus
-        href: devicestatus-csp.md
-        items:
-          - name: DeviceStatus DDF
-            href: devicestatus-ddf.md
-      - name: DevInfo
-        href: devinfo-csp.md
-        items:
-          - name: DevInfo DDF file
-            href: devinfo-ddf-file.md
-      - name: DiagnosticLog
-        href: diagnosticlog-csp.md
-        items:
-          - name: DiagnosticLog DDF file
-            href: diagnosticlog-ddf.md
-      - name: DMAcc
-        href: dmacc-csp.md
-        items:
-          - name: DMAcc DDF file
-            href: dmacc-ddf-file.md
-      - name: DMClient
-        href: dmclient-csp.md
-        items:
-          - name: DMClient DDF file
-            href: dmclient-ddf-file.md
-      - name: DMSessionActions
-        href: dmsessionactions-csp.md
-        items:
-          - name: DMSessionActions DDF file
-            href: dmsessionactions-ddf.md
-      - name: DynamicManagement
-        href: dynamicmanagement-csp.md
-        items:
-          - name: DynamicManagement DDF file
-            href: dynamicmanagement-ddf.md
-      - name: EMAIL2
-        href: email2-csp.md
-        items:
-          - name: EMAIL2 DDF file
-            href: email2-ddf-file.md
-      - name: EnrollmentStatusTracking
-        href: enrollmentstatustracking-csp.md
-        items:
-          - name: EnrollmentStatusTracking DDF file
-            href: enrollmentstatustracking-csp-ddf.md
-      - name: EnterpriseAPN
-        href: enterpriseapn-csp.md
-        items:
-          - name: EnterpriseAPN DDF
-            href: enterpriseapn-ddf.md
-      - name: EnterpriseAppVManagement
-        href: enterpriseappvmanagement-csp.md
-        items:
-          - name: EnterpriseAppVManagement DDF file
-            href: enterpriseappvmanagement-ddf.md
-      - name: EnterpriseDataProtection
-        href: enterprisedataprotection-csp.md
-        items:
-          - name: EnterpriseDataProtection DDF file
-            href: enterprisedataprotection-ddf-file.md
-      - name: EnterpriseDesktopAppManagement
-        href: enterprisedesktopappmanagement-csp.md
-        items:
-          - name: EnterpriseDesktopAppManagement DDF
-            href: enterprisedesktopappmanagement-ddf-file.md
-          - name: EnterpriseDesktopAppManagement XSD
-            href: enterprisedesktopappmanagement2-xsd.md
-      - name: EnterpriseModernAppManagement
-        href: enterprisemodernappmanagement-csp.md
-        items:
-          - name: EnterpriseModernAppManagement DDF
-            href: enterprisemodernappmanagement-ddf.md
-          - name: EnterpriseModernAppManagement XSD
-            href: enterprisemodernappmanagement-xsd.md
-      - name: eUICCs
-        href: euiccs-csp.md
-        items:
-          - name: eUICCs DDF file
-            href: euiccs-ddf-file.md
-      - name: Firewall
-        href: firewall-csp.md
-        items:
-          - name: Firewall DDF file
-            href: firewall-ddf-file.md
-      - name: HealthAttestation
-        href: healthattestation-csp.md
-        items:
-          - name: HealthAttestation DDF
-            href: healthattestation-ddf.md
-      - name: Local Administrator Password Solution
-        href: laps-csp.md
-        items:
-          - name: Local Administrator Password Solution DDF
-            href: laps-ddf-file.md
-      - name: MultiSIM
-        href: multisim-csp.md
-        items:
-          - name: MultiSIM DDF file
-            href: multisim-ddf.md
-      - name: NAP
-        href: nap-csp.md
-      - name: NAPDEF
-        href: napdef-csp.md
-      - name: NetworkProxy
-        href: networkproxy-csp.md
-        items:
-          - name: NetworkProxy DDF file
-            href: networkproxy-ddf.md
-      - name: NetworkQoSPolicy
-        href: networkqospolicy-csp.md
-        items:
-          - name: NetworkQoSPolicy DDF file
-            href: networkqospolicy-ddf.md
-      - name: NodeCache
-        href: nodecache-csp.md
-        items:
-          - name: NodeCache DDF file
-            href: nodecache-ddf-file.md
-      - name: Office
-        href: office-csp.md
-        items:
-          - name: Office DDF
-            href: office-ddf.md
-      - name: PassportForWork
-        href: passportforwork-csp.md
-        items:
-          - name: PassportForWork DDF file
-            href: passportforwork-ddf.md
-      - name: PersonalDataEncryption
-        href: personaldataencryption-csp.md
-        items:
-          - name: PersonalDataEncryption DDF file
-            href: personaldataencryption-ddf-file.md
-      - name: Personalization
-        href: personalization-csp.md
-        items:
-          - name: Personalization DDF file
-            href: personalization-ddf.md
-      - name: Provisioning
-        href: provisioning-csp.md
-      - name: PXLOGICAL
-        href: pxlogical-csp.md
-      - name: Reboot
-        href: reboot-csp.md
-        items:
-          - name: Reboot DDF file
-            href: reboot-ddf-file.md
-      - name: RemoteFind
-        href: remotefind-csp.md
-        items:
-          - name: RemoteFind DDF file
-            href: remotefind-ddf-file.md
-      - name: RemoteWipe
-        href: remotewipe-csp.md
-        items:
-          - name: RemoteWipe DDF file
-            href: remotewipe-ddf-file.md
-      - name: Reporting
-        href: reporting-csp.md
-        items:
-          - name: Reporting DDF file
-            href: reporting-ddf-file.md
-      - name: RootCATrustedCertificates
-        href: rootcacertificates-csp.md
-        items:
-          - name: RootCATrustedCertificates DDF file
-            href: rootcacertificates-ddf-file.md
-      - name: SecureAssessment
-        href: secureassessment-csp.md
-        items:
-          - name: SecureAssessment DDF file
-            href: secureassessment-ddf-file.md
-      - name: SecurityPolicy
-        href: securitypolicy-csp.md
-      - name: SharedPC
-        href: sharedpc-csp.md
-        items:
-          - name: SharedPC DDF file
-            href: sharedpc-ddf-file.md
-      - name: Storage
-        href: storage-csp.md
-        items:
-          - name: Storage DDF file
-            href: storage-ddf-file.md
-      - name: SUPL
-        href: supl-csp.md
-        items:
-          - name: SUPL DDF file
-            href: supl-ddf-file.md
-      - name: SurfaceHub
-        href: surfacehub-csp.md
-        items:
-          - name: SurfaceHub DDF file
-            href: surfacehub-ddf-file.md
-      - name: TenantLockdown
-        href: tenantlockdown-csp.md
-        items:
-          - name: TenantLockdown DDF file
-            href: tenantlockdown-ddf.md
-      - name: TPMPolicy
-        href: tpmpolicy-csp.md
-        items:
-          - name: TPMPolicy DDF file
-            href: tpmpolicy-ddf-file.md
-      - name: UEFI
-        href: uefi-csp.md
-        items:
-          - name: UEFI DDF file
-            href: uefi-ddf.md
-      - name: UnifiedWriteFilter
-        href: unifiedwritefilter-csp.md
-        items:
-          - name: UnifiedWriteFilter DDF file
-            href: unifiedwritefilter-ddf.md
-      - name: UniversalPrint
-        href: universalprint-csp.md
-        items:
-          - name: UniversalPrint DDF file
-            href: universalprint-ddf-file.md
-      - name: Update
-        href: update-csp.md
-        items:
-          - name: Update DDF file
-            href: update-ddf-file.md
-      - name: VPN
-        href: vpn-csp.md
-        items:
-          - name: VPN DDF file
-            href: vpn-ddf-file.md
-      - name: VPNv2
-        href: vpnv2-csp.md
-        items:
-          - name: VPNv2 DDF file
-            href: vpnv2-ddf-file.md
-          - name: ProfileXML XSD
-            href: vpnv2-profile-xsd.md
-          - name: EAP configuration
-            href: eap-configuration.md
-      - name: w4 APPLICATION
-        href: w4-application-csp.md
-      - name: w7 APPLICATION
-        href: w7-application-csp.md
-      - name: WiFi
-        href: wifi-csp.md
-        items:
-          - name: WiFi DDF file
-            href: wifi-ddf-file.md
-      - name: Win32AppInventory
-        href: win32appinventory-csp.md
-        items:
-          - name: Win32AppInventory DDF file
-            href: win32appinventory-ddf-file.md
-      - name: Win32CompatibilityAppraiser
-        href: win32compatibilityappraiser-csp.md
-        items:
-          - name: Win32CompatibilityAppraiser DDF file
-            href: win32compatibilityappraiser-ddf.md
-      - name: WindowsAdvancedThreatProtection
-        href: windowsadvancedthreatprotection-csp.md
-        items:
-          - name: WindowsAdvancedThreatProtection DDF file
-            href: windowsadvancedthreatprotection-ddf.md
-      - name: WindowsAutopilot
-        href: windowsautopilot-csp.md
-        items:
-          - name: WindowsAutopilot DDF file
-            href: windowsautopilot-ddf-file.md
-      - name: WindowsDefenderApplicationGuard
-        href: windowsdefenderapplicationguard-csp.md
-        items:
-          - name: WindowsDefenderApplicationGuard DDF file
-            href: windowsdefenderapplicationguard-ddf-file.md
-      - name: WindowsLicensing
-        href: windowslicensing-csp.md
-        items:
-          - name: WindowsLicensing DDF file
-            href: windowslicensing-ddf-file.md
-      - name: WiredNetwork
-        href: wirednetwork-csp.md
-        items:
-          - name: WiredNetwork DDF file
-            href: wirednetwork-ddf-file.md
+      - name: ActiveSync DDF file
+        href: activesync-ddf-file.md
+    - name: AllJoynManagement
+      href: alljoynmanagement-csp.md
+      items:
+      - name: AllJoynManagement DDF
+        href: alljoynmanagement-ddf.md
+    - name: APPLICATION
+      href: application-csp.md
+    - name: ApplicationControl
+      href: applicationcontrol-csp.md
+      items:
+      - name: ApplicationControl DDF file
+        href: applicationcontrol-csp-ddf.md
+    - name: AppLocker
+      href: applocker-csp.md
+      items:
+      - name: AppLocker DDF file
+        href: applocker-ddf-file.md
+      - name: AppLocker XSD
+        href: applocker-xsd.md
+    - name: AssignedAccess
+      href: assignedaccess-csp.md
+      items:
+      - name: AssignedAccess DDF file
+        href: assignedaccess-ddf.md
+    - name: BitLocker
+      href: bitlocker-csp.md
+      items:
+      - name: BitLocker DDF file
+        href: bitlocker-ddf-file.md
+    - name: CellularSettings
+      href: cellularsettings-csp.md
+    - name: CertificateStore
+      href: certificatestore-csp.md
+      items:
+      - name: CertificateStore DDF file
+        href: certificatestore-ddf-file.md
+    - name: CleanPC
+      href: cleanpc-csp.md
+      items:
+      - name: CleanPC DDF
+        href: cleanpc-ddf.md
+    - name: ClientCertificateInstall
+      href: clientcertificateinstall-csp.md
+      items:
+      - name: ClientCertificateInstall DDF file
+        href: clientcertificateinstall-ddf-file.md
+    - name: CM_CellularEntries
+      href: cm-cellularentries-csp.md
+    - name: CMPolicy
+      href: cmpolicy-csp.md
+    - name: CMPolicyEnterprise
+      href: cmpolicyenterprise-csp.md
+      items:
+      - name: CMPolicyEnterprise DDF file
+        href: cmpolicyenterprise-ddf-file.md
+    - name: CustomDeviceUI
+      href: customdeviceui-csp.md
+      items:
+      - name: CustomDeviceUI DDF file
+        href: customdeviceui-ddf.md
+    - name: Defender
+      href: defender-csp.md
+      items:
+      - name: Defender DDF file
+        href: defender-ddf.md
+    - name: DevDetail
+      href: devdetail-csp.md
+      items:
+      - name: DevDetail DDF file
+        href: devdetail-ddf-file.md
+    - name: DeveloperSetup
+      href: developersetup-csp.md
+      items:
+      - name: DeveloperSetup DDF
+        href: developersetup-ddf.md
+    - name: DeviceLock
+      href: devicelock-csp.md
+      items:
+      - name: DeviceLock DDF file
+        href: devicelock-ddf-file.md
+    - name: DeviceManageability
+      href: devicemanageability-csp.md
+      items:
+      - name: DeviceManageability DDF
+        href: devicemanageability-ddf.md
+    - name: DeviceStatus
+      href: devicestatus-csp.md
+      items:
+      - name: DeviceStatus DDF
+        href: devicestatus-ddf.md
+    - name: DevInfo
+      href: devinfo-csp.md
+      items:
+      - name: DevInfo DDF file
+        href: devinfo-ddf-file.md
+    - name: DiagnosticLog
+      href: diagnosticlog-csp.md
+      items:
+      - name: DiagnosticLog DDF file
+        href: diagnosticlog-ddf.md
+    - name: DMAcc
+      href: dmacc-csp.md
+      items:
+      - name: DMAcc DDF file
+        href: dmacc-ddf-file.md
+    - name: DMClient
+      href: dmclient-csp.md
+      items:
+      - name: DMClient DDF file
+        href: dmclient-ddf-file.md
+    - name: DMSessionActions
+      href: dmsessionactions-csp.md
+      items:
+      - name: DMSessionActions DDF file
+        href: dmsessionactions-ddf.md
+    - name: DynamicManagement
+      href: dynamicmanagement-csp.md
+      items:
+      - name: DynamicManagement DDF file
+        href: dynamicmanagement-ddf.md
+    - name: EMAIL2
+      href: email2-csp.md
+      items:
+      - name: EMAIL2 DDF file
+        href: email2-ddf-file.md
+    - name: EnrollmentStatusTracking
+      href: enrollmentstatustracking-csp.md
+      items:
+      - name: EnrollmentStatusTracking DDF file
+        href: enrollmentstatustracking-csp-ddf.md
+    - name: EnterpriseAPN
+      href: enterpriseapn-csp.md
+      items:
+      - name: EnterpriseAPN DDF
+        href: enterpriseapn-ddf.md
+    - name: EnterpriseAppVManagement
+      href: enterpriseappvmanagement-csp.md
+      items:
+      - name: EnterpriseAppVManagement DDF file
+        href: enterpriseappvmanagement-ddf.md
+    - name: EnterpriseDataProtection
+      href: enterprisedataprotection-csp.md
+      items:
+      - name: EnterpriseDataProtection DDF file
+        href: enterprisedataprotection-ddf-file.md
+    - name: EnterpriseDesktopAppManagement
+      href: enterprisedesktopappmanagement-csp.md
+      items:
+      - name: EnterpriseDesktopAppManagement DDF
+        href: enterprisedesktopappmanagement-ddf-file.md
+      - name: EnterpriseDesktopAppManagement XSD
+        href: enterprisedesktopappmanagement2-xsd.md
+    - name: EnterpriseModernAppManagement
+      href: enterprisemodernappmanagement-csp.md
+      items:
+      - name: EnterpriseModernAppManagement DDF
+        href: enterprisemodernappmanagement-ddf.md
+      - name: EnterpriseModernAppManagement XSD
+        href: enterprisemodernappmanagement-xsd.md
+    - name: eUICCs
+      href: euiccs-csp.md
+      items:
+      - name: eUICCs DDF file
+        href: euiccs-ddf-file.md
+    - name: Firewall
+      href: firewall-csp.md
+      items:
+      - name: Firewall DDF file
+        href: firewall-ddf-file.md
+    - name: HealthAttestation
+      href: healthattestation-csp.md
+      items:
+      - name: HealthAttestation DDF
+        href: healthattestation-ddf.md
+    - name: Local Administrator Password Solution
+      href: laps-csp.md
+      items:
+      - name: Local Administrator Password Solution DDF
+        href: laps-ddf-file.md
+    - name: MultiSIM
+      href: multisim-csp.md
+      items:
+      - name: MultiSIM DDF file
+        href: multisim-ddf.md
+    - name: NAP
+      href: nap-csp.md
+    - name: NAPDEF
+      href: napdef-csp.md
+    - name: NetworkProxy
+      href: networkproxy-csp.md
+      items:
+      - name: NetworkProxy DDF file
+        href: networkproxy-ddf.md
+    - name: NetworkQoSPolicy
+      href: networkqospolicy-csp.md
+      items:
+      - name: NetworkQoSPolicy DDF file
+        href: networkqospolicy-ddf.md
+    - name: NodeCache
+      href: nodecache-csp.md
+      items:
+      - name: NodeCache DDF file
+        href: nodecache-ddf-file.md
+    - name: Office
+      href: office-csp.md
+      items:
+      - name: Office DDF
+        href: office-ddf.md
+    - name: PassportForWork
+      href: passportforwork-csp.md
+      items:
+      - name: PassportForWork DDF file
+        href: passportforwork-ddf.md
+    - name: PersonalDataEncryption
+      href: personaldataencryption-csp.md
+      items:
+      - name: PersonalDataEncryption DDF file
+        href: personaldataencryption-ddf-file.md
+    - name: Personalization
+      href: personalization-csp.md
+      items:
+      - name: Personalization DDF file
+        href: personalization-ddf.md
+    - name: Provisioning
+      href: provisioning-csp.md
+    - name: PXLOGICAL
+      href: pxlogical-csp.md
+    - name: Reboot
+      href: reboot-csp.md
+      items:
+      - name: Reboot DDF file
+        href: reboot-ddf-file.md
+    - name: RemoteFind
+      href: remotefind-csp.md
+      items:
+      - name: RemoteFind DDF file
+        href: remotefind-ddf-file.md
+    - name: RemoteWipe
+      href: remotewipe-csp.md
+      items:
+      - name: RemoteWipe DDF file
+        href: remotewipe-ddf-file.md
+    - name: Reporting
+      href: reporting-csp.md
+      items:
+      - name: Reporting DDF file
+        href: reporting-ddf-file.md
+    - name: RootCATrustedCertificates
+      href: rootcacertificates-csp.md
+      items:
+      - name: RootCATrustedCertificates DDF file
+        href: rootcacertificates-ddf-file.md
+    - name: SecureAssessment
+      href: secureassessment-csp.md
+      items:
+      - name: SecureAssessment DDF file
+        href: secureassessment-ddf-file.md
+    - name: SecurityPolicy
+      href: securitypolicy-csp.md
+    - name: SharedPC
+      href: sharedpc-csp.md
+      items:
+      - name: SharedPC DDF file
+        href: sharedpc-ddf-file.md
+    - name: Storage
+      href: storage-csp.md
+      items:
+      - name: Storage DDF file
+        href: storage-ddf-file.md
+    - name: SUPL
+      href: supl-csp.md
+      items:
+      - name: SUPL DDF file
+        href: supl-ddf-file.md
+    - name: SurfaceHub
+      href: surfacehub-csp.md
+      items:
+      - name: SurfaceHub DDF file
+        href: surfacehub-ddf-file.md
+    - name: TenantLockdown
+      href: tenantlockdown-csp.md
+      items:
+      - name: TenantLockdown DDF file
+        href: tenantlockdown-ddf.md
+    - name: TPMPolicy
+      href: tpmpolicy-csp.md
+      items:
+      - name: TPMPolicy DDF file
+        href: tpmpolicy-ddf-file.md
+    - name: UEFI
+      href: uefi-csp.md
+      items:
+      - name: UEFI DDF file
+        href: uefi-ddf.md
+    - name: UnifiedWriteFilter
+      href: unifiedwritefilter-csp.md
+      items:
+      - name: UnifiedWriteFilter DDF file
+        href: unifiedwritefilter-ddf.md
+    - name: UniversalPrint
+      href: universalprint-csp.md
+      items:
+      - name: UniversalPrint DDF file
+        href: universalprint-ddf-file.md
+    - name: Update
+      href: update-csp.md
+      items:
+      - name: Update DDF file
+        href: update-ddf-file.md
+    - name: VPN
+      href: vpn-csp.md
+      items:
+      - name: VPN DDF file
+        href: vpn-ddf-file.md
+    - name: VPNv2
+      href: vpnv2-csp.md
+      items:
+      - name: VPNv2 DDF file
+        href: vpnv2-ddf-file.md
+      - name: ProfileXML XSD
+        href: vpnv2-profile-xsd.md
+      - name: EAP configuration
+        href: eap-configuration.md
+    - name: w4 APPLICATION
+      href: w4-application-csp.md
+    - name: w7 APPLICATION
+      href: w7-application-csp.md
+    - name: WiFi
+      href: wifi-csp.md
+      items:
+      - name: WiFi DDF file
+        href: wifi-ddf-file.md
+    - name: Win32AppInventory
+      href: win32appinventory-csp.md
+      items:
+      - name: Win32AppInventory DDF file
+        href: win32appinventory-ddf-file.md
+    - name: Win32CompatibilityAppraiser
+      href: win32compatibilityappraiser-csp.md
+      items:
+      - name: Win32CompatibilityAppraiser DDF file
+        href: win32compatibilityappraiser-ddf.md
+    - name: WindowsAdvancedThreatProtection
+      href: windowsadvancedthreatprotection-csp.md
+      items:
+      - name: WindowsAdvancedThreatProtection DDF file
+        href: windowsadvancedthreatprotection-ddf.md
+    - name: WindowsAutopilot
+      href: windowsautopilot-csp.md
+      items:
+      - name: WindowsAutopilot DDF file
+        href: windowsautopilot-ddf-file.md
+    - name: WindowsDefenderApplicationGuard
+      href: windowsdefenderapplicationguard-csp.md
+      items:
+      - name: WindowsDefenderApplicationGuard DDF file
+        href: windowsdefenderapplicationguard-ddf-file.md
+    - name: WindowsLicensing
+      href: windowslicensing-csp.md
+      items:
+      - name: WindowsLicensing DDF file
+        href: windowslicensing-ddf-file.md
+    - name: WiredNetwork
+      href: wirednetwork-csp.md
+      items:
+      - name: WiredNetwork DDF file
+        href: wirednetwork-ddf-file.md
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 7ed88086de..ceee66f4b0 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -3,11 +3,11 @@ title: TPMPolicy CSP
 description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/01/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index fa01f620af..b4bcb92ce0 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -3,11 +3,11 @@ title: TPMPolicy DDF file
 description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index aa2b3b9ef4..6b3389617f 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -3,11 +3,11 @@ title: UEFI CSP
 description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/02/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index 8a5ce332a6..89a1f72465 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -3,11 +3,11 @@ title: UEFI DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/02/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 001fc121c8..b4e14b056c 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -1,12 +1,12 @@
 ---
 title: UnifiedWriteFilter CSP
 description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md
index 72f53c6d59..c44499af11 100644
--- a/windows/client-management/mdm/unifiedwritefilter-ddf.md
+++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md
@@ -1,12 +1,12 @@
 ---
 title: UnifiedWriteFilter DDF File
 description: UnifiedWriteFilter DDF File
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md
index 5feb529511..c004954f59 100644
--- a/windows/client-management/mdm/universalprint-csp.md
+++ b/windows/client-management/mdm/universalprint-csp.md
@@ -3,8 +3,8 @@ title: UniversalPrint CSP
 description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/02/2022
 ms.reviewer: jimwu
diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md
index a3c8a08811..86b77653c2 100644
--- a/windows/client-management/mdm/universalprint-ddf-file.md
+++ b/windows/client-management/mdm/universalprint-ddf-file.md
@@ -3,8 +3,8 @@ title: UniversalPrint DDF file
 description: UniversalPrint DDF file
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/02/2022
 ms.reviewer: jimwu
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index e027f8aa00..fa7376a759 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -1,12 +1,12 @@
 ---
 title: Update CSP
 description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 02/23/2018
 ---
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index ea83f69b30..3e5be4786d 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: Update DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 02/23/2018
 ---
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 4c6e172346..0ef20477a4 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -1,12 +1,12 @@
 ---
 title: VPN CSP
 description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 04/02/2017
 ---
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index e44a34731e..db77d0704f 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: VPN DDF file
 description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 31356e2621..ea73b10265 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -5,8 +5,8 @@ ms.reviewer: pesmith
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/21/2021
 ---
@@ -411,7 +411,7 @@ Supported operations include Get, Add, Replace, and Delete.
 Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
 
 - FQDN - Fully qualified domain name
-- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend.**.** to the DNS suffix.
+- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend .**.** to the DNS suffix.
 
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 3446055b9a..66de42bf56 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -5,8 +5,8 @@ ms.reviewer: pesmith
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/30/2020
 ---
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index 6398ed6e10..bfca5ab7aa 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -1,12 +1,12 @@
 ---
 title: ProfileXML XSD
 description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/14/2020
 ---
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index e0fd9b6275..dea054addd 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -1,12 +1,12 @@
 ---
 title: w4 APPLICATION CSP
 description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 0c88306677..e58f0e5922 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -1,12 +1,12 @@
 ---
 title: w7 APPLICATION CSP
 description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index c025bf6ec4..0df64e0109 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,12 +1,12 @@
 ---
 title: WiFi CSP
 description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/18/2019
 ---
@@ -54,7 +54,7 @@ WiFi
 The following list shows the characteristics and parameters.
 
 <a href="" id="wifi"></a>**Device or User profile**
-For user profile, use .`/User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path.
+For user profile, use `./User/Vendor/MSFT/Wifi` path and for device profile, use `./Device/Vendor/MSFT/Wifi` path.
 
 <a href="" id="profile"></a>**Profile**
 Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase if there's WEP or WPA2 networks.
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index f2a53dc84b..a6b9b70daf 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: WiFi DDF file
 description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/28/2018
 ---
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index 0cc696cfdb..c0862b854f 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -1,12 +1,12 @@
 ---
 title: Win32AppInventory CSP
 description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index 9f2d2298b4..8825199231 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: Win32AppInventory DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 07fdbf9364..9f3d0f3181 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -3,11 +3,11 @@ title: Win32CompatibilityAppraiser CSP
 description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/19/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -109,7 +109,7 @@ Value type is integer.
 Supported operation is Get.
 
 <a href="" id="compatibilityappraiser-appraiserconfigurationdiagnosis-rebootpending"></a>**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
-A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
+A boolean value representing whether a reboot is pending on this computer. A newly installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
 
 Value type is bool.
 
@@ -682,4 +682,4 @@ For the report XML schema, see [Windows Error Reporting connection report](#wind
 
 ## Related topics
 
-[Configuration service provider reference](index.yml)
\ No newline at end of file
+[Configuration service provider reference](index.yml)
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
index 59b68ae164..9fec57ce5d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
@@ -3,11 +3,11 @@ title: Win32CompatibilityAppraiser DDF file
 description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/19/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index af34c66886..917d96da7b 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -1,12 +1,12 @@
 ---
 title: WindowsAdvancedThreatProtection CSP
 description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/01/2017
 ---
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index 88f7963c28..b1cbacd77d 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -2,12 +2,12 @@
 title: WindowsAdvancedThreatProtection DDF file
 description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
 ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
 ---
diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md
index b92231671c..34d9296f84 100644
--- a/windows/client-management/mdm/windowsautopilot-csp.md
+++ b/windows/client-management/mdm/windowsautopilot-csp.md
@@ -1,12 +1,12 @@
 ---
 title: WindowsAutopilot CSP
 description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 05/09/2022
 ---
diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md
index 551d857ce8..8d6ee2e942 100644
--- a/windows/client-management/mdm/windowsautopilot-ddf-file.md
+++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md
@@ -1,13 +1,13 @@
 ---
 title: WindowsAutopilot DDF file
-description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, for the WindowsAutopilot DDF file configuration service provider (CSP) .
+description: Learn how, without the ability to mark a device as remediation required, the device will remain in a broken state for the WindowsAutopilot DDF file configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 02/07/2022
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
@@ -77,4 +77,4 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
 
 ## Related topics
 
-[WindowsAutopilot configuration service provider](windowsautopilot-csp.md)
\ No newline at end of file
+[WindowsAutopilot configuration service provider](windowsautopilot-csp.md)
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 184b0bbad8..32799b0ffd 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -3,11 +3,11 @@ title: WindowsDefenderApplicationGuard CSP
 description: Configure the settings in Microsoft Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/02/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 393b8c0a28..1c659fd2d1 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -3,11 +3,11 @@ title: WindowsDefenderApplicationGuard DDF file
 description: Learn about the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider (CSP).
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/10/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index c418d82de4..1b912a214a 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,12 +1,12 @@
 ---
 title: WindowsLicensing CSP
 description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/15/2018
 ---
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index 07afe1f8ae..00f97205ee 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -1,12 +1,12 @@
 ---
 title: WindowsLicensing DDF file
 description: Learn about the OMA DM device description framework (DDF) for the WindowsLicensing configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/16/2017
 ---
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 509a6c9f68..ecbdc67678 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -3,11 +3,11 @@ title: WiredNetwork CSP
 description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that don't have GP. Learn how it works.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/27/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md
index f2d38e308a..95d8425592 100644
--- a/windows/client-management/mdm/wirednetwork-ddf-file.md
+++ b/windows/client-management/mdm/wirednetwork-ddf-file.md
@@ -3,11 +3,11 @@ title: WiredNetwork DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the WiredNetwork configuration service provider.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/28/2018
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md
index b161e96c13..93b93d3872 100644
--- a/windows/client-management/mobile-device-enrollment.md
+++ b/windows/client-management/mobile-device-enrollment.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/11/2017
 ms.collection: highpri
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index d94df5a96f..74ca04fcc6 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,15 +1,15 @@
 ---
 title: What's new in MDM enrollment and management
 description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
-MS-HAID:
+MS-HAID: 
   - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
   - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/16/2022
@@ -348,9 +348,9 @@ No. Only one MDM is allowed.
 
 Entry | Description
 --------------- | --------------------
-What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
-What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service doesn't send telemetry.|
-How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this service is a component part of the OS and  required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
+What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
+What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
+How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and  required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
 
 
 ## Change history for MDM documentation
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 5bc9aad966..0adc1b4483 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -4,11 +4,12 @@ description: Learn how Windows 10 includes new policies for management, like Gro
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.prod: w10
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.date: 09/15/2021
 ms.topic: reference
+ms.technology: itpro-manage
 ---
 
 # New policies for Windows 10
diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md
index 4c825aaa5f..d87cd9db0c 100644
--- a/windows/client-management/oma-dm-protocol-support.md
+++ b/windows/client-management/oma-dm-protocol-support.md
@@ -1,12 +1,12 @@
 ---
 title: OMA DM protocol support
 description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md
index 129f2a8aae..daf5a628d7 100644
--- a/windows/client-management/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md
index 318cb768bb..712795c303 100644
--- a/windows/client-management/push-notification-windows-mdm.md
+++ b/windows/client-management/push-notification-windows-mdm.md
@@ -1,15 +1,15 @@
 ---
 title: Push notification support for device management
 description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-MS-HAID:
+MS-HAID: 
   - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management'
   - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm'
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/22/2017
 ---
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index 0b4918cbd6..475721a37f 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -1,9 +1,9 @@
 ---
 title: Use Quick Assist to help users
 description: How IT Pros can use Quick Assist to help users.
-ms.prod: w10
+ms.prod: windows-client
 ms.topic: article
-ms.technology: windows
+ms.technology: itpro-manage
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
@@ -30,30 +30,27 @@ The helper can authenticate when they sign in by using a Microsoft account (MSA)
 
 ### Network considerations
 
-Quick Assist communicates over port 443 (https) and connects to the Remote Assistance Service at `https://remoteassistance.support.services.microsoft.com` by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2.
-
-Both the helper and sharer must be able to reach these endpoints over port 443:
+Quick Assist communicates over port 443 (https) and connects to the Remote Assistance Service at `https://remoteassistance.support.services.microsoft.com` by using the Remote Desktop Protocol (RDP). The traffic is encrypted with TLS 1.2. Both the helper and sharer must be able to reach these endpoints over port 443:
 
 | Domain/Name | Description |
 |--|--|
-| `*.api.support.microsoft.com` | API access for Quick Assist |
-| `*.aria.microsoft.com` | Used for accessibility features within the app |
-| `*.cc.skype.com` | Azure Communication Service for chat and connection between parties |
-| `*.channelservices.microsoft.com` | Required for chat services within Quick Assist |
-| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist |
-| `*.edgeassetservice.azureedge.net` | Used for diagnostic data |
-| `*.flightproxy.skype.com` | Azure Communication Service for chat and connection between parties |
-| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) |
-| `*.monitor.azure.com` | Service Performance Monitoring |
-| `*.registrar.skype.com` | Azure Communication Service for chat and connection between parties. |
-| `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. |
+| `*.aria.microsoft.com` | Accessible Rich Internet Applications (ARIA) service for providing accessible experiences to users. |
+| `*.cc.skype.com` | Required for Azure Communication Service. |
+| `*.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
+| `*.flightproxy.skype.com` | Required for Azure Communication Service. |
+| `*.live.com` | Required for logging in to the application (MSA). |
+| `*.monitor.azure.com` | Required for telemetry and remote service initialization. |
+| `*.registrar.skype.com` | Required for Azure Communication Service. |
 | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application |
-| `*.trouter.skype.com` | Azure Communication Service for chat and connection between parties. |
-| `*.turn.azure.com` | Protocol used to help endpoint. |
-| `*.vortex.data.microsoft.com` | Used for diagnostic data |
-| `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
-| `edge.skype.com` | Azure Communication Service for chat and connection between parties. |
-| `events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. |
+| `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
+| `aadcdn.msauth.net` | Required for logging in to the application (AAD). |
+| `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. |
+| `login.microsoftonline.com` | Required for Microsoft login service. |
+| `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. |
+| `turn.azure.com` | Required for Azure Communication Service. |
+
+> [!IMPORTANT]
+> Quick Assist uses Edge WebView2 browser control. For a list of domain URLs that you need to add to the allow list to ensure that the Edge WebView2 browser control can be installed and updated, see [Allow list for Microsoft Edge endpoints](/deployedge/microsoft-edge-security-endpoints).
 
 ## How it works
 
@@ -123,13 +120,13 @@ For more information, visit [Install Quick Assist](https://support.microsoft.com
 
 Before installing Quick Assist, you'll need to set up synchronization between Intune and Microsoft Store for Business. If you've already set up sync, log into [Microsoft Store for Business](https://businessstore.microsoft.com) and skip to step 5.
 
-1. Go to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) and navigate to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant administration** / **Connectors and tokens** / **Microsoft Store for Business** and verify that **Microsoft Store for Business sync** is set to **Enable**.
 1. Using your Global Admin account, log into [Microsoft Store for Business](https://businessstore.microsoft.com).
 1. Select **Manage** / **Settings** and turn on **Show offline apps**.
 1. Choose the **Distribute** tab and verify that **Microsoft Intune** is **Active**. You may need to use the **+Add management tool** link if it's not.
 1. Search for **Quick Assist** and select it from the Search results.
 1. Choose the **Offline** license and select **Get the app**
-1. From the Intune portal (Endpoint Manager admin center) choose **Sync**.
+1. In the Endpoint Manager admin center, choose **Sync**.
 1. Navigate to **Apps** / **Windows** and you should see **Quick Assist (Offline)** in the list.
 1. Select it to view its properties. By default, the app won't be assigned to anyone or any devices, select the **Edit** link.
 1. Assign the app to the required group of devices and choose **Review + save** to complete the application install.
diff --git a/windows/client-management/reclaim-seat-from-user.md b/windows/client-management/reclaim-seat-from-user.md
index bdd37fcbbe..f6508be544 100644
--- a/windows/client-management/reclaim-seat-from-user.md
+++ b/windows/client-management/reclaim-seat-from-user.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 05/05/2020
 ---
diff --git a/windows/client-management/register-your-free-azure-active-directory-subscription.md b/windows/client-management/register-your-free-azure-active-directory-subscription.md
index c73053417b..2d326ac269 100644
--- a/windows/client-management/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/register-your-free-azure-active-directory-subscription.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/rest-api-reference-windows-store-for-business.md b/windows/client-management/rest-api-reference-windows-store-for-business.md
index 3dc28440bd..526f7f8c83 100644
--- a/windows/client-management/rest-api-reference-windows-store-for-business.md
+++ b/windows/client-management/rest-api-reference-windows-store-for-business.md
@@ -8,8 +8,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 09/18/2017
 ---
diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md
index 1f89f971a0..c0a307103f 100644
--- a/windows/client-management/server-requirements-windows-mdm.md
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -8,8 +8,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md
index 790d0e2e79..5e5008f0eb 100644
--- a/windows/client-management/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md
@@ -1,12 +1,12 @@
 ---
 title: Structure of OMA DM provisioning files
 description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md
index f61c7698e1..4a730f6508 100644
--- a/windows/client-management/understanding-admx-backed-policies.md
+++ b/windows/client-management/understanding-admx-backed-policies.md
@@ -3,11 +3,11 @@ title: Understanding ADMX policies
 description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
index d42e777b93..5c5b946138 100644
--- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -5,8 +5,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md
index e64d03da7e..830640d4c2 100644
--- a/windows/client-management/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md
@@ -3,11 +3,11 @@ title: Win32 and Desktop Bridge app ADMX policy Ingestion
 description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps.
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2020
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ---
 
diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md
index 2ec424585c..89b5f46cfd 100644
--- a/windows/client-management/windows-libraries.md
+++ b/windows/client-management/windows-libraries.md
@@ -2,10 +2,10 @@
 ms.reviewer: 
 manager: aaroncz
 title: Windows Libraries
-ms.prod: windows-server-threshold
+ms.prod: windows-client
 ms.author: vinpa
 ms.manager: dongill
-ms.technology: storage
+ms.technology: itpro-manage
 ms.topic: article
 author: vinaypamnani-msft
 description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md
index b9eadf5502..c773fbc2ea 100644
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,15 +1,15 @@
 ---
 title: Enterprise settings, policies, and app management
 description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
-MS-HAID:
+MS-HAID: 
   - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management'
   - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings'
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index 939d36455a..0ca2a86f1e 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -2,7 +2,7 @@
 title: What version of Windows am I running?
 description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
 keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build
-ms.prod: w10
+ms.prod: windows-client
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: vinaypamnani-msft
@@ -11,6 +11,7 @@ ms.date: 04/30/2018
 ms.reviewer: 
 manager: aaroncz
 ms.topic: troubleshooting
+ms.technology: itpro-manage
 ---
 
 # What version of Windows am I running?
diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md
index d4efdf99e2..3d701812c0 100644
--- a/windows/client-management/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/wmi-providers-supported-in-windows.md
@@ -1,15 +1,15 @@
 ---
 title: WMI providers supported in Windows 10
 description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
-MS-HAID:
+MS-HAID: 
   - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview'
   - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows'
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
 ---
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 177b63d3e2..979f7648a6 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -37,7 +37,7 @@
         - name: Use mobile device management (MDM)
           href: customize-windows-10-start-screens-by-using-mobile-device-management.md
         - name: Troubleshoot Start menu errors
-          href: start-layout-troubleshoot.md
+          href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors
         - name: Changes to Start policies in Windows 10
           href: changes-to-start-policies-in-windows-10.md
     - name: Accessibility settings
@@ -89,7 +89,7 @@
         - name: Use MDM Bridge WMI Provider to create a Windows client kiosk
           href: kiosk-mdm-bridge.md
         - name: Troubleshoot kiosk mode issues
-          href: kiosk-troubleshoot.md
+          href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting
 
 - name: Configure multi-user and guest devices 
   items:
@@ -327,7 +327,7 @@
                   href: ue-v/uev-manage-configurations.md
                 - name: Configuring UE-V with Group Policy Objects
                   href: ue-v/uev-configuring-uev-with-group-policy-objects.md
-                - name: Configuring UE-V with Microsoft Endpoint Configuration Manager
+                - name: Configuring UE-V with Microsoft Configuration Manager
                   href: ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
                 - name: Administering UE-V with Windows PowerShell and WMI
                   href: ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index 350a9ffd87..d41be6da7b 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -3,12 +3,13 @@ title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10)
 description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 11/28/2017
+ms.technology: itpro-configure
 ---
 
 # Changes to Group Policy settings for Windows 10 Start
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 53a58baf77..a90fd2bb19 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -2,7 +2,7 @@
 title: Configure Windows 10 taskbar (Windows 10)
 description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
 keywords: [taskbar layout, pin apps]
-ms.prod: w10
+ms.prod: windows-client
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: lizgt2000
@@ -13,6 +13,7 @@ ms.date: 01/18/2018
 ms.reviewer: 
 manager: aaroncz
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 # Configure Windows 10 taskbar
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 3790905b51..404702922b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -1,13 +1,14 @@
 ---
 title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in Windows
 description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index 0f3bf0b348..c40796bd2a 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -1,13 +1,14 @@
 ---
 title: Send feedback about Cortana at work back to Microsoft
-description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues..
-ms.prod: w10
+description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues.
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Send feedback about Cortana back to Microsoft
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index 1d18b8d49d..ad09a7c543 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -1,7 +1,7 @@
 ---
 title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
 description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings.
-ms.prod: w10
+ms.prod: windows-client
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: aczechowski
@@ -10,6 +10,7 @@ ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
@@ -29,7 +30,7 @@ There are a few things to be aware of before you start using Cortana in Windows
 
 - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn&#39;t a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy).
 
-- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution.
+- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Configuration Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution.
 
 - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana).
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 81cc7d9dff..f19e425791 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -3,10 +3,11 @@ title: Configure Cortana in Windows 10 and Windows 11
 ms.reviewer: 
 manager: dougeby
 description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Configure Cortana in Windows 10 and Windows 11
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 97966260a0..479f178665 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -1,12 +1,13 @@
 ---
 title: Configure Cortana with Group Policy and MDM settings (Windows)
 description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index fd81d85f3a..daec3595bb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -1,13 +1,14 @@
 ---
 title: Set up and test Cortana for Power BI in your organization (Windows)
 description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Set up and test Cortana for Power BI in your organization
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index f19d6c310d..9d10404c6d 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,12 +1,13 @@
 ---
 title: Sign into Azure AD, enable the wake word, and try a voice query
 description: A test scenario walking you through signing in and managing the notebook.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 32d197bae2..d31430c312 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -1,13 +1,14 @@
 ---
 title: Perform a quick search with Cortana at work (Windows)
 description: This scenario is a test scenario about how to perform a quick search with Cortana at work.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 2 – Perform a Bing search with Cortana
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index f6d46feb8f..48b5bfd328 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -1,13 +1,14 @@
 ---
 title: Set a reminder for a location with Cortana at work (Windows)
 description: A test scenario about how to set a location-based reminder using Cortana at work.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 3 - Set a reminder
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index 582e780d1f..0ce5972f23 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -1,13 +1,14 @@
 ---
 title: Use Cortana at work to find your upcoming meetings (Windows)
 description: A test scenario on how to use Cortana at work to find your upcoming meetings.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index 5085f7608d..0111aba809 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -1,13 +1,14 @@
 ---
 title: Use Cortana to send email to a co-worker (Windows)
 description: A test scenario about how to use Cortana at work to send email to a co-worker.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 5 - Test scenario 5 – Find out about a person
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index dcc810fb0f..a6c2d4c3bb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -1,13 +1,14 @@
 ---
 title: Review a reminder suggested by Cortana (Windows)
 description: A test scenario on how to use Cortana with the Suggested reminders feature.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 6 – Change your language and perform a quick search with Cortana
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 942d908f2b..e8caaf8cf3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -1,13 +1,14 @@
 ---
 title: Help protect data with Cortana and WIP (Windows)
 description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 55023907da..19dce90d45 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -1,13 +1,14 @@
 ---
 title: Cortana at work testing scenarios
 description: Suggested testing scenarios that you can use to test Cortana in your organization.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 06/28/2021
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Cortana at work testing scenarios
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index d38268d716..26f401808e 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -1,13 +1,14 @@
 ---
 title: Set up and test custom voice commands in Cortana for your organization (Windows)
 description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Set up and test custom voice commands in Cortana for your organization
@@ -30,27 +31,27 @@ To enable voice commands in Cortana
 
     - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
 
-2.	**Install the VCD file on employees' devices**. You can use Microsoft Endpoint Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
+2.	**Install the VCD file on employees' devices**. You can use Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
 
 ## Test scenario: Use voice commands in a Microsoft Store app
 While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization.
 
 **To get a Microsoft Store app**
-1. Go to the Microsoft Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**.
+1. Go to the Microsoft Store, scroll down to the **Collections** area, select **Show All**, and then select **Better with Cortana**.
 
-2. Click **Uber**, and then click **Install**.
+2. Select **Uber**, and then select **Install**.
 
 3. Open Uber, create an account or sign in, and then close the app.
 
 **To set up the app with Cortana**
-1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon.
+1. Select on the **Cortana** search box in the taskbar, and then select the **Notebook** icon.
 
-2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
+2. Select on **Connected Services**, select **Uber**, and then select **Connect**.
 
     ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png)
 
 **To use the voice-enabled commands with Cortana**
-1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
+1. Select on the **Cortana** icon in the taskbar, and then select the **Microphone** icon (to the right of the **Search** box).
 
 2. Say _Uber get me a taxi_.
 
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index 2a50408b60..53ab837468 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -3,10 +3,11 @@ title: Set up and test Cortana in Windows 10, version 2004 and later
 ms.reviewer: 
 manager: dougeby
 description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Set up and test Cortana in Windows 10, version 2004 and later
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
index d11ddd9fbf..c3456c0ae6 100644
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -1,13 +1,14 @@
 ---
 title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
 description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook
diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md
index f9128ac53e..2a7d33cdbf 100644
--- a/windows/configuration/cortana-at-work/test-scenario-2.md
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md
@@ -1,13 +1,14 @@
 ---
 title: Test scenario 2 - Perform a quick search with Cortana at work
 description: A test scenario about how to perform a quick search with Cortana at work.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 2 – Perform a quick search with Cortana at work
diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md
index 0bef2a7ad9..1724baee87 100644
--- a/windows/configuration/cortana-at-work/test-scenario-3.md
+++ b/windows/configuration/cortana-at-work/test-scenario-3.md
@@ -1,13 +1,14 @@
 ---
 title: Test scenario 3 - Set a reminder for a specific location using Cortana at work
 description: A test scenario about how to set up, review, and edit a reminder based on a location.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 3 - Set a reminder for a specific location using Cortana at work
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index 45d2df199c..8cad2a9dab 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -1,13 +1,14 @@
 ---
 title: Use Cortana to find your upcoming meetings at work (Windows)
 description: A test scenario about how to use Cortana at work to find your upcoming meetings.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 4 - Use Cortana to find your upcoming meetings at work
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index 4a890aca59..d3b93dd8a0 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -1,13 +1,14 @@
 ---
 title: Use Cortana to send an email to co-worker (Windows)
 description: A test scenario on how to use Cortana at work to send email to a co-worker.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 5 - Use Cortana to send an email to co-worker
diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md
index 8a9d2fec64..fbd5290713 100644
--- a/windows/configuration/cortana-at-work/test-scenario-6.md
+++ b/windows/configuration/cortana-at-work/test-scenario-6.md
@@ -1,13 +1,14 @@
 ---
 title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
 description: A test scenario about how to use Cortana with the Suggested reminders feature.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
index b62794ff0f..701b2f4f58 100644
--- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
+++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
@@ -1,13 +1,14 @@
 ---
 title: Testing scenarios using Cortana in your business or organization
 description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.date: 10/05/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Testing scenarios using Cortana in your business or organization
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 747d7491b2..77f7406fb8 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -3,13 +3,14 @@ title: Customize and export Start layout (Windows 10)
 description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/18/2018
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Customize and export Start layout
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index d50036f2c7..00570b40da 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -4,10 +4,11 @@ description: Export Start layout to LayoutModification.json with pinned apps, an
 manager: aaroncz
 ms.author: lizlong
 ms.reviewer: ericpapa
-ms.prod: w11
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Customize the Start menu layout on Windows 11
@@ -24,17 +25,17 @@ For example, you can override the default set of apps with your own a set of pin
 
 To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
 
-This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Endpoint Manager policy.
+This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Intune policy.
 
 ## Before you begin
 
 - When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. You can't prevent users from changing the layout.
 
-- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
+- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
 
   In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
 
-  - [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
+  - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
   - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
   - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
 
@@ -54,23 +55,16 @@ Start has the following areas:
 
   The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list.
 
-  In **Endpoint Manager**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
+  In **Intune**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Intune policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
 
   In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
 
   - `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
   - `User Configuration\Administrative Templates\Start Menu and Taskbar`
 
-- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file.
+- **Recommended**: Shows recently opened files and recently installed apps. This section can only be customized in Windows 11 SE using the following policy.
 
-  The  [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar.
-
-  In **Endpoint Manager**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
-
-  In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
-
-  - `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
-  - `User Configuration\Administrative Templates\Start Menu and Taskbar`
+  - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Recommended section from Start Menu`
 
 ## Create the JSON file
 
@@ -124,15 +118,15 @@ If you're familiar with creating JSON files, you can create your own `LayoutModi
 
 Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization.
 
-MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD).  Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list.
+MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD).  Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list.
 
-This section shows you how to create a pinned list policy in Endpoint Manager. There isn't a Group Policy to create a pinned list.
+This section shows you how to create a pinned list policy in Intune. There isn't a Group Policy to create a pinned list.
 
-### Create a pinned list using an Endpoint Manager policy
+### Create a pinned list using an Intune policy
 
 To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment).
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
@@ -174,7 +168,7 @@ To deploy this policy, the devices must be enrolled, and managed by your organiz
 
 The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md).
 
-### Deploy the policy using Endpoint Manager
+### Deploy the policy using Intune
 
 When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time.
 
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index 18237e9510..9b5dec303f 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -1,13 +1,14 @@
 ---
 title: Configure and customize Windows 11 taskbar | Microsoft Docs
-description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded.
+description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Intune. See what happens to the taskbar when the Windows OS client is installed or upgraded.
 manager: aaroncz
 ms.author: lizlong
 ms.reviewer: chataylo
-ms.prod: w11
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Customize the Taskbar on Windows 11
@@ -36,17 +37,17 @@ This article shows you how to create the XML file, add apps to the XML, and depl
 
 - Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
 
-- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
+- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
 
   In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
 
-  - [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
+  - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview)
   - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
   - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
 
 ## Create the XML file
 
-1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins two apps to the taskbar - File Explorer and the Command Prompt:
+1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins 2 apps to the taskbar - File Explorer and the Command Prompt:
 
     ```xml
     <?xml version="1.0" encoding="utf-8"?>
@@ -133,7 +134,7 @@ This article shows you how to create the XML file, add apps to the XML, and depl
 
 ## Use Group Policy or MDM to create and deploy a taskbar policy
 
-Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Endpoint Manager.
+Now that you have the XML file with your customized taskbar, you're ready to deploy it to devices in your organization. You can deploy your taskbar XML file using Group Policy, or using an MDM provider, like Microsoft Intune.
 
 This section shows you how to deploy the XML both ways.
 
@@ -159,13 +160,13 @@ Use the following steps to add your XML file to a group policy, and apply the po
 
     For more information on using group policies, see [Implement Group Policy Objects](/training/modules/implement-group-policy-objects/).
 
-### Create a Microsoft Endpoint Manager policy to deploy your XML file
+### Create a Microsoft Intune policy to deploy your XML file
 
-MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list.
+MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Intune, you can deploy a policy that configures the pinned list.
 
-Use the following steps to create an Endpoint Manager policy that deploys your taskbar XML file:
+Use the following steps to create an Intune policy that deploys your taskbar XML file:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 
@@ -187,7 +188,7 @@ Use the following steps to create an Endpoint Manager policy that deploys your t
 
 8. When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized taskbar, the policy can also be deployed before users sign in the first time.
 
-    For more information and guidance on assigning policies using Microsoft Endpoint Manager, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
+    For more information and guidance on assigning policies using Microsoft Intune, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
 
 > [!NOTE]
 > For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index dff79978bd..7752ed29fa 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -3,12 +3,13 @@ title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10)
 description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Customize Windows 10 Start and taskbar with Group Policy
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index d14d3320b6..ff5c66875f 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -3,12 +3,13 @@ title: Change the Windows 10 Start and taskbar using mobile device management |
 description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.topic: article
 ms.author: lizlong
 ms.localizationpriority: medium
 ms.date: 08/05/2021
+ms.technology: itpro-configure
 ---
 
 # Customize Windows 10 Start and taskbar with mobile device management (MDM)
@@ -54,7 +55,7 @@ Two features enable Start layout control:
 
 The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 33777e162b..a853a65ee5 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -3,11 +3,12 @@ title: Customize Windows 10 Start and taskbar with provisioning packages (Window
 description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
+ms.technology: itpro-configure
 ---
 
 # Customize Windows 10 Start and taskbar with provisioning packages
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 346cc5e640..315f3afa7f 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -36,7 +36,7 @@
       "recommendations": true,
       "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
       "uhfHeaderId": "MSDocsHeader-M365-IT",
-      "ms.technology": "windows",
+      "ms.technology": "itpro-configure",
       "ms.topic": "article",
       "feedback_system": "GitHub",
       "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index 27d56ce3c5..89cfab1cba 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -7,8 +7,9 @@ author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
-ms.prod: w10
+ms.prod: windows-client
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 # Find the Application User Model ID of an installed app
 
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 28d7a44308..a5150fcdcb 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -2,7 +2,7 @@
 title: Guidelines for choosing an app for assigned access (Windows 10/11)
 description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
 keywords: [kiosk, lockdown, assigned access]
-ms.prod: w10
+ms.prod: windows-client
 ms.mktglfcycl: manage
 ms.sitesec: library
 author: lizgt2000
@@ -12,6 +12,7 @@ ms.topic: article
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Guidelines for choosing an app for assigned access (kiosk mode)
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index be1a9d7a92..fe0ebfbafc 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -6,12 +6,9 @@ summary: Find out how to apply custom configurations to Windows 10 and Windows 1
 metadata:
   title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars.
-  services: windows-10
-  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.subservice: subservice
   ms.topic: landing-page # Required
+  ms.prod: windows-client
   ms.collection:
-    - windows-10
     - highpri
   author: aczechowski
   ms.author: aaroncz
diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md
index 3028bbe1c0..fd0756d5ca 100644
--- a/windows/configuration/kiosk-additional-reference.md
+++ b/windows/configuration/kiosk-additional-reference.md
@@ -4,10 +4,11 @@ description: Find more information for configuring, validating, and troubleshoot
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: reference
+ms.technology: itpro-configure
 ---
 
 # More kiosk methods and reference information
@@ -31,5 +32,4 @@ Topic | Description
 [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps.
 [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) |  Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface.
 [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class.
-[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration.
-
+[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration.
\ No newline at end of file
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
index abda04599e..3e6444f439 100644
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -4,10 +4,11 @@ description: Environments that use Windows Management Instrumentation (WMI) can
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Use MDM Bridge WMI Provider to create a Windows client kiosk
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index f2071ae8ea..00f8c0181b 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -4,11 +4,11 @@ ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
 description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: lizgt2000
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Configure kiosks and digital signs on Windows desktop editions
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index fda5b337bf..32f8c08e76 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -3,11 +3,12 @@ title: Policies enforced on kiosk devices (Windows 10/11)
 description: Learn about the policies enforced on a device when you configure it as a kiosk.
 ms.reviewer: sybruckm
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Policies enforced on kiosk devices
@@ -55,7 +56,7 @@ Remove Task Manager |		Enabled
 Remove Change Password option in Security Options UI |		Enabled
 Remove Sign Out option in Security Options UI	 |	Enabled
 Remove All Programs list from the Start Menu	 |	Enabled – Remove and disable setting
-Prevent access to drives from My Computer	 |	Enabled - Restrict all drivers
+Prevent access to drives from My Computer	 |	Enabled - Restrict all drives
 
 >[!NOTE]
 >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 011b3f06f3..5ac71f90ec 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -4,11 +4,11 @@ description: Learn how to prepare a device for kiosk configuration. Also, learn
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Prepare a device for kiosk configuration
@@ -29,9 +29,9 @@ ms.collection: highpri
 
   Assigned access can be configured using Windows Management Instrumentation (WMI) or configuration service provider (CSP). Assigned access runs an application using a domain user or service account, not a local account. Using a domain user or service accounts has risks, and might allow an attacker to gain access to domain resources that are accessible to any domain account. When using domain accounts with assigned access, proceed with caution. Consider the domain resources potentially exposed by using a domain account.
 
-- MDM providers, such as [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
+- MDM providers, such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), use the configuration service providers (CSP) exposed by the Windows OS to manage settings on devices. In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
 
-  - [Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started)
+  - [Endpoint Management at Microsoft](/mem/endpoint-manager-getting-started)
   - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
   - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
 
@@ -43,7 +43,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
   - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications`
 
-  - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
+  - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
 
   - **Use the registry**:
 
@@ -58,7 +58,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 - **Enable and schedule automatic updates**. To enable this feature, you have the following options:
 
   - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`.
-  - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
+  - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
 
   You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available.
 
@@ -66,7 +66,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
   - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`.
 
-  - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
+  - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Intune, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
 
 - **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
 
@@ -91,7 +91,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
 - **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
 
-  - **Use an MDM provider**: In Endpoint Manager, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
+  - **Use an MDM provider**: In Intune, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
   - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen).
 
 - **Disable the hardware power button**: To enable this feature, you have the following options:
@@ -110,7 +110,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
       To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group.
 
-  - **Use an MDM provider**: In Endpoint Manager, you have some options:
+  - **Use an MDM provider**: In Intune, you have some options:
 
     - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
 
@@ -130,7 +130,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
   - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
 
-  - **Use MDM**: In Endpoint Manager, you have the following option:
+  - **Use MDM**: In Intune, you have the following option:
 
     - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
 
@@ -145,7 +145,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
   - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
 
-  - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Endpoint Manager, you have the following options:
+  - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Intune, you have the following options:
 
     - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage.
     - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
@@ -164,7 +164,7 @@ For a more secure kiosk experience, we recommend that you make the following con
     - `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
     - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
 
-  - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Endpoint Manager, you have the following options:
+  - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Intune, you have the following options:
 
     - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
 
@@ -186,7 +186,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
     To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
 
-  - **Use an MDM provider**: In Endpoint Manager, you have the following options:
+  - **Use an MDM provider**: In Intune, you have the following options:
 
     - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
 
@@ -206,7 +206,7 @@ For a more secure kiosk experience, we recommend that you make the following con
 
 ## Enable logging
 
-Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
+Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
 
 :::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
 
@@ -244,7 +244,7 @@ You may also want to set up **automatic logon** for your kiosk device. When your
      > [!NOTE]
      > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
 
-   - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
+   - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, don't add this key.
 
 4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
 
@@ -258,7 +258,7 @@ You may also want to set up **automatic logon** for your kiosk device. When your
 
 The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
 
-- **Accessibility**: Assigned access does not change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
+- **Accessibility**: Assigned access doesn't change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
 
   | Key combination | Blocked behavior |
   | --- | --- | 
@@ -270,7 +270,7 @@ The following table describes some features that have interoperability issues we
 
 - **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users.
 
-  Alt + F4, Alt + Shift + Tab, Alt + Tab are not blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
+  Alt + F4, Alt + Shift + Tab, Alt + Tab aren't blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
 
   Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
 
@@ -283,7 +283,7 @@ The following table describes some features that have interoperability issues we
   | Ctrl + Shift + Esc | Open Task Manager. |
   | Ctrl + Tab | Switch windows within the application currently open. |
   | LaunchApp1 | Open the app that is assigned to this key. |
-  | LaunchApp2 | Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. |
+  | LaunchApp2 | Open the app that is assigned to this key. On many Microsoft keyboards, the app is Calculator. |
   | LaunchMail | Open the default mail client. |
   | Windows logo key | Open the Start screen. |
 
@@ -293,7 +293,7 @@ The following table describes some features that have interoperability issues we
 
   [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education.
 
-- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it's in assigned access.
+- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user can't turn off the device when it's in assigned access.
 
   For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
 
@@ -315,7 +315,7 @@ Customers sometimes use virtual machines (VMs) to test configurations before dep
 
 A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. 
 
-When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session.
+When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** isn't selected in the **View** menu; that means it's a basic session.
 
 :::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used.":::
 
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index b2ccf80c40..5987383d91 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -4,11 +4,11 @@ description: Shell Launcher lets you change the default shell that launches when
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Use Shell Launcher to create a Windows client kiosk
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 8410a63f1f..8fe9c59229 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -4,11 +4,12 @@ description: A single-use device is easy to set up in Windows 10 and Windows 11
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Set up a single-app kiosk on Windows 10/11
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
deleted file mode 100644
index ad0602aff4..0000000000
--- a/windows/configuration/kiosk-troubleshoot.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Troubleshoot kiosk mode issues (Windows 10/11)
-description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
-ms.reviewer: sybruckm
-manager: aaroncz
-ms.prod: w10
-author: lizgt2000
-ms.localizationpriority: medium
-ms.author: lizlong
-ms.topic: article
----
-
-# Troubleshoot kiosk mode issues
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-## Single-app kiosk issues
-
->[!TIP]
->We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem.
-
-### Sign-in issues 
-
-1. Verify that User Account Control (UAC) is turned on. 
-2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
-
-### Automatic logon issues 
-
-Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
-
-## Multi-app kiosk issues
-
-> [!NOTE]
-> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)]
-
-### Unexpected results 
-
-For example:
-- Start is not launched in full-screen
-- Blocked hotkeys are allowed
-- Task Manager, Cortana, or Settings can be launched
-- Start layout has more apps than expected
-
-**Troubleshooting steps**
-
-1. [Verify that the provisioning package is applied successfully](kiosk-validate.md).
-2. Verify that the account (config) is mapped to a profile in the configuration XML file.
-3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
-4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
-
-![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png)
-
-
-### Automatic logon issues 
-
-Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.
-
-### Apps configured in AllowedList are blocked 
-
-1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile. 
-2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**).
-
-
-### Start layout not as expected 
-
-- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid.
-- Check if the apps included in the Start layout are installed for the assigned access user.
-- Check if the shortcut exists on the target device, if a desktop app is missing on Start.
-
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
index 6a43b111e8..0d457a1715 100644
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@@ -4,10 +4,11 @@ description: In this article, learn what to expect on a multi-app kiosk in Windo
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Validate kiosk configuration
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index e0277d5709..d2d862af7b 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -3,11 +3,12 @@ title: Assigned Access configuration kiosk XML reference (Windows 10/11)
 description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11.
 ms.reviewer: sybruckm
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Assigned Access configuration (kiosk) XML reference
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
index 7c5751d47e..0b37ec1768 100644
--- a/windows/configuration/lock-down-windows-10-applocker.md
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -3,12 +3,13 @@ title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windo
 description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps.
 ms.reviewer: sybruckm
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.date: 07/30/2018
 ms.author: lizlong
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Use AppLocker to create a Windows 10 kiosk that runs multiple apps
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 7f321d5025..4173a48861 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,8 +1,8 @@
 ---
 title: Set up a multi-app kiosk on Windows 10
 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-configure
 author: lizgt2000
 ms.author: lizlong
 manager: aaroncz
@@ -576,7 +576,7 @@ These apps are in addition to any mixed reality apps that you allow.
 
 After the admin has completed setup, the kiosk account can sign in and repeat the setup. The admin user may want to complete the kiosk user setup before providing the PC to employees or customers.
 
-There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
+There's a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](/windows/mixed-reality/discover/navigating-the-windows-mixed-reality-home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they'll see only a blank display in the device, and won't have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen.
 
 ## Policies set by multi-app kiosk configuration
 
diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
index 05bf244383..dab9d24432 100644
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -3,11 +3,12 @@ title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10)
 description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
+ms.technology: itpro-configure
 ---
 
 # Lockdown features from Windows Embedded 8.1 Industry
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
index 13dd5ee45a..c4f9b5a850 100644
--- a/windows/configuration/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -1,7 +1,7 @@
 ---
 title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10)
 description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
@@ -9,6 +9,7 @@ ms.localizationpriority: medium
 ms.date: 09/20/2017
 ms.reviewer: 
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index eaff525abc..8df16b0bf1 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -4,10 +4,11 @@ description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get onl
 ms.reviewer: 
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Manage Wi-Fi Sense in your company
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
index 2971e83a97..4600c0eaf2 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/provisioning-apn.md
@@ -3,12 +3,13 @@ title: Configure cellular settings for tablets and PCs (Windows 10)
 description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 04/13/2018
+ms.technology: itpro-configure
 ---
 
 # Configure cellular settings for tablets and PCs
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index a1ac8234e6..f6230ee388 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -3,11 +3,12 @@ title: Configuration service providers for IT pros (Windows 10/11)
 description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
 ms.reviewer: gkomatsu
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
+ms.technology: itpro-configure
 ---
 
 # Configuration service providers for IT pros
@@ -31,7 +32,7 @@ CSPs are behind many of the management tasks and policies for Windows client, bo
 
 :::image type="content" source="../images/policytocsp.png" alt-text="How intune maps to CSP":::
 
-CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
+CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
 
 ### Synchronization Markup Language (SyncML)
 
@@ -55,7 +56,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p
 
 Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
 
-:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in icd.":::
+:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in ICD.":::
 
 [Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
 
@@ -81,7 +82,7 @@ The full path to a specific configuration setting is represented by its Open Mob
 
 The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
 
-:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access csp tree.":::
+:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access CSP tree.":::
 
 The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
 
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 149f92d455..12383a7586 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -3,11 +3,12 @@ title: Provision PCs with common settings (Windows 10/11)
 description: Create a provisioning package to apply common settings to a PC running Windows 10.
 ms.reviewer: gkomatsu
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
+ms.technology: itpro-configure
 ---
 
 # Provision PCs with common settings for initial deployment (desktop wizard)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index cfa21daedd..073685eb1c 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -1,7 +1,7 @@
 ---
 title: Provision PCs with apps and certificates (Windows 10)
 description: Create a provisioning package to apply settings to a PC running Windows 10.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
@@ -9,6 +9,7 @@ ms.localizationpriority: medium
 ms.date: 07/27/2017
 ms.reviewer: 
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Provision PCs with apps and certificates for initial deployment (advanced provisioning)
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index 7e5632400f..dd404266a8 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,13 +1,14 @@
 ---
 title: Provision PCs with apps  (Windows 10/11)
 description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.author: lizlong
 ms.topic: article
 ms.reviewer: gkomatsu
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Provision PCs with apps 
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index f3f3796147..34e5609b63 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -1,13 +1,14 @@
 ---
 title: Apply a provisioning package (Windows 10/11)
 description: Provisioning packages can be applied to a device during initial setup (OOBE) and after (runtime).
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Apply a provisioning package
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index 365710b8c3..cebf8679f9 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -1,13 +1,14 @@
 ---
 title: Windows Configuration Designer command-line interface (Windows 10/11)
 description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Windows Configuration Designer command-line interface (reference)
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 945abf326f..6e8bd7a6fb 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -1,14 +1,14 @@
 ---
 title: Create a provisioning package (Windows 10/11)
 description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
-ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Create a provisioning package
@@ -149,7 +149,7 @@ For details on each specific setting, see [Windows Provisioning settings referen
 
 ## Learn more
 
-- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
+- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
 
 ## Related articles
 
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index 935cd2807e..f06f67b436 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -1,13 +1,14 @@
 ---
 title: How provisioning works in Windows 10/11
 description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # How provisioning works in Windows
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 6440a0c7d2..a18e5b29ce 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -1,7 +1,7 @@
 ---
 title: Install Windows Configuration Designer (Windows 10/11)
 description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
@@ -9,6 +9,7 @@ ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Install Windows Configuration Designer, and learn about any limitations
@@ -51,6 +52,8 @@ On devices running Windows client, you can install [the Windows Configuration De
 
 ## Current Windows Configuration Designer limitations
 
+- When running Windows Configuration Designer on Windows releases earlier than Windows 10, version 2004 you might need to enable TLS 1.2, especially if using Bulk Enrollment Tokens.  You may see the error message in the `icd.log` file: `Error: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure AD` For more information, see [Enable TLS 1.2 on client or server operating systems](/troubleshoot/azure/active-directory/enable-support-tls-environment#enable-tls-12-on-client-or-server-operating-systems-).
+ 
 - Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
 
 - You can only run one instance of Windows Configuration Designer on your computer at a time.
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index 36f22395b0..45a99e20e8 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -1,13 +1,14 @@
 ---
 title: Create a provisioning package with multivariant settings (Windows 10/11)
 description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
 ms.author: lizlong
+ms.technology: itpro-configure
 ---
 
 # Create a provisioning package with multivariant settings
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 48a18fc43e..5c61eb922b 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -3,12 +3,13 @@ title: Provisioning packages overview on Windows 10/11
 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
 ms.reviewer: gkomatsu
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Provisioning packages for Windows
@@ -18,11 +19,11 @@ ms.collection: highpri
 - Windows 10
 - Windows 11
 
-Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. 
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. When you use Windows provisioning, an IT administrator can easily specify the desired configuration and settings required to enroll the devices into management. Then, apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. 
 
 A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
 
-Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
+Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. It can result in a significant reduction in the time required to configure multiple devices in your organization.
 
 <!-- The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages.--> 
 Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). 
@@ -92,7 +93,7 @@ The following table provides some examples of settings that you can configure us
 |---|---|
 | Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
 | Applications  |   Windows apps, line-of-business applications  |
-| Bulk enrollment into MDM  | Automatic enrollment into a third-party MDM service <br/><br/>Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager isn't supported. To enroll devices, use the Configuration Manager console. |
+| Bulk enrollment into MDM  | Automatic enrollment into a third-party MDM service <br/><br/>Using a provisioning package for auto-enrollment to Microsoft Intune isn't supported. To enroll devices, use the Configuration Manager console. |
 | Certificates | Root certification authority (CA), client certificates |
 | Connectivity profiles | Wi-Fi, proxy settings, Email   |
 | Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
index 76c5aaf5a9..9b347a6304 100644
--- a/windows/configuration/provisioning-packages/provisioning-powershell.md
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md
@@ -1,13 +1,14 @@
 ---
 title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11)
 description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # PowerShell cmdlets for provisioning Windows client (reference)
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index b203cd0294..ae5b559aae 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -1,13 +1,14 @@
 ---
 title: Use a script to install a desktop app in provisioning packages (Windows 10/11)
 description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Use a script to install a desktop app in provisioning packages
diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
index 553df87c89..2784db5f1e 100644
--- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md
@@ -1,13 +1,14 @@
 ---
 title: Uninstall a provisioning package - reverted settings (Windows 10/11)
 description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: gkomatsu
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Settings changed when you uninstall a provisioning package
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 5a113a2520..beda72c25c 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -2,19 +2,19 @@
 title: Set up a shared or guest Windows device
 description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
 ms.date: 10/15/2022
-ms.prod: windows
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-configure
 ms.topic: reference
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.collection: 
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows 11 SE</b>
 ---
 
 # Set up a shared or guest Windows device
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
index 572cd93eff..b5761ada29 100644
--- a/windows/configuration/setup-digital-signage.md
+++ b/windows/configuration/setup-digital-signage.md
@@ -4,11 +4,12 @@ description: A single-use device such as a digital sign is easy to set up in Win
 ms.reviewer: sybruckm
 manager: aaroncz
 ms.author: lizlong
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
 ms.date: 09/20/2021
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Set up digital signs on Windows 10/11
diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md
index 7f041e6b09..19e203f23c 100644
--- a/windows/configuration/shared-devices-concepts.md
+++ b/windows/configuration/shared-devices-concepts.md
@@ -2,19 +2,19 @@
 title: Manage multi-user and guest Windows devices
 description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
 ms.date: 10/15/2022
-ms.prod: windows
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-configure
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.collection: 
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows 11 SE</b>
 ---
 
 # Manage multi-user and guest Windows devices with Shared PC
diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md
index 2126265a32..a84ff0f030 100644
--- a/windows/configuration/shared-pc-technical.md
+++ b/windows/configuration/shared-pc-technical.md
@@ -2,19 +2,19 @@
 title: Shared PC technical reference
 description: List of policies and settings applied by the Shared PC options.
 ms.date: 10/15/2022
-ms.prod: windows
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-configure
 ms.topic: reference
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.collection: 
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows 11 SE</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows 11 SE</b>
 ---
 
 # Shared PC technical reference
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
deleted file mode 100644
index 28d3a28707..0000000000
--- a/windows/configuration/start-layout-troubleshoot.md
+++ /dev/null
@@ -1,326 +0,0 @@
----
-title: Troubleshoot Start menu errors
-description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance.
-ms.prod: w10
-ms.author: lizlong
-author: lizgt2000
-ms.localizationpriority: medium
-ms.reviewer: 
-manager: aaroncz
-ms.topic: troubleshooting
-ms.collection: highpri
----
-
-# Troubleshoot Start menu errors
-
-Start failures can be organized into these categories:
-
-- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover.
-- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources.
-- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data.
-- **Hangs** - in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start will not have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario.
-- **Other issues** - Customization, domain policies, deployment issues.
-
-## Basic troubleshooting
-	
-When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they are not working as expected. For issues where the Start menu or subcomponent isn't working, you can do some quick tests to narrow down where the issue may reside.
-
-### Check the OS and update version
-
-- Is the system running the latest Feature and Cumulative Monthly update?
-- Did the issue start immediately after an update? Ways to check:
-  - PowerShell:[System.Environment]::OSVersion.Version
-  - WinVer from CMD.exe
-
-### Check if Start is installed
-
-- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully.
-
-- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this problem is to look for output from these two PS commands:
-
-  - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost`
-  - `get-AppXPackage -Name Microsoft.Windows.Cortana`
-
-     :::image type="content" alt-text="Example of output from cmdlets." source="images/start-ts-1.png" lightbox="images/start-ts-1.png":::
-
-    Failure messages will appear if they aren't installed
-
-- If Start is not installed, then the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there is a choice to save to delete user data), or restoring from backup. No method is supported to install Start Appx files. The results are often problematic and unreliable.
-
-### Check if Start is running
-
-If either component is failing to start on boot, reviewing the event logs for errors or crashes during boot may pin point the problem. Booting with MSCONFIG and using a selective or diagnostic startup option will eliminate and/or identify possible interference from additional applications.
-- `get-process -name shellexperiencehost`
-- `get-process -name searchui`
-
-If it is installed but not running, test booting into safe mode or use MSCONFIG to eliminate third-party or additional drivers and applications.
-
-### Check whether the system a clean install or upgrade
-
-- Is this system an upgrade or clean install?
-  - Run `test-path "$env:windir\panther\miglog.xml"`
-  - If that file does not exist, the system is a clean install.
-- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"`
-
-### Check if Start is registered or activated
-
-- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet:
-  - Microsoft-Windows-TWinUI/Operational for Microsoft.Windows.ShellExperienceHost or Microsoft.Windows.Cortana
-    - "Package was not found"
-    - "Invalid value for registry"
-    - "Element not found"
-    - "Package could not be registered"
-    
-If these events are found, Start is not activated correctly. Each event will have more detail in the description and should be investigated further. Event messages can vary.
-
-### Other things to consider
-
-When did the problem start?
-
-- Top issues for Start menu failure are triggered
-  - After an update
-  - After installation of an application
-  - After joining a domain or applying a domain policy
-- Many of those issues are found to be
-  - Permission changes on Registry keys or folders
-  - Start or related component crashes or hangs
-  - Customization failure
-
-To narrow down the problem further, it's good to note:
-
-- What is the install background?
-  - Was this a deployment, install from media, other
-  - Using customizations?
-    - DISM
-    - Group Policy or MDM
-    - copyprofile
-    - Sysprep
-    - Other
-    
-- Domain-joined
-  - Group policy settings that restrict access or permissions to folders or registry keys can cause issues with Start performance.
-  - Some Group Policies intended for Windows 7 or older have been known to cause issues with Start
-  - Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures. 
-  
-- Is the environment virtualized? 
-  - VMware
-  - Citrix
-  - Other
-  
-## Check Event logs that record Start Issues:
-
-- System Event log
-- Application Event log
-- Microsoft/Windows/Shell-Core*
-- Microsoft/Windows/Apps/
-- Microsoft-Windows-TWinUI*
-- Microsoft/Windows/AppReadiness*
-- Microsoft/Windows/AppXDeployment*
-- Microsoft-Windows-PushNotification-Platform/Operational
-- Microsoft-Windows-CoreApplication/Operational
-- Microsoft-Windows-ShellCommon-StartLayoutPopulation*
-- Microsoft-Windows-CloudStore*
-
-
-- Check for crashes that may be related to Start (explorer.exe, taskbar, and so on)
-  - Application log event 1000, 1001
-  - Check WER reports
-    - C:\ProgramData\Microsoft\Windows\WER\ReportArchive\
-    - C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\
-    
-If there is a component of Start that is consistently crashing, capture a dump that can be reviewed by Microsoft Support.
-
-## Common errors and mitigation
-
-The following list provides information about common errors you might run into with Start Menu, as well as steps to help you mitigate them.
-
-### Symptom: Start Menu doesn't respond on Windows 2012 R2, Windows 10, or Windows 2016
-
-**Cause**: Background Tasks Infrastructure Service (BrokerInfrastructure) service is not started.
-
-**Resolution**: Ensure that Background Tasks Infrastructure Service is set to automatic startup in Services MMC.
-
-If Background Tasks Infrastructure Service fails to start, verify that the Power Dependency Coordinator Driver (PDC) driver and registry key are not disabled or deleted. If either are missing, restore from backup or the installation media.
-
-To verify the PDC Service, run `C:\>sc query pdc` in a command prompt. The results will be similar to the following:
-
->SERVICE_NAME: pdc
->TYPE          : 1 KERNEL_DRIVER
->STATE          : 4 RUNNING
->  (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
->WIN32_EXIT_CODE     : 0 (0x0)
->SERVICE_EXIT_CODE    : 0 (0x0)
->CHECKPOINT       : 0x0
->WAIT_HINT        : 0x0
-
-The PDC service uses pdc.sys located in the %WinDir%\system32\drivers.
-
-The PDC registry key is:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdc`
-**Description**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-101"
-**DisplayName**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-100"
-**ErrorControl**=dword:00000003
-**Group**="Boot Bus Extender"
-**ImagePath**=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
- 72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,64,00,63,00,2e,00,73,00,79,\
- 00,73,00,00,00
-**Start**=dword:00000000
-**Type**=dword:00000001
-
-In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC does not load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu.
-
-Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC shouldn't be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu.
-
->[!NOTE]
->You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p).
-
-
-### Symptom: After upgrading from 1511 to 1607 versions of Windows, the Group Policy "Remove All Programs list from the Start Menu" may not work
-
-**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply.
-
-**Resolution**: This issue was resolved in the June 2017 updates. Update Windows 10, version 1607, to the latest cumulative or feature updates.
-
->[!NOTE]
->When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**.
-
-
-### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
-
-:::image type="content" alt-text="Screenshots that show download icons on app tiles and missing app tiles." source="images/start-ts-2.png" lightbox="images/start-ts-2.png":::
-
-**Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps.
-
-**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334)
-
-### Symptom: When attempting to customize Start Menu layout, the customizations do not apply or results are not expected
-
-**Cause**: There are two main reasons for this issue:
-
-- Incorrect format: Editing the xml file incorrectly by adding an extra space or spaces, entering a bad character, or saving in the wrong format.
-  - To tell if the format is incorrect, check for **Event ID: 22** in the "Applications and Services\Microsoft\Windows\ShellCommon-StartLayoutPopulation\Operational" log.
-  - Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml.
-  - When editing the xml file, it should be saved in UTF-8 format.
-
-- Unexpected information: This occurs when possibly trying to add a tile via an unexpected or undocumented method.
-  - **Event ID: 64** is logged when the xml is valid but has unexpected values.
-  - For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema.
-
-XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy
-
-### Symptom: Start menu no longer works after a PC is refreshed using F12 during startup 
-
-**Description**: If a user is having problems with a PC, it can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at startup. Refreshing the PC finishes, but Start Menu is not accessible.
-
-**Cause**: This issue is known and was resolved in a cumulative update released August 30, 2018. 
-
-**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142).
-
-### Symptom: The All Apps list is missing from Start menu
-
-**Cause**: “Remove All Programs list from the Start menu" Group Policy is enabled.
-
-**Resolution**: Disable the “Remove All Programs list from the Start menu" Group Policy.
-
-### Symptom: Tiles are missing from the Start Menu when using Windows 10, version 1703 or older, Windows Server 2016, and Roaming User Profiles with a Start layout
-
-**Description**: There are two different Start Menu issues in Windows 10:
-- Administrator configured tiles in the start layout fail to roam.
-- User-initiated changes to the start layout are not roamed.
-
-Specifically, behaviors include
-- Applications (apps or icons) pinned to the start menu are missing.
-- Entire tile window disappears.
-- The start button fails to respond.
-- If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing.
-
-
-![Example of a working layout.](images/start-ts-3.png)
-
-*Working layout on first sign-in of a new roaming user profile*
-
-![Example of a failing layout.](images/start-ts-4.png)
-
-*Failing layout on subsequent sign-ins*
-
-
-**Cause**: A timing issue exists where the Start Menu is ready before the data is pulled locally from the Roaming User Profile. The issue does not occur on first logons of a new roaming user, as the code path is different and slower.
-
-**Resolution**: This issue has been resolved in Windows 10, versions 1703 and 1607, cumulative updates [as of March 2017](https://support.microsoft.com/help/4013429).
-
-
-### Symptom: Start Menu layout customizations are lost after upgrading to Windows 10, version 1703
-
-**Description**:
-
-Before the upgrade:
- 
-  ![Example of Start screen with customizations applied.](images/start-ts-5.jpg)
-
-After the upgrade the user pinned tiles are missing:
-
-  ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png)
- 
-Additionally, users may see blank tiles if sign-in was attempted without network connectivity.
-
-  ![Example of blank tiles.](images/start-ts-7.png)
- 
-
-**Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
-
-### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown
-
-**Resolution** The April 2018 LCU must be applied to Windows 10, version 1709 before a user logs on. 
-
-### Symptom: Start Menu and/or Taskbar layout customizations are not applied if CopyProfile option is used in an answer file during Sysprep
-
-**Resolution**: CopyProfile is no longer supported when attempting to customize Start Menu or taskbar with a layoutmodification.xml.
-
-### Symptom: Start Menu issues with Tile Data Layer corruption 
-
-**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. (The feature was deprecated in [Windows 10 1703](/windows/deployment/planning/windows-10-removed-features).) 
-
-**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed.
-
-1. The App or Apps work fine when you select the tiles.
-2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information.
-3. The app is missing, but listed as installed via PowerShell and works if you launch via URI.
-   - Example: `windows-feedback://`
-4. In some cases, Start can be blank, and Action Center and Cortana do not launch.
-
->[!Note]
->Corruption recovery removes any manual pins from Start. Apps should still be visible, but you’ll need to re-pin any secondary tiles and/or pin app tiles to the main Start view. Aps that you have installed that are completely missing from “all apps” is unexpected, however. That implies the re-registration didn’t work.
-
-Open a command prompt, and run the following command:
-
-```console
-C:\Windows\System32\tdlrecover.exe -reregister -resetlayout -resetcache
-```
-
-Although a reboot is not required, it may help clear up any residual issues after the command is run.
-
-### Symptoms: Start Menu and Apps cannot start after upgrade to Windows 10 version 1809 when Symantec Endpoint Protection is installed
-
-**Description**: Start menu, Search, and Apps do not start after you upgrade a computer running Windows 7 that has Symantec Endpoint Protection installed to Windows 10 version 1809.
-
-**Cause**: This problem occurs because of a failure to load sysfer.dll.  During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules.
-
-**Resolution** This issue was fixed by the Windows Cumulative Update that were released on December 5, 2018—KB4469342 (OS Build 17763.168).
-
-If you have already encountered this issue, use one of the following two options to fix the issue:
-
-**Option 1** Remove sysfer.dll from system32 folder and copy it back. Windows will set privilege automatically.
-
-**Option 2** 
-
-1. Locate the directory C:\Windows\system32.
-
-2. Right-click on sysfer.dll and choose **Properties**.
-
-3. Switch to the **Security** tab.
-
-4. Confirm that **All Application Packages** group is missing.
-
-5. Select **Edit**, and then select **Add** to add the group.
-
-6. Test Start and other Apps.
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 4d719d63a3..be361db92b 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -1,7 +1,7 @@
 ---
 title: Start layout XML for desktop editions of Windows 10 (Windows 10)
 description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions.
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
@@ -9,7 +9,7 @@ ms.date: 10/02/2018
 ms.reviewer: 
 manager: aaroncz
 ms.localizationpriority: medium
-ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Start layout XML for desktop editions of Windows 10 (reference)
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 23f838107a..8ff898fb1d 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -1,13 +1,14 @@
 ---
 title: Add image for secondary Microsoft Edge tiles (Windows 10)
 description: Add app tiles on Windows 10 that's a secondary tile.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.reviewer: 
 manager: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Add image for secondary Microsoft Edge tiles 
@@ -68,7 +69,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
 
     In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
 
-    Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet does not append the file name extension, and the policy settings require the extension.
+    Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet doesn't append the file name extension, and the policy settings require the extension.
 
 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
    - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` 
@@ -82,13 +83,13 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
 
 ## Configure policy settings
 
-You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you are including the images for secondary tiles, you must configure an additional setting to import the Edge assets.
+You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you're including the images for secondary tiles, you must configure another setting to import the Edge assets.
 
 ### Using MDM
 
 In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 3. Enter the following properties:
 
@@ -132,7 +133,7 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce
 
 2. Copy the contents of assets.xml into an online tool that escapes characters.
 
-3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project. 
+3. When you create a provisioning package, you'll copy the text with the escape characters and paste it in the customizations.xml file for your project. 
 
 #### Create a provisioning package that contains a customized Start layout
 
@@ -146,22 +147,22 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 2. Choose **Advanced provisioning**.
 
-3. Name your project, and click **Next**.
+3. Name your project, and select **Next**.
 
-4. Choose **All Windows desktop editions** and click **Next**.
+4. Choose **All Windows desktop editions** and select **Next**.
 
-5. On **New project**, click **Finish**. The workspace for your package opens.
+5. On **New project**, select **Finish**. The workspace for your package opens.
 
-6. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and click **StartLayout**.
+6. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and select **StartLayout**.
 
    >[!TIP]
    >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
 
-7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
+7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the layout.xml file in a later step.
 
 8. In the **Available customizations** pane, select **ImportEdgeAssets**.
 
-9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the assets.xml file in a later step.
+9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you'll replace with the contents of the assets.xml file in a later step.
 
 10. Save your project and close Windows Configuration Designer.
 
@@ -191,22 +192,22 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
     -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
 
-21. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
+21. Select **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
 
-    Optionally, you can click **Browse** to change the default output location.
+    Optionally, you can select **Browse** to change the default output location.
 
-22. Click **Next**.
+22. Select **Next**.
 
-23. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+23. Select **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
 
-    If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+    If you need to cancel the build, select **Cancel**. It cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
 
 24. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
 
     If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
 
-    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
-    -   If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+    -   If you choose, you can build the provisioning package again and pick a different path for the output package. To change the path, select **Back** to change the output package name and path, and then select **Next** to start another build.
+    -   If you're done, select **Finish** to close the wizard and go back to the **Customizations Page**.
 
 25. Copy the provisioning package to the target device.
 
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 03338078f4..3ebc98f62f 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -3,63 +3,63 @@ title: Configure access to Microsoft Store (Windows 10)
 description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 4/16/2018
+ms.date: 11/29/2022
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Configure access to Microsoft Store
 
+**Applies to:**
 
-**Applies to**
+- Windows 10
 
--   Windows 10
-
->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
+> [!TIP]
+> For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
 
 IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store.
 
-> [!Important]
+> [!IMPORTANT]
 > All executable code including Microsoft Store applications should have an update and maintenance plan.  Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date.
 
 ## Options to configure access to Microsoft Store
 
-You can use these tools to configure access to Microsoft Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition.
+You can use either AppLocker or Group Policy to configure access to Microsoft Store. For Windows 10, configuring access to Microsoft Store is only supported on Windows 10 Enterprise edition.
 
-## <a href="" id="block-store-applocker"></a>Block Microsoft Store using AppLocker
-
-Applies to: Windows 10 Enterprise, Windows 10 Education
+## Block Microsoft Store using AppLocker
 
+Applies to: Windows 10 Enterprise, Windows 10 Education
 
 AppLocker provides policy-based access control management for applications. You can block access to Microsoft Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Microsoft Store app as the packaged app that you want to block from client computers.
 
 For more information on AppLocker, see [What is AppLocker?](/windows/device-security/applocker/what-is-applocker) For more information on creating an AppLocker rule for app packages, see [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps).
 
-**To block Microsoft Store using AppLocker**
+**To block Microsoft Store using AppLocker:**
 
-1.  Type secpol in the search bar to find and start AppLocker.
+1. Enter **`secpol`** in the search bar to find and start AppLocker.
 
-2.  In the console tree of the snap-in, click **Application Control Policies**, click **AppLocker**, and then click **Packaged app Rules**.
+2. In the console tree of the snap-in, select **Application Control Policies**, select **AppLocker**, and then select **Packaged app Rules**.
 
-3.  On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**.
+3. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
 
-4.  On **Before You Begin**, click **Next**.
+4. On **Before You Begin**, select **Next**.
 
-5.  On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**.
+5. On **Permissions**, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
 
-6.  On **Publisher**, you can select **Use an installed app package as a reference**, and then click **Select**.
+6. On **Publisher**, you can select **Use an installed app package as a reference**, and then select **Select**.
 
-7.  On **Select applications**, find and click **Store** under **Applications** column, and then click **OK**. Click **Next**.
+7. On **Select applications**, find and select **Store** under **Applications** column, and then select **OK**. Select **Next**.
 
     [Create a rule for packaged apps](/windows/device-security/applocker/create-a-rule-for-packaged-apps) has more information on reference options and setting the scope on packaged app rules.
 
-8.  Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
+8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. Conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
 
-## <a href="" id="block-store-csp"></a>Block Microsoft Store using configuration service provider
+## Block Microsoft Store using configuration service provider
 
 Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
 
@@ -72,53 +72,51 @@ For more information, see [Configure an MDM provider](/microsoft-store/configure
 
 For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
 
+> [!IMPORTANT]
+> If you block access to the Store using CSP, you need to also configure [AllowAppStoreAutoUpdate](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate) to enable in-box store apps to update while still blocking access to the store.
 
-## <a href="" id="block-store-group-policy"></a>Block Microsoft Store using Group Policy
+## Block Microsoft Store using Group Policy
 
+Applies to: Windows 10 Enterprise, Windows 10 Education
 
-Applies to: Windows 10 Enterprise, Windows 10 Education 
-
-> [!Note]
+> [!NOTE]
 > Not supported on Windows 10 Pro, starting with version 1511. For more info, see [Knowledge Base article #3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
 
 You can also use Group Policy to manage access to Microsoft Store.
 
-**To block Microsoft Store using Group Policy**
+**To block Microsoft Store using Group Policy:**
 
-1.  Type gpedit in the search bar to find and start Group Policy Editor.
+1. Enter **`gpedit`** in the search bar to find and start Group Policy Editor.
 
-2.  In the console tree of the snap-in, click **Computer Configuration**, click **Administrative Templates**, click **Windows Components**, and then click **Store**.
+2. In the console tree of the snap-in, select **Computer Configuration**, select **Administrative Templates**, select **Windows Components**, and then select **Store**.
 
-3.  In the Setting pane, click **Turn off the Store application**, and then click **Edit policy setting**.
+3. In the Setting pane, select **Turn off the Store application**, and then select **Edit policy setting**.
 
-4.  On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**.
+4. On the **Turn off the Store application** setting page, select **Enabled**, and then select **OK**.
 
-> [!Important]
-> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This configuration allows in-box store apps to update while still blocking access to the store.
+> [!IMPORTANT]
+> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This policy is found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store**. This configuration allows in-box store apps to update while still blocking access to the store.
 
-## Show private store only using Group Policy 
+## Show private store only using Group Policy
 
-Applies to Windows 10 Enterprise, Windows 10 Education
+Applies to Windows 10 Enterprise, Windows 10 Education
 
-If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. 
+If you're using Microsoft Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Microsoft Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
 
-**To show private store only in Microsoft Store app**
+**To show private store only in Microsoft Store app:**
 
-1. Type **gpedit** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
+1. Enter **`gpedit`** in the search bar, and then select **Edit group policy (Control panel)** to find and start Group Policy Editor.
 
-2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
+2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then select **Store**.
 
-3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and click **Edit**.
+3. Right-click **Only display the private store within the Microsoft Store app** in the right pane, and select **Edit**.
 
-    This opens the **Only display the private store within the Microsoft Store app** policy settings.
+    The **Only display the private store within the Microsoft Store app** policy settings will open.
 
-4. On the **Only display the private store within the Microsoft Store app** setting page, click **Enabled**, and then click **OK**.
+4. On the **Only display the private store within the Microsoft Store app** setting page, select **Enabled**, and then select **OK**.
 
-## Related topics
+## Related articles
 
 [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store)
 
 [Manage access to private store](/microsoft-store/manage-access-to-private-store)
-
-
- 
diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md
index 4f791b62a0..684b35d6f3 100644
--- a/windows/configuration/supported-csp-start-menu-layout-windows.md
+++ b/windows/configuration/supported-csp-start-menu-layout-windows.md
@@ -4,9 +4,10 @@ description: See a list of the Policy CSP - Start items that are supported on Wi
 manager: aaroncz
 ms.author: lizlong
 ms.reviewer: ericpapa
-ms.prod: w11
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
+ms.technology: itpro-configure
 ---
 
 # Supported configuration service provider (CSP) policies for Windows 11 Start menu
@@ -16,7 +17,7 @@ ms.localizationpriority: medium
 - Windows 11
 - Windows 11, version 22H2
 
-The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
+The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
 
 This article lists the CSPs that are available to customize the Start menu for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
 
diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md
index da0f246bc9..c094fb12f9 100644
--- a/windows/configuration/supported-csp-taskbar-windows.md
+++ b/windows/configuration/supported-csp-taskbar-windows.md
@@ -4,9 +4,10 @@ description: See a list of the Policy CSP - Start items that are supported on Wi
 manager: aaroncz
 ms.author: lizlong
 ms.reviewer: chataylo
-ms.prod: w11
+ms.prod: windows-client
 author: lizgt2000
 ms.localizationpriority: medium
+ms.technology: itpro-configure
 ---
 
 # Supported configuration service provider (CSP) policies for Windows 11 taskbar
@@ -15,7 +16,7 @@ ms.localizationpriority: medium
 
 - Windows 11
 
-The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices.
+The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices.
 
 This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start).
 
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index 4f970289fa..b72c7c7f8d 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -2,12 +2,13 @@
 title: Administering UE-V with Windows PowerShell and WMI
 description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Administering UE-V with Windows PowerShell and WMI
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index 0a76ddcdb0..ba28b638f1 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -2,12 +2,13 @@
 title: Administering UE-V
 description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Administering UE-V
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 3a98106d0c..e33519a625 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -2,12 +2,13 @@
 title: Application Template Schema Reference for UE-V
 description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Application Template Schema Reference for UE-V
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index f9a1b5f123..627c8b1414 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -2,12 +2,13 @@
 title: Changing the Frequency of UE-V Scheduled Tasks
 description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Changing the Frequency of UE-V Scheduled Tasks
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index 249336440f..9367276244 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -2,12 +2,13 @@
 title: Configuring UE-V with Group Policy Objects
 description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Configuring UE-V with Group Policy Objects
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index 4377246f93..2f4dadd57a 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -1,21 +1,22 @@
 ---
-title: Configuring UE-V with Microsoft Endpoint Configuration Manager
-description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager. 
+title: Configuring UE-V with Microsoft Configuration Manager
+description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Configuration Manager.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
-# Configuring UE-V with Microsoft Endpoint Manager 
+# Configuring UE-V with Microsoft Configuration Manager 
 
 **Applies to**
 -   Windows 10, version 1607
 
-After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
 
 ## UE-V Configuration Pack supported features
 
@@ -185,7 +186,7 @@ To distribute a new Notepad template, you would perform these steps:
 
 4.  Import the generated CAB file into ConfigMgr using the console or PowerShell Import-CMBaseline.
 
-## Related topics
+## Related articles
 
 
 [Manage Configurations for UE-V](uev-manage-configurations.md)
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index efe3834122..f58d68f203 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -2,12 +2,13 @@
 title: Deploy required UE-V features
 description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Deploy required UE-V features
@@ -29,7 +30,7 @@ To get up and running with User Experience Virtualization (UE-V), install and co
 
     With Windows 10, version 1607, UE-V is installed automatically. You need to enable the UE-V service on each user device you want to include in your UE-V environment.
 
-The topics in this section describe how to deploy these features.
+The articles in this section describe how to deploy these features.
 
 ## Deploy a UE-V Settings Storage Location
 
@@ -114,7 +115,7 @@ You can configure UE-V before, during, or after you enable the UE-V service on u
 
     Windows Server 2012 and Windows Server 2012 R2
 
--   [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+-   [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
 
 -   [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service.
 
@@ -154,7 +155,7 @@ With Windows 10, version 1607 and later, the UE-V service is installed on user d
 
 
 
-## Related topics
+## Related articles
 
 [Prepare a UE-V deployment](uev-prepare-for-deployment.md)
 
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 883ee35328..901c9451d1 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -2,12 +2,13 @@
 title: Use UE-V with custom applications
 description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Use UE-V with custom applications 
@@ -219,7 +220,7 @@ After you create a settings location template with the UE-V template generator,
 
 You can deploy settings location templates using of these methods:
 
--   An electronic software distribution (ESD) system such as Microsoft Endpoint Configuration Manager
+-   An electronic software distribution (ESD) system such as Microsoft Configuration Manager
 
 -   Group Policy preferences
 
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 75fab30ab1..8eb556d6e4 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -2,12 +2,13 @@
 title: User Experience Virtualization for Windows 10, version 1607
 description: Overview of User Experience Virtualization for Windows 10, version 1607
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 05/02/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # User Experience Virtualization (UE-V) for Windows 10 overview
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 39bbfe1418..825c7597c7 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -2,11 +2,12 @@
 title: Get Started with UE-V
 description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 03/08/2018
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
+ms.technology: itpro-configure
 ---
 
 # Get Started with UE-V
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 60b4b6dd82..9f62707fab 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -2,12 +2,13 @@
 title: Manage Administrative Backup and Restore in UE-V
 description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Manage Administrative Backup and Restore in UE-V
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md
index a8f2d63d6f..6f44c3f7ea 100644
--- a/windows/configuration/ue-v/uev-manage-configurations.md
+++ b/windows/configuration/ue-v/uev-manage-configurations.md
@@ -2,12 +2,13 @@
 title: Manage Configurations for UE-V
 description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Manage Configurations for UE-V
@@ -23,11 +24,11 @@ You can use Group Policy Objects to modify the settings that define how UE-V syn
 
 [Configuring UE-V with Group Policy Objects](uev-configuring-uev-with-group-policy-objects.md)
 
-## Configuring UE-V with Microsoft Endpoint Configuration Manager
+## Configuring UE-V with Microsoft Configuration Manager
 
 You can use Microsoft Endpoint Configuration Manager to manage the UE-V service by using the UE-V Configuration Pack.
 
-[Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
+[Configuring UE-V with Microsoft Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md)
 
 ## Administering UE-V with PowerShell and WMI
 
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index ba5bebadea..1ec2b72325 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -2,12 +2,13 @@
 title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
 description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index b6ebd53d9d..f6f4e14585 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -2,12 +2,13 @@
 title: Manage UE-V Service and Packages with Windows PowerShell and WMI
 description: Managing the UE-V service and packages with Windows PowerShell and WMI
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Managing the UE-V service and packages with Windows PowerShell and WMI
diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md
index 2716fc1659..39539183ca 100644
--- a/windows/configuration/ue-v/uev-migrating-settings-packages.md
+++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md
@@ -2,12 +2,13 @@
 title: Migrating UE-V settings packages
 description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Migrating UE-V settings packages
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index f44d3f47be..39acddadd3 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -2,12 +2,13 @@
 title: Prepare a UE-V Deployment
 description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Prepare a UE-V Deployment
@@ -15,7 +16,7 @@ ms.topic: article
 **Applies to**
 -   Windows 10, version 1607
 
-Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment you're planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic.
+Before you deploy User Experience Virtualization (UE-V), review this article for important information about the type of deployment you're planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this article.
 
 ## Plan your UE-V deployment
 
@@ -49,11 +50,11 @@ The workflow diagram below illustrates a typical UE-V deployment and the decisio
 
 ### Planning a UE-V deployment 
 
-Review the following topics to determine which UE-V components you'll be deploying.
+Review the following articles to determine which UE-V components you'll be deploying.
 
 -   [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications)
 
-    If you want to synchronize settings for custom applications, you'll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks:
+    If you want to synchronize settings for custom applications, you'll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involve the following tasks:
 
     -   Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment).
 
@@ -67,7 +68,7 @@ Review the following topics to determine which UE-V components you'll be deployi
 
 In a UE-V deployment, many settings are automatically synchronized. You can also customize UE-V to synchronize settings for other applications, such as line-of-business and third-party apps.
 
-Deciding if you want UE-V to synchronize settings for custom applications is an essential part of planning your UE-V deployment. The topics in this section will help you make that decision.
+Deciding if you want UE-V to synchronize settings for custom applications is an essential part of planning your UE-V deployment. The articles in this section will help you make that decision.
 
 ### Settings automatically synchronized in a UE-V deployment
 
@@ -152,11 +153,11 @@ As an administrator, when you consider which desktop applications to include in
 
 In general, you can synchronize settings that meet the following criteria:
 
--   Settings that are stored in user-accessible locations. For example, do not synchronize settings that are stored in System32 or outside the HKEY\_CURRENT\_USER (HKCU) section of the registry.
+-   Settings that are stored in user-accessible locations. For example, don't synchronize settings that are stored in System32 or outside the HKEY\_CURRENT\_USER (HKCU) section of the registry.
 
--   Settings that are not specific to the particular device. For example, exclude network shortcuts or hardware configurations.
+-   Settings that aren't specific to the particular device. For example, exclude network shortcuts or hardware configurations.
 
--   Settings that can be synchronized between computers without risk of corrupted data. For example, do not use settings that are stored in a database file.
+-   Settings that can be synchronized between computers without risk of corrupted data. For example, don't use settings that are stored in a database file.
 
 ### Checklist for evaluating custom applications
 
@@ -199,7 +200,7 @@ Many enterprise applications, including Microsoft Outlook, Lync, and Skype for B
 
 UE-V can synchronize enterprise credentials, but doesn't roam credentials intended only for use on the local device.
 
-Credentials are synchronous settings, meaning that they're applied to users' profiles the first time they log on to their devices after UE-V synchronizes.
+Credentials are synchronous settings, meaning that they're applied to users' profiles the first time they sign in to their devices after UE-V synchronizes.
 
 Credentials synchronization is managed by its own settings location template, which is disabled by default. You can enable or disable this template through the same methods used for other templates. The template identifier for this feature is RoamingCredentialSettings.
 
@@ -232,7 +233,7 @@ Copy
 
 3.  If this policy is enabled, you can enable credentials synchronization by checking the **Roaming Credentials** check box, or disable credentials synchronization by unchecking it.
 
-4.  Click **OK**.
+4.  Select **OK**.
 
 ### Credential locations synchronized by UE-V
 
@@ -264,9 +265,9 @@ For more information, see the [Windows Application List](uev-managing-settings-l
 
 If you're deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
 
-Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
+Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
 
-For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with Microsoft Endpoint Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md).
+For more information about custom settings location templates, see [Deploy UE-V with custom applications](uev-deploy-uev-for-custom-applications.md). For more information about using UE-V with Configuration Manager, see [Configuring UE-V with Microsoft Configuration Manager](uev-configuring-uev-with-system-center-configuration-manager.md).
 
 ### Prevent unintentional user settings configuration
 
@@ -274,7 +275,7 @@ UE-V downloads new user settings information from a settings storage location an
 
 -   Each time an application is started that has a registered UE-V template
 
--   When a user logs on to a device
+-   When a user signs in to a device
 
 -   When a user unlocks a device
 
@@ -304,7 +305,7 @@ The UE-V settings storage location and settings template catalog support storing
 
 -   Format the storage volume with an NTFS file system.
 
--   The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see:
+-   The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) isn't supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see:
 
     - [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles)
     
@@ -359,7 +360,7 @@ The UE-V service synchronizes user settings for devices that aren't always conne
 
 Enable this configuration using one of these methods:
 
-- After you enable the UE-V service, use the Settings Management feature in Microsoft Endpoint Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration.
+- After you enable the UE-V service, use the Settings Management feature in Microsoft Configuration Manager or the UE-V ADMX templates (installed with Windows 10, version 1607) to push the SyncMethod = None configuration.
 
 - Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the SyncMethod = None configuration.
 
diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md
index 743b218e4a..b68e1eb3fe 100644
--- a/windows/configuration/ue-v/uev-release-notes-1607.md
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md
@@ -2,12 +2,13 @@
 title: User Experience Virtualization (UE-V) Release Notes
 description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that isn't included in the UE-V documentation.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # User Experience Virtualization (UE-V) Release Notes
diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md
index d6c504b837..4029c2a043 100644
--- a/windows/configuration/ue-v/uev-security-considerations.md
+++ b/windows/configuration/ue-v/uev-security-considerations.md
@@ -2,12 +2,13 @@
 title: Security Considerations for UE-V
 description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Security Considerations for UE-V
diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md
index 0bfc613f89..ddd0e4181c 100644
--- a/windows/configuration/ue-v/uev-sync-methods.md
+++ b/windows/configuration/ue-v/uev-sync-methods.md
@@ -2,12 +2,13 @@
 title: Sync Methods for UE-V
 description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Sync Methods for UE-V
diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md
index a396907df5..6ffa1e76ff 100644
--- a/windows/configuration/ue-v/uev-sync-trigger-events.md
+++ b/windows/configuration/ue-v/uev-sync-trigger-events.md
@@ -2,12 +2,13 @@
 title: Sync Trigger Events for UE-V
 description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Sync Trigger Events for UE-V
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 56ff1970cc..20bedf9737 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -2,12 +2,13 @@
 title: Synchronizing Microsoft Office with UE-V
 description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Synchronizing Office with UE-V
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md
index f5a9059d3e..1050b221b6 100644
--- a/windows/configuration/ue-v/uev-technical-reference.md
+++ b/windows/configuration/ue-v/uev-technical-reference.md
@@ -2,12 +2,13 @@
 title: Technical Reference for UE-V
 description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Technical Reference for UE-V
diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md
index 3bf804b17d..d5be7f7710 100644
--- a/windows/configuration/ue-v/uev-troubleshooting.md
+++ b/windows/configuration/ue-v/uev-troubleshooting.md
@@ -2,12 +2,13 @@
 title: Troubleshooting UE-V
 description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Troubleshooting UE-V
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 226fe3c440..5f5127f7ea 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -2,12 +2,13 @@
 title: Upgrade to UE-V for Windows 10
 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Upgrade to UE-V for Windows 10
diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
index 0396b91e54..951c1b4ff0 100644
--- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
+++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
@@ -2,12 +2,13 @@
 title: Using UE-V with Application Virtualization applications
 description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V).
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index a0b47df0de..facd3330f3 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -2,12 +2,13 @@
 title: What's New in UE-V for Windows 10, version 1607
 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # What's new in UE-V
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index f857c6ac20..0eaaa0f658 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -2,12 +2,13 @@
 title: Working with Custom UE-V Templates and the UE-V Template Generator
 description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
 author: aczechowski
-ms.prod: w10
+ms.prod: windows-client
 ms.date: 04/19/2017
 ms.reviewer: 
 manager: dougeby
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 
diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md
index 98aa47fcb1..2e7840f541 100644
--- a/windows/configuration/wcd/wcd-accountmanagement.md
+++ b/windows/configuration/wcd/wcd-accountmanagement.md
@@ -1,7 +1,7 @@
 ---
 title: AccountManagement (Windows 10)
 description: This section describes the account management settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # AccountManagement (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index 0186f5e66f..43031314a1 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -1,7 +1,7 @@
 ---
 title: Accounts (Windows 10)
 description: This section describes the account settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Accounts (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index 80e83844b0..b393f8b184 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -1,7 +1,7 @@
 ---
 title: ADMXIngestion (Windows 10)
 description: This section describes the ADMXIngestion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # ADMXIngestion (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index f7c184e359..be108dc758 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -1,7 +1,7 @@
 ---
 title: AssignedAccess (Windows 10)
 description: This section describes the AssignedAccess setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # AssignedAccess (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index df8f60051d..37887f4c3d 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -1,7 +1,7 @@
 ---
 title: Browser (Windows 10)
 description: This section describes the Browser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 10/02/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Browser (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index f2f39286c3..af88e9f060 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -1,7 +1,7 @@
 ---
 title: CellCore (Windows 10)
 description: This section describes the CellCore settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 10/02/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # CellCore (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index d0a091f53f..0f7cbab6bd 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -3,11 +3,12 @@ title: Cellular (Windows 10)
 ms.reviewer: 
 manager: dougeby
 description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Cellular (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
index 02b779a5db..0fac2bb393 100644
--- a/windows/configuration/wcd/wcd-certificates.md
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -1,7 +1,7 @@
 ---
 title: Certificates (Windows 10)
 description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Certificates (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md
index 7fae1e2c06..b826e3cbbe 100644
--- a/windows/configuration/wcd/wcd-changes.md
+++ b/windows/configuration/wcd/wcd-changes.md
@@ -3,11 +3,12 @@ title: Changes to settings in Windows Configuration Designer (Windows 10)
 ms.reviewer: 
 manager: dougeby
 description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Changes to settings in Windows Configuration Designer
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
index fdcbf1dd2a..7c9b872efe 100644
--- a/windows/configuration/wcd/wcd-cleanpc.md
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -1,7 +1,7 @@
 ---
 title: CleanPC (Windows 10)
 description: This section describes the CleanPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # CleanPC (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 4468f64eee..e8fb9cfb34 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -1,7 +1,7 @@
 ---
 title: Connections (Windows 10)
 description: This section describes the Connections settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Connections (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index 21f4e49131..1692de1889 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -1,7 +1,7 @@
 ---
 title: ConnectivityProfiles (Windows 10)
 description: This section describes the ConnectivityProfile settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # ConnectivityProfiles (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md
index 2d326165c7..e008f9285f 100644
--- a/windows/configuration/wcd/wcd-countryandregion.md
+++ b/windows/configuration/wcd/wcd-countryandregion.md
@@ -1,7 +1,7 @@
 ---
 title: CountryAndRegion (Windows 10)
 description: This section describes the CountryAndRegion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # CountryAndRegion (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
index dccfa2bfd8..4c51c6e3ef 100644
--- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
+++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md
@@ -1,7 +1,7 @@
 ---
 title: DesktopBackgroundAndColors (Windows 10)
 description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/21/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # DesktopBackgroundAndColors (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index 62715da105..496b0b07bd 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -1,7 +1,7 @@
 ---
 title: DeveloperSetup (Windows 10)
 description: This section describes the DeveloperSetup settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # DeveloperSetup (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md
index a643a6b0f5..be7bfcda42 100644
--- a/windows/configuration/wcd/wcd-deviceformfactor.md
+++ b/windows/configuration/wcd/wcd-deviceformfactor.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceFormFactor (Windows 10)
 description: This section describes the DeviceFormFactor setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # DeviceFormFactor (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 0eba4cd0e2..b7f1546197 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -1,7 +1,7 @@
 ---
 title: DeviceManagement (Windows 10)
 description: This section describes the DeviceManagement setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # DeviceManagement (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md
index 83bb19007c..716237d02e 100644
--- a/windows/configuration/wcd/wcd-deviceupdatecenter.md
+++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md
@@ -1,12 +1,13 @@
 ---
 title: DeviceUpdateCenter (Windows 10)
 description: This section describes the DeviceUpdateCenter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # DeviceUpdateCenter (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index 1154e1643c..7c7fe21043 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -1,7 +1,7 @@
 ---
 title: DMClient (Windows 10)
 description: This section describes the DMClient setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # DMClient (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index 114234aa5d..c2261d1d6c 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -1,7 +1,7 @@
 ---
 title: EditionUpgrade (Windows 10)
 description: This section describes the EditionUpgrade settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # EditionUpgrade (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md
index a31d1cddcb..ed8813b347 100644
--- a/windows/configuration/wcd/wcd-firewallconfiguration.md
+++ b/windows/configuration/wcd/wcd-firewallconfiguration.md
@@ -1,7 +1,7 @@
 ---
 title: FirewallConfiguration (Windows 10)
 description: This section describes the FirewallConfiguration setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # FirewallConfiguration (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index 2f607deb18..317e860a92 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -1,7 +1,7 @@
 ---
 title: FirstExperience
 description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 08/08/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # FirstExperience (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md
index e45a67e31a..d65f38e718 100644
--- a/windows/configuration/wcd/wcd-folders.md
+++ b/windows/configuration/wcd/wcd-folders.md
@@ -1,7 +1,7 @@
 ---
 title: Folders (Windows 10)
 description: This section describes the Folders settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Folders (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
index db0317ff32..6e0bfbe99c 100644
--- a/windows/configuration/wcd/wcd-hotspot.md
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -1,7 +1,7 @@
 ---
 title: HotSpot (Windows 10)
 description: This section describes the HotSpot settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 12/18/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # HotSpot (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md
index 0f38069d39..d1904f8a39 100644
--- a/windows/configuration/wcd/wcd-kioskbrowser.md
+++ b/windows/configuration/wcd/wcd-kioskbrowser.md
@@ -1,7 +1,7 @@
 ---
 title: KioskBrowser (Windows 10)
 description: This section describes the KioskBrowser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 10/02/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # KioskBrowser (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md
index 5e1385d91a..7308c531a1 100644
--- a/windows/configuration/wcd/wcd-licensing.md
+++ b/windows/configuration/wcd/wcd-licensing.md
@@ -1,7 +1,7 @@
 ---
 title: Licensing (Windows 10)
 description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Licensing (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md
index 65d0cf04b9..fe920d9f7c 100644
--- a/windows/configuration/wcd/wcd-location.md
+++ b/windows/configuration/wcd/wcd-location.md
@@ -1,13 +1,14 @@
 ---
 title: Location (Windows 10)
 description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Location (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index fa05e3ac5d..1f30e55191 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -1,13 +1,14 @@
 ---
 title: Maps (Windows 10)
 description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Maps (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md
index 4d50550dee..92226ac222 100644
--- a/windows/configuration/wcd/wcd-networkproxy.md
+++ b/windows/configuration/wcd/wcd-networkproxy.md
@@ -1,13 +1,14 @@
 ---
 title: NetworkProxy (Windows 10)
 description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # NetworkProxy (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md
index 46d1804745..50a9d20da9 100644
--- a/windows/configuration/wcd/wcd-networkqospolicy.md
+++ b/windows/configuration/wcd/wcd-networkqospolicy.md
@@ -1,13 +1,14 @@
 ---
 title: NetworkQoSPolicy (Windows 10)
 description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # NetworkQoSPolicy (Windows Configuration Designer reference)
@@ -20,7 +21,7 @@ Use to create network Quality of Service (QoS) policies. A QoS policy performs a
 | --- | :---: | :---: | :---: | :---: |
 | All settings |   | ✔️ |  |  |
 
-1. In **Available customizations**, select **NetworkQ0SPolicy**, enter a friendly name for the account, and then click **Add**.
+1. In **Available customizations**, select **NetworkQoSPolicy**, enter a friendly name for the account, and then click **Add**.
 2. In **Available customizations**, select the name that you just created. The following table describes the settings you can configure. 
 
 | Setting | Description |
diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md
index f885d27c0e..589cf36452 100644
--- a/windows/configuration/wcd/wcd-oobe.md
+++ b/windows/configuration/wcd/wcd-oobe.md
@@ -3,11 +3,12 @@ title: OOBE (Windows 10)
 ms.reviewer: 
 manager: dougeby
 description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # OOBE (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md
index ecd6a488c9..69693eeb45 100644
--- a/windows/configuration/wcd/wcd-personalization.md
+++ b/windows/configuration/wcd/wcd-personalization.md
@@ -1,13 +1,14 @@
 ---
 title: Personalization (Windows 10)
 description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Personalization (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 59377ff9bc..c76f9e2459 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -3,11 +3,12 @@ title: Policies (Windows 10)
 ms.reviewer: 
 manager: dougeby
 description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Policies (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md
index 827c8bad55..73836d589b 100644
--- a/windows/configuration/wcd/wcd-privacy.md
+++ b/windows/configuration/wcd/wcd-privacy.md
@@ -1,12 +1,13 @@
 ---
 title: Privacy (Windows 10)
 description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Privacy (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index fe6ca80426..1015406211 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -1,7 +1,7 @@
 ---
 title: ProvisioningCommands (Windows 10)
 description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # ProvisioningCommands (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md
index c132d4bdc1..f0574a44c2 100644
--- a/windows/configuration/wcd/wcd-sharedpc.md
+++ b/windows/configuration/wcd/wcd-sharedpc.md
@@ -1,7 +1,7 @@
 ---
 title: SharedPC
 description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 10/16/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # SharedPC (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md
index c3e15932b1..5f29ebedfd 100644
--- a/windows/configuration/wcd/wcd-smisettings.md
+++ b/windows/configuration/wcd/wcd-smisettings.md
@@ -1,7 +1,7 @@
 ---
 title: SMISettings (Windows 10)
 description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 03/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # SMISettings (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md
index 04bbf138fd..098c9bbb9c 100644
--- a/windows/configuration/wcd/wcd-start.md
+++ b/windows/configuration/wcd/wcd-start.md
@@ -1,7 +1,7 @@
 ---
 title: Start (Windows 10)
 description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Start (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md
index ad8220553a..7ebe657816 100644
--- a/windows/configuration/wcd/wcd-startupapp.md
+++ b/windows/configuration/wcd/wcd-startupapp.md
@@ -1,7 +1,7 @@
 ---
 title: StartupApp (Windows 10)
 description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # StartupApp (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
index dba45f6c55..0ef9b010e5 100644
--- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md
+++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md
@@ -1,7 +1,7 @@
 ---
 title: StartupBackgroundTasks (Windows 10)
 description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # StartupBackgroundTasks (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
index 83269cd2b6..6a133d5a59 100644
--- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
+++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md
@@ -1,12 +1,13 @@
 ---
 title: StorageD3InModernStandby (Windows 10)
 description: This section describes the StorageD3InModernStandby settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # StorageD3InModernStandby (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md
index 5e2b059925..12bd766d54 100644
--- a/windows/configuration/wcd/wcd-surfacehubmanagement.md
+++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md
@@ -1,7 +1,7 @@
 ---
 title: SurfaceHubManagement (Windows 10)
 description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # SurfaceHubManagement (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 7c8c7a37e3..15758077ad 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -1,7 +1,7 @@
 ---
 title: TabletMode (Windows 10)
 description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # TabletMode (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md
index b4843fdb7b..1def53b033 100644
--- a/windows/configuration/wcd/wcd-takeatest.md
+++ b/windows/configuration/wcd/wcd-takeatest.md
@@ -1,7 +1,7 @@
 ---
 title: TakeATest (Windows 10)
 description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 09/06/2017
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # TakeATest (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md
index c2a766d169..f7017ef138 100644
--- a/windows/configuration/wcd/wcd-time.md
+++ b/windows/configuration/wcd/wcd-time.md
@@ -1,12 +1,13 @@
 ---
 title: Time (Windows 10)
 description: This section describes the Time settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # Time
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index 8c8c8648db..d402e1ceb6 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -1,13 +1,14 @@
 ---
 title: UnifiedWriteFilter (Windows 10)
 description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # UnifiedWriteFilter (reference)
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index f62e4299e3..cb622f51e2 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -1,13 +1,14 @@
 ---
 title: UniversalAppInstall (Windows 10)
 description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # UniversalAppInstall (reference)
diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md
index 690bfc3ea4..45e82deba6 100644
--- a/windows/configuration/wcd/wcd-universalappuninstall.md
+++ b/windows/configuration/wcd/wcd-universalappuninstall.md
@@ -1,13 +1,14 @@
 ---
 title: UniversalAppUninstall (Windows 10)
 description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # UniversalAppUninstall (reference)
diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
index 1c9909507e..de2cdfc24b 100644
--- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md
+++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md
@@ -1,13 +1,14 @@
 ---
 title: UsbErrorsOEMOverride (Windows 10)
 description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # UsbErrorsOEMOverride (reference)
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index 676df2efed..dfd1c1ee93 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -1,13 +1,14 @@
 ---
 title: WeakCharger (Windows 10)
 description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # WeakCharger (reference)
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index f42e48ac49..5abe841a5c 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -1,13 +1,14 @@
 ---
 title: WindowsHelloForBusiness (Windows 10)
 description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # WindowsHelloForBusiness (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index 51e2f55a43..9255158400 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -1,13 +1,14 @@
 ---
 title: WindowsTeamSettings (Windows 10)
 description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # WindowsTeamSettings (reference)
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index 2709497450..c6df66ef0f 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -3,11 +3,12 @@ title: WLAN (Windows 10)
 ms.reviewer: 
 manager: dougeby
 description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-configure
 ---
 
 # WLAN (reference)
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index ee8d4e0bc6..2055154e19 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -1,7 +1,7 @@
 ---
 title: Workplace (Windows 10)
 description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.topic: article
 ms.date: 04/30/2018
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Workplace (reference)
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index 6fb2f329ca..0cd1afaa90 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -1,13 +1,14 @@
 ---
 title: Windows Configuration Designer provisioning settings (Windows 10)
 description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.reviewer: 
 manager: dougeby
+ms.technology: itpro-configure
 ---
 
 # Windows Configuration Designer provisioning settings (reference)
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 11028a1ef0..eec297b628 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -3,13 +3,14 @@ title: Customize and manage the Windows 10 Start and taskbar layout  (Windows 10
 description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 08/05/2021
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Customize the Start menu and taskbar layout on Windows 10 and later devices
diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md
index cbd0e23756..e019375c50 100644
--- a/windows/configuration/windows-accessibility-for-ITPros.md
+++ b/windows/configuration/windows-accessibility-for-ITPros.md
@@ -10,9 +10,9 @@ manager: aaroncz
 ms.localizationpriority: medium
 ms.date: 09/20/2022
 ms.topic: reference
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
 ---
 
 # Accessibility information for IT professionals
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index fcf7dec824..b9bfa40f0f 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -3,13 +3,14 @@ title: Configure Windows Spotlight on the lock screen (Windows 10)
 description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.author: lizlong
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 04/30/2018
 ms.collection: highpri
+ms.technology: itpro-configure
 ---
 
 # Configure Windows Spotlight on the lock screen
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index c89317ccc0..4ac1a97b0f 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -62,16 +62,11 @@
         - name: Features removed or planned for replacement
           items:
             - name: Windows client features lifecycle
-              href: planning/features-lifecycle.md
-            - name: Features we're no longer developing
-              items:
-                - name: Windows deprecated features
-                  href: planning/windows-10-deprecated-features.md
-            - name: Features we removed
-              items:
-                - name: Windows features removed
-                  href: planning/windows-10-removed-features.md       
-
+              href: /windows/whats-new/feature-lifecycle?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+            - name: Deprecated features
+              href: /windows/whats-new/deprecated-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+            - name: Removed features
+              href: /windows/whats-new/removed-features?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json   
     - name: Prepare
       items: 
         - name: Prepare for Windows 11
@@ -182,129 +177,135 @@
               href: update/waas-wufb-group-policy.md
             - name: 'Walkthrough: use Intune to configure Windows Update for Business'
               href: update/deploy-updates-intune.md
-        - name: Monitor Windows client updates
+    - name: Monitor
+      items:
+      - name: Windows Update for Business reports
+        items:
+        - name: Windows Update for Business reports overview
+          href: update/wufb-reports-overview.md     
+        - name: Enable Windows Update for Business reports
+          items: 
+          - name: Windows Update for Business reports prerequisites
+            href: update/wufb-reports-prerequisites.md
+          - name: Enable Windows Update for Business reports
+            href: update/wufb-reports-enable.md                                
+          - name: Configure clients with a script
+            href: update/wufb-reports-configuration-script.md
+          - name: Configure clients manually
+            href: update/wufb-reports-configuration-manual.md
+          - name: Configure clients with Microsoft Intune
+            href: update/wufb-reports-configuration-intune.md 
+        - name: Use Windows Update for Business reports
           items:
-          - name: Monitor with Update Compliance (preview version)
-            items:
-            - name: Update Compliance overview
-              href: update/update-compliance-v2-overview.md     
-            - name: Enable Update Compliance (preview)
-              items: 
-              - name: Update Compliance prerequisites
-                href: update/update-compliance-v2-prerequisites.md
-              - name: Enable the Update Compliance solution
-                href: update/update-compliance-v2-enable.md                                
-              - name: Configure clients with a script
-                href: update/update-compliance-v2-configuration-script.md
-              - name: Configure clients manually
-                href: update/update-compliance-v2-configuration-manual.md
-              - name: Configure clients with Microsoft Endpoint Manager
-                href: update/update-compliance-v2-configuration-mem.md 
-            - name: Use Update Compliance (preview)
-              items:
-              - name: Update Compliance workbook
-                href: update/update-compliance-v2-workbook.md
-              - name: Software updates in the Microsoft admin center (preview)
-                href: update/update-status-admin-center.md                                
-              - name: Use Update Compliance data
-                href: update/update-compliance-v2-use.md                                
-              - name: Feedback, support, and troubleshooting 
-                href: update/update-compliance-v2-help.md                                               
-            - name: Update Compliance schema reference (preview)
-              items:
-              - name: Update Compliance schema reference
-                href: update/update-compliance-v2-schema.md
-              - name: UCClient
-                href: update/update-compliance-v2-schema-ucclient.md
-              - name: UCClientReadinessStatus
-                href: update/update-compliance-v2-schema-ucclientreadinessstatus.md               
-              - name: UCClientUpdateStatus
-                href: update/update-compliance-v2-schema-ucclientupdatestatus.md
-              - name: UCDeviceAlert
-                href: update/update-compliance-v2-schema-ucdevicealert.md                                
-              - name: UCServiceUpdateStatus
-                href: update/update-compliance-v2-schema-ucserviceupdatestatus.md
-              - name: UCUpdateAlert
-                href: update/update-compliance-v2-schema-ucupdatealert.md                                                                         
-          - name: Monitor updates with Update Compliance
-            href: update/update-compliance-monitor.md
-            items:
-            - name: Get started
-              items: 
-              - name: Get started with Update Compliance
-                href: update/update-compliance-get-started.md
-              - name: Update Compliance configuration script
-                href: update/update-compliance-configuration-script.md
-              - name: Manually configuring devices for Update Compliance
-                href: update/update-compliance-configuration-manual.md
-              - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager
-                href: update/update-compliance-configuration-mem.md
-            - name: Update Compliance monitoring
-              items: 
-              - name: Use Update Compliance
-                href: update/update-compliance-using.md
-              - name: Need attention report
-                href: update/update-compliance-need-attention.md
-              - name: Security update status report
-                href: update/update-compliance-security-update-status.md
-              - name: Feature update status report
-                href: update/update-compliance-feature-update-status.md
-              - name: Safeguard holds report
-                href: update/update-compliance-safeguard-holds.md
-              - name: Delivery Optimization in Update Compliance
-                href: update/update-compliance-delivery-optimization.md
-              - name: Data handling and privacy in Update Compliance
-                href: update/update-compliance-privacy.md
-            - name: Schema reference
-              items:
-              - name: Update Compliance schema reference
-                href: update/update-compliance-schema.md
-              - name: WaaSUpdateStatus
-                href: update/update-compliance-schema-waasupdatestatus.md
-              - name: WaaSInsiderStatus
-                href: update/update-compliance-schema-waasinsiderstatus.md
-              - name: WaaSDeploymentStatus
-                href: update/update-compliance-schema-waasdeploymentstatus.md
-              - name: WUDOStatus
-                href: update/update-compliance-schema-wudostatus.md
-              - name: WUDOAggregatedStatus
-                href: update/update-compliance-schema-wudoaggregatedstatus.md
-        - name: Troubleshooting
+          - name: Windows Update for Business reports workbook
+            href: update/wufb-reports-workbook.md
+          - name: Software updates in the Microsoft 365 admin center
+            href: update/wufb-reports-admin-center.md                                
+          - name: Use Windows Update for Business reports data
+            href: update/wufb-reports-use.md                                
+          - name: Feedback, support, and troubleshooting 
+            href: update/wufb-reports-help.md                                               
+        - name: Windows Update for Business reports schema reference
           items:
-            - name: Resolve upgrade errors
-              items:
-                - name: Resolve Windows client upgrade errors
-                  href: upgrade/resolve-windows-10-upgrade-errors.md
-                - name: Quick fixes
-                  href: /troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
-                - name: SetupDiag
-                  href: upgrade/setupdiag.md
-                - name: Troubleshooting upgrade errors
-                  href: /troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
-                - name: Windows error reporting
-                  href: upgrade/windows-error-reporting.md
-                - name: Upgrade error codes
-                  href: /troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
-                - name: Log files
-                  href: upgrade/log-files.md
-                - name: Resolution procedures
-                  href: /troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
-                - name: Submit Windows client upgrade errors
-                  href: upgrade/submit-errors.md
-            - name: Troubleshoot Windows Update
-              items:
-                - name: How to troubleshoot Windows Update
-                  href: /troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
-                - name: Opt out of safeguard holds
-                  href: update/safeguard-opt-out.md
-                - name: Determine the source of Windows Updates
-                  href: ./update/how-windows-update-works.md
-                - name: Common Windows Update errors
-                  href: /troubleshoot/windows-client/deployment/common-windows-update-errors?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
-                - name: Windows Update error code reference
-                  href: update/windows-update-error-reference.md
-                - name: Troubleshoot the Windows Update for Business deployment service
-                  href: update/deployment-service-troubleshoot.md
+          - name: Windows Update for Business reports schema reference
+            href: update/wufb-reports-schema.md
+          - name: UCClient
+            href: update/wufb-reports-schema-ucclient.md
+          - name: UCClientReadinessStatus
+            href: update/wufb-reports-schema-ucclientreadinessstatus.md               
+          - name: UCClientUpdateStatus
+            href: update/wufb-reports-schema-ucclientupdatestatus.md
+          - name: UCDeviceAlert
+            href: update/wufb-reports-schema-ucdevicealert.md
+          - name: UCDOAggregatedStatus
+            href: update/wufb-reports-schema-ucdoaggregatedstatus.md      
+          - name: UCDOStatus
+            href: update/wufb-reports-schema-ucdostatus.md                              
+          - name: UCServiceUpdateStatus
+            href: update/wufb-reports-schema-ucserviceupdatestatus.md
+          - name: UCUpdateAlert
+            href: update/wufb-reports-schema-ucupdatealert.md                                                                         
+      - name: Monitor updates with Update Compliance
+        href: update/update-compliance-monitor.md
+        items:
+        - name: Get started
+          items: 
+          - name: Get started with Update Compliance
+            href: update/update-compliance-get-started.md
+          - name: Update Compliance configuration script
+            href: update/update-compliance-configuration-script.md
+          - name: Manually configuring devices for Update Compliance
+            href: update/update-compliance-configuration-manual.md
+          - name: Configuring devices for Update Compliance in Microsoft Intune
+            href: update/update-compliance-configuration-mem.md
+        - name: Update Compliance monitoring
+          items: 
+          - name: Use Update Compliance
+            href: update/update-compliance-using.md
+          - name: Need attention report
+            href: update/update-compliance-need-attention.md
+          - name: Security update status report
+            href: update/update-compliance-security-update-status.md
+          - name: Feature update status report
+            href: update/update-compliance-feature-update-status.md
+          - name: Safeguard holds report
+            href: update/update-compliance-safeguard-holds.md
+          - name: Delivery Optimization in Update Compliance
+            href: update/update-compliance-delivery-optimization.md
+          - name: Data handling and privacy in Update Compliance
+            href: update/update-compliance-privacy.md
+        - name: Schema reference
+          items:
+          - name: Update Compliance schema reference
+            href: update/update-compliance-schema.md
+          - name: WaaSUpdateStatus
+            href: update/update-compliance-schema-waasupdatestatus.md
+          - name: WaaSInsiderStatus
+            href: update/update-compliance-schema-waasinsiderstatus.md
+          - name: WaaSDeploymentStatus
+            href: update/update-compliance-schema-waasdeploymentstatus.md
+          - name: WUDOStatus
+            href: update/update-compliance-schema-wudostatus.md
+          - name: WUDOAggregatedStatus
+            href: update/update-compliance-schema-wudoaggregatedstatus.md
+    - name: Troubleshooting
+      items:
+      - name: Resolve upgrade errors
+        items:
+        - name: Resolve Windows client upgrade errors
+          href: upgrade/resolve-windows-10-upgrade-errors.md
+        - name: Quick fixes
+          href: /troubleshoot/windows-client/deployment/windows-10-upgrade-quick-fixes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+        - name: SetupDiag
+          href: upgrade/setupdiag.md
+        - name: Troubleshooting upgrade errors
+          href: /troubleshoot/windows-client/deployment/windows-10-upgrade-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+        - name: Windows error reporting
+          href: upgrade/windows-error-reporting.md
+        - name: Upgrade error codes
+          href: /troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+        - name: Log files
+          href: upgrade/log-files.md
+        - name: Resolution procedures
+          href: /troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+        - name: Submit Windows client upgrade errors
+          href: upgrade/submit-errors.md
+      - name: Troubleshoot Windows Update
+        items:
+        - name: How to troubleshoot Windows Update
+          href: /troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+        - name: Opt out of safeguard holds
+          href: update/safeguard-opt-out.md
+        - name: Determine the source of Windows Updates
+          href: ./update/how-windows-update-works.md
+        - name: Windows Update security
+          href: ./update/windows-update-security.md                  
+        - name: Common Windows Update errors
+          href: /troubleshoot/windows-client/deployment/common-windows-update-errors?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
+        - name: Windows Update error code reference
+          href: update/windows-update-error-reference.md
+        - name: Troubleshoot the Windows Update for Business deployment service
+          href: update/deployment-service-troubleshoot.md
 
     - name: Reference
       items:
@@ -434,7 +435,7 @@
         
                 - name: User State Migration Tool (USMT) technical reference
                   items:
-                    - name: USMT overview topics
+                    - name: USMT overview articles
                       items:
                         - name: USMT overview
                           href: usmt/usmt-overview.md
@@ -442,7 +443,7 @@
                           href: usmt/getting-started-with-the-user-state-migration-tool.md
                         - name: Windows upgrade and migration considerations
                           href: upgrade/windows-upgrade-and-migration-considerations.md
-                    - name: USMT How-to topics
+                    - name: USMT How-to articles
                       items:
                         - name: Exclude Files and Settings
                           href: usmt/usmt-exclude-files-and-settings.md
@@ -460,18 +461,6 @@
                           href: usmt/usmt-reroute-files-and-settings.md
                         - name: Verify the Condition of a Compressed Migration Store
                           href: usmt/verify-the-condition-of-a-compressed-migration-store.md
-                        - name: USMT Troubleshooting
-                          href: usmt/usmt-troubleshooting.md
-                        - name: Common Issues
-                          href: usmt/usmt-common-issues.md
-                        - name: Frequently Asked Questions
-                          href: usmt/usmt-faq.yml
-                        - name: Log Files
-                          href: usmt/usmt-log-files.md
-                        - name: Return Codes
-                          href: usmt/usmt-return-codes.md
-                        - name: USMT Resources
-                          href: usmt/usmt-resources.md
         
                     - name: USMT Reference
                       items:
@@ -539,7 +528,22 @@
                           href: usmt/usmt-xml-elements-library.md
                         - name: Offline Migration Reference
                           href: usmt/offline-migration-reference.md
-        
+
+                    - name: Troubleshoot USMT
+                      items:
+                        - name: USMT Troubleshooting
+                          href: usmt/usmt-troubleshooting.md
+                        - name: USMT Common Issues
+                          href: /troubleshoot/windows-client/deployment/usmt-common-issues
+                        - name: USMT Frequently Asked Questions
+                          href: usmt/usmt-faq.yml
+                        - name: USMT Log Files
+                          href: usmt/usmt-log-files.md
+                        - name: USMT Return Codes
+                          href: /troubleshoot/windows-client/deployment/usmt-return-codes
+                        - name: USMT Resources
+                          href: usmt/usmt-resources.md
+
             - name: Application Compatibility Toolkit (ACT) Technical Reference
               items:
                 - name: SUA User's Guide
diff --git a/windows/deployment/Windows-AutoPilot-EULA-note.md b/windows/deployment/Windows-AutoPilot-EULA-note.md
index 1b7ef3ad3b..674bd00551 100644
--- a/windows/deployment/Windows-AutoPilot-EULA-note.md
+++ b/windows/deployment/Windows-AutoPilot-EULA-note.md
@@ -1,19 +1,20 @@
 ---
 title: Windows Autopilot EULA dismissal – important information
 description: A notice about EULA dismissal through Windows Autopilot
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-ms.date: 08/22/2017
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+ms.date: 11/23/2022
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ROBOTS: NOINDEX
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 # Windows Autopilot EULA dismissal – important information
 
->[!IMPORTANT]
->The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
+> [!IMPORTANT]
+> The information below isn't the EULA. It is a notice of awareness to the administrator that's configuring to skip End User License Agreement (EULA) during the OOBE (Out-of-Box Experience).
 
 Using this tool allows you to configure individual installations of Windows on devices managed by your organization. You may choose to suppress or hide certain set-up screens that are normally presented to users when setting up Windows, including the EULA acceptance screen.  
 
diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md
index ba83569cc0..1d67fee4df 100644
--- a/windows/deployment/add-store-apps-to-image.md
+++ b/windows/deployment/add-store-apps-to-image.md
@@ -1,79 +1,91 @@
 ---
 title: Add Microsoft Store for Business applications to a Windows 10 image
 description: This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
+author: frankroj
+ms.author: frankroj
 ms.reviewer: 
-manager: dougeby
+manager: aaroncz
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Add Microsoft Store for Business applications to a Windows 10 image
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
-This topic describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. This will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
+This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. Adding Microsoft Store for Business applications to a Windows 10 image will enable you to deploy Windows 10 with pre-installed Microsoft Store for Business apps.
 
->[!IMPORTANT]
->In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
+> [!IMPORTANT]
+> In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
 
 ## Prerequisites
 
-* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
+- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md) for the tools required to mount and edit Windows images.
 
-* Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app). 
-* A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
+- Download an offline signed app package and license of the application you would like to add through [Microsoft Store for Business](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app).
+- A Windows Image. For instructions on image creation, see [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md).
 
->[!NOTE]
+> [!NOTE]
 > If you'd like to add an internal LOB Microsoft Store application, please follow the instructions on **[Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)**.
 
 ## Adding a Store application to your image
 
 On a machine where your image file is accessible:
+
 1. Open Windows PowerShell with administrator privileges.
-2. Mount the image. At the Windows PowerShell prompt, type:
+
+2. Mount the image. At the Windows PowerShell prompt, enter:
 `Mount-WindowsImage -ImagePath c:\images\myimage.wim -Index 1 -Path C:\test`
-3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, type:
+
+3. Use the Add-AppxProvisionedPackage cmdlet in Windows PowerShell to preinstall the app. Use the /PackagePath option to specify the location of the Store package and /LicensePath to specify the location of the license .xml file. In Windows PowerShell, enter:
 `Add-AppxProvisionedPackage -Path C:\test -PackagePath C:\downloads\appxpackage -LicensePath C:\downloads\appxpackage\license.xml`
 
->[!NOTE]
->Paths and file names are examples. Use your paths and file names where appropriate.
+> [!NOTE]
+> Paths and file names are examples. Use your paths and file names where appropriate.
 >
->Do not dismount the image, as you will return to it later.
+> Do not dismount the image, as you will return to it later.
 
 ## Editing the Start Layout
 
 In order for Microsoft Store for Business applications to persist after image deployment, these applications need to be pinned to Start prior to image deployment.
 
 On a test machine:
+
 1. **Install the Microsoft Store for Business application you previously added** to your image.
+
 2. **Pin these apps to the Start screen**, by typing the name of the app, right-clicking and selecting **Pin to Start**.
+
 3. Open Windows PowerShell with administrator privileges.
+
 4. Use `Export-StartLayout -path <path><file name>.xml` where *\<path>\<file name>* is the path and name of the xml file your will later import into your Windows Image.
+
 5. Copy the XML file you created to a location accessible by the machine you previously used to add Store applications to your image.
 
 Now, on the machine where your image file is accessible:
-1. Import the Start layout. At the Windows PowerShell prompt, type: 
+
+1. Import the Start layout. At the Windows PowerShell prompt, enter:
 `Import-StartLayout -LayoutPath "<path><file name>.xml" -MountPath "C:\test\"`
-2. Save changes and dismount the image. At the Windows PowerShell prompt, type:
+
+2. Save changes and dismount the image. At the Windows PowerShell prompt, enter:
 `Dismount-WindowsImage -Path c:\test -Save`
 
->[!NOTE]
->Paths and file names are examples. Use your paths and file names where appropriate.
+> [!NOTE]
+> Paths and file names are examples. Use your paths and file names where appropriate.
 >
->For more information on Start customization see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization)
+> For more information on Start customization, see [Windows 10 Start Layout Customization](/archive/blogs/deploymentguys/windows-10-start-layout-customization)
 
+## Related articles
 
-## Related topics
-* [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
-* [Export-StartLayout](/powershell/module/startlayout/export-startlayout)
-* [Import-StartLayout](/powershell/module/startlayout/import-startlayout)
-* [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)
-* [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-* [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-* [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
+- [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout)
+- [Export-StartLayout](/powershell/module/startlayout/export-startlayout)
+- [Import-StartLayout](/powershell/module/startlayout/import-startlayout)
+- [Sideload line of business (LOB) apps in Windows client devices](/windows/application-management/sideload-apps-in-windows-10)
+- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+- [Windows Assessment and Deployment Kit (Windows ADK)](windows-adk-scenarios-for-it-pros.md)
diff --git a/windows/deployment/breadcrumb/toc.yml b/windows/deployment/breadcrumb/toc.yml
index a43252b7e8..3cb4555445 100644
--- a/windows/deployment/breadcrumb/toc.yml
+++ b/windows/deployment/breadcrumb/toc.yml
@@ -9,4 +9,16 @@ items:
     items:
     - name: Deployment
       tocHref: /troubleshoot/windows-client/deployment/
+      topicHref: /windows/deployment/
+
+- name: Learn
+  tocHref: /
+  topicHref: /
+  items:
+  - name: Windows
+    tocHref: /windows/
+    topicHref: /windows/resources/
+    items:
+    - name: Deployment
+      tocHref: /windows/whats-new
       topicHref: /windows/deployment/
\ No newline at end of file
diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
index a4360e4aa4..3dbdf7eef2 100644
--- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
+++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md
@@ -1,27 +1,28 @@
 ---
 title: Configure a PXE server to load Windows PE (Windows 10)
-description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. 
-ms.prod: w10
+description: This article describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network.
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: frankroj
+manager: aaroncz
+ms.author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Configure a PXE server to load Windows PE
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
-This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network.
+This walkthrough describes how to configure a PXE server to load Windows PE by booting a client computer from the network. Using the Windows PE tools and a Windows 10 image file, you can install Windows 10 from the network.
 
 ## Prerequisites
 
-- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) and the Windows PE add-on with ADK installed.
+- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) and the Windows PE add-on with ADK installed.
 - A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required.
 - A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download.
 - A file server: A server hosting a network file share.
@@ -30,113 +31,128 @@ All four of the roles specified above can be hosted on the same computer or each
 
 ## Step 1: Copy Windows PE source files
 
-1. On the deployment computer, click **Start**, and type **deployment**.
+1. On the deployment computer, select **Start**, and type **deployment**.
 
-2. Right-click **Deployment and Imaging Tools Environment** and then click **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools.
+2. Right-click **Deployment and Imaging Tools Environment** and then select **Run as administrator**. The Deployment and Imaging Tools Environment shortcut opens a Command Prompt window and automatically sets environment variables to point to all the necessary tools.
 
-3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **&lt;architecture&gt;** can be **x86**, **amd64**, or **arm** and **&lt;destination&gt;** is a path to a local directory. If the directory doesn't already exist, it will be created.
+3. Run the following command to copy the base Windows PE files into a new folder. The script requires two arguments: hardware architecture and destination location. The value of **&lt;architecture&gt;** can be **x86**, **amd64**, or **arm** and **&lt;destination&gt;** is a path to a local directory. If the directory doesn't already exist, it will be created.
 
-    ```
+    ```cmd
     copype.cmd <architecture> <destination>
     ```
 
     For example, the following command copies **amd64** architecture files to the **C:\winpe_amd64** directory:
 
-    ```
+    ```cmd
     copype.cmd amd64 C:\winpe_amd64
     ```
 
     The script creates the destination directory structure and copies all the necessary files for that architecture. In the previous example, the following directories are created:
-    
-    ```
+
+    ```cmd
     C:\winpe_amd64
     C:\winpe_amd64\fwfiles
     C:\winpe_amd64\media
     C:\winpe_amd64\mount
     ```
-4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example.
 
+4. Mount the base Windows PE image (winpe.wim) to the \mount directory using the DISM tool. Mounting an image file unpacks the file contents into a folder so that you can make changes directly or by using tools such as DISM. See the following example.
+
+    ```cmd
+    dism.exe /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
     ```
-    Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
-    ```
-    Verify that "The operation completed successfully" is displayed. Note: To view currently mounted images, type **dism /get-MountedWiminfo**. 
+
+    Verify that the message **The operation completed successfully** is displayed.
+
+    > [!NOTE]
+    > To view currently mounted images, enter **`dism.exe /get-MountedWiminfo`**.
 
 5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of **\\\PXE-1\TFTPRoot**:
 
-    ```
-    net use y: \\PXE-1\TFTPRoot
+    ```cmd
+    net.exe use y: \\PXE-1\TFTPRoot
     y:
     md Boot
     ```
+
 6. Copy the PXE boot files from the mounted directory to the \boot folder. For example:
 
-    ```
+    ```cmd
     copy c:\winpe_amd64\mount\windows\boot\pxe\*.* y:\Boot
     ```
-7.  Copy the boot.sdi file to the PXE/TFTP server.
 
-    ```
+7. Copy the boot.sdi file to the PXE/TFTP server.
+
+    ```cmd
     copy C:\winpe_amd64\media\boot\boot.sdi y:\Boot
     ```
-8.  Copy the bootable Windows PE image (boot.wim) to the \boot folder.
 
-    ```
+8. Copy the bootable Windows PE image (boot.wim) to the \boot folder.
+
+    ```cmd
     copy C:\winpe_amd64\media\sources\boot.wim y:\Boot
     ```
-9. (Optional) Copy true type fonts to the \boot folder
 
-    ```
+9. (Optional) Copy TrueType fonts to the \boot folder
+
+    ```cmd
     copy C:\winpe_amd64\media\Boot\Fonts y:\Boot\Fonts
     ```
 
 ## Step 2: Configure boot settings and copy the BCD file
 
-1.  Create a BCD store using bcdedit.exe:
+1. Create a BCD store using bcdedit.exe:
 
+    ```cmd
+    bcdedit.exe /createstore c:\BCD
     ```
-    bcdedit /createstore c:\BCD
-    ```
-2.  Configure RAMDISK settings:
 
+2. Configure RAMDISK settings:
+
+    ```cmd
+    bcdedit.exe /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
+    bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
+    bcdedit.exe /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi
+    bcdedit.exe /store c:\BCD /create /d "winpe boot image" /application osloader
     ```
-    bcdedit /store c:\BCD /create {ramdiskoptions} /d "Ramdisk options"
-    bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdidevice boot
-    bcdedit /store c:\BCD /set {ramdiskoptions} ramdisksdipath \Boot\boot.sdi
-    bcdedit /store c:\BCD /create /d "winpe boot image" /application osloader
-    ```
+
     The last command will return a GUID, for example:
-    ```
+
+    ```console
     The entry {a4f89c62-2142-11e6-80b6-00155da04110} was successfully created. 
     ```
+
     Copy this GUID for use in the next set of commands. In each command shown, replace "GUID1" with your GUID.
 
-3.  Create a new boot application entry for the Windows PE image:
+3. Create a new boot application entry for the Windows PE image:
 
+    ```cmd
+    bcdedit.exe /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} 
+    bcdedit.exe /store c:\BCD /set {GUID1} path \windows\system32\winload.exe 
+    bcdedit.exe /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} 
+    bcdedit.exe /store c:\BCD /set {GUID1} systemroot \windows
+    bcdedit.exe /store c:\BCD /set {GUID1} detecthal Yes
+    bcdedit.exe /store c:\BCD /set {GUID1} winpe Yes
     ```
-    bcdedit /store c:\BCD /set {GUID1} device ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} 
-    bcdedit /store c:\BCD /set {GUID1} path \windows\system32\winload.exe 
-    bcdedit /store c:\BCD /set {GUID1} osdevice ramdisk=[boot]\Boot\boot.wim,{ramdiskoptions} 
-    bcdedit /store c:\BCD /set {GUID1} systemroot \windows
-    bcdedit /store c:\BCD /set {GUID1} detecthal Yes
-    bcdedit /store c:\BCD /set {GUID1} winpe Yes
-    ```
-4.  Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID):
 
-    ```
-    bcdedit /store c:\BCD /create {bootmgr} /d "boot manager"
-    bcdedit /store c:\BCD /set {bootmgr} timeout 30 
-    bcdedit /store c:\BCD -displayorder {GUID1} -addlast
-    ```
-5.  Copy the BCD file to your TFTP server:
+4. Configure BOOTMGR settings (remember to replace GUID1 in the third command with your GUID):
 
+    ```cmd
+    bcdedit.exe /store c:\BCD /create {bootmgr} /d "boot manager"
+    bcdedit.exe /store c:\BCD /set {bootmgr} timeout 30 
+    bcdedit.exe /store c:\BCD -displayorder {GUID1} -addlast
     ```
+
+5. Copy the BCD file to your TFTP server:
+
+    ```cmd
     copy c:\BCD \\PXE-1\TFTPRoot\Boot\BCD
     ```
 
-Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
+Your PXE/TFTP server is now configured. You can view the BCD settings that have been configured using the command bcdedit.exe /store &lt;BCD file location&gt; /enum all. See the following example. Note: Your GUID will be different than the one shown below.
 
-```
-C:\>bcdedit /store C:\BCD /enum all
+```cmd
+C:\>bcdedit.exe /store C:\BCD /enum all
 Windows Boot Manager
 --------------------
 identifier              {bootmgr}
@@ -162,26 +178,46 @@ ramdisksdidevice        boot
 ramdisksdipath          \Boot\boot.sdi
 ```
 
->[!TIP]
->If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory.  In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. 
+> [!TIP]
+> If you start the PXE boot process, but receive the error **The boot configuration data for your PC is missing or contains error**, then verify that `\boot` directory is installed under the correct TFTP server root directory.  In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different.
 
 ## PXE boot process summary
 
 The following process summarizes the PXE client boot.
 
->The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)).
+<!--
 
-1.  A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server.
-2.  PXEboot.n12 immediately begins a network boot.
-3.  The client downloads boot\\bootmgr.exe and the boot\\BCD file from the TFTP server. Note: The BCD store must reside in the \\boot directory on the TFTP server and must be named BCD.
-5.  Bootmgr.exe reads the BCD operating system entries and downloads boot\\boot.sdi and the Windows PE image (boot\\boot.wim). Optional files that can also be downloaded include true type fonts (boot\\Fonts\\wgl4\_boot.ttf) and the hibernation state file (\\hiberfil.sys) if these files are present.
-6.  Bootmgr.exe starts Windows PE by calling winload.exe within the Windows PE image.
-7.  Windows PE loads, a command prompt opens and wpeinit.exe is run to initialize Windows PE.
-8.  The Windows PE client provides access to tools like imagex, diskpart, and bcdboot using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system.
+DHCP OPTIONS ARE NOT RECOMMENDED AND IN SOME SCENARIOS NOT SUPPORTED. SWITCHING TO IP HELPERS.
 
-## See Also 
+>The following assumes that you have configured DHCP option 67 (Bootfile Name) to `boot\PXEboot.n12` which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)).
 
+1. A client is directed by DHCP options 066 and 067 to download `boot\PXEboot.n12` from the TFTP server.
+-->
 
-### Concepts
+> [!NOTE]
+> The following assumes that the client and PXE server are on the same network/subnet/vlan or that PXE requests have been appropriately forwarded from the client to the PXE server using IP helpers configured in the router or switch. For more information about IP helpers, see [Configuring Your Router to Forward Broadcasts](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732351(v=ws.10)#configuring-your-router-to-forward-broadcasts-recommended).
+
+1. A client contacts the PXE server. When the client is on a different network/subnet/vlan as the PXE server, the client is routed to the PXE server using the IP helpers.
+
+2. The PXE server sends DHCP options 060 (client identifier **PXEClient**), 066 (boot server host name) and 067 (boot file name) to the client.
+
+3. The client downloads `boot\PXEboot.n12` from the TFTP server based on DHCP option 067 boot file name value received from the PXE server.
+
+4. `PXEboot.n12` immediately begins a network boot.
+
+5. The client downloads `boot\bootmgr.exe` and the `boot\BCD` file from the TFTP server.
+
+   > [!NOTE]
+   > The BCD store must reside in the `\boot` directory on the TFTP server and must be named BCD.
+
+6. `Bootmgr.exe` reads the BCD operating system entries and downloads `boot\boot.sdi` and the Windows PE image (`boot\boot.wim`). Optional files that can also be downloaded include TrueType fonts (`boot\Fonts\wgl4_boot.ttf`) and the hibernation state file (`\hiberfil.sys`) if these files are present.
+
+7. `Bootmgr.exe` starts Windows PE by calling `winload.exe` within the Windows PE image.
+
+8. Windows PE loads, a command prompt opens and `wpeinit.exe` is run to initialize Windows PE.
+
+9. The Windows PE client provides access to tools like `imagex.exe`, `diskpart.exe`, and `bcdboot.exe` using the Windows PE command prompt. With the help of these tools accompanied by a Windows 10 image file, the destination computer can be formatted properly to load a full Windows 10 operating system.
+
+### Related articles
 
 [Windows PE Walkthroughs](/previous-versions/windows/it-pro/windows-vista/cc748899(v=ws.10))
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index f06c1107d1..f19a79ea47 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -1,17 +1,18 @@
 ---
 title: Deploy Windows Enterprise licenses
 description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows Enterprise E3 or E5 subscription activation, or for Windows Enterprise E3 in CSP.
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
 ms.topic: how-to
 ms.collection: highpri
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+ms.date: 11/23/2022
 ---
 
 # Deploy Windows Enterprise licenses
@@ -227,7 +228,7 @@ Figure 11 illustrates a device on which the Windows 10 Pro is activated, but the
 
 Figure 11: Windows 10 Enterprise subscription lapsed or removed in Settings.
 
-It displays the following error: "Windows 10 Enterprise subscription is not valid."
+It displays the following error: "Windows 10 Enterprise subscription isn't valid."
 
 #### Device that's not activated and without an Enterprise subscription
 
@@ -251,7 +252,7 @@ Use the following procedures to review whether a particular device meets these r
 
 To determine if the computer has a firmware-embedded activation key, enter the following command at an elevated Windows PowerShell prompt:
 
-```PowerShell
+```powershell
 (Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
 ```
 
@@ -287,7 +288,7 @@ If a device isn't able to connect to Windows Update, it can lose activation stat
 
 - Make sure that the device doesn't have the following registry value: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations = 1 (REG_DWORD)`. If this registry value exists, it must be set to `0`.
 
-- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations.
+- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Don't connect to any Windows Update Internet locations.
 
 ## Virtual Desktop Access (VDA)
 
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 778cc5f140..ace17b1b9f 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -1,24 +1,26 @@
 ---
 title: Deploy Windows 10 with Microsoft 365
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.collection: M365-modern-desktop
 ms.custom: seo-marvel-apr2020
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Deploy Windows 10 with Microsoft 365
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
-This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
+This article provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
 
 [Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://www.microsoft.com/microsoft-365/office-365), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). See the [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster) for an overview.
 
@@ -27,46 +29,50 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
 - Windows Autopilot
 - In-place upgrade
 - Deploying Windows 10 upgrade with Intune
-- Deploying Windows 10 upgrade with Microsoft Endpoint Configuration Manager
-- Deploying a computer refresh with Microsoft Endpoint Configuration Manager
+- Deploying Windows 10 upgrade with Microsoft Configuration Manager
+- Deploying a computer refresh with Microsoft Configuration Manager
 
 ## Free trial account
 
-**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
+### If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center
 
 From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
 In the Enterprise Suites section of the service offerings, you'll find Microsoft 365 E3 and Microsoft 365 E5 tiles.
 There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
 
-**If you do not already have a Microsoft services subscription**
+### If you do not already have a Microsoft services subscription
 
-You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. 
+You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
 
->[!NOTE]
->If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
+> [!NOTE]
+> If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
 
 1. [Obtain a free Microsoft 365 trial](/microsoft-365/commerce/try-or-buy-microsoft-365).
 2. Check out the [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide).
-3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview). 
-
-That's all there's to it! 
+3. Also check out the [Windows Analytics deployment advisor](/mem/configmgr/desktop-analytics/overview). This advisor will walk you through deploying [Desktop Analytics](/mem/configmgr/desktop-analytics/overview).
 
 Examples of these two deployment advisors are shown below.
 
-- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
-- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
+- [Deploy Windows 10 with Microsoft 365](#deploy-windows-10-with-microsoft-365)
+  - [Free trial account](#free-trial-account)
+    - [If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center](#if-you-already-have-a-microsoft-services-subscription-account-and-access-to-the-microsoft-365-admin-center)
+    - [If you do not already have a Microsoft services subscription](#if-you-do-not-already-have-a-microsoft-services-subscription)
+  - [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
+  - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
+  - [Microsoft 365 Enterprise poster](#microsoft-365-enterprise-poster)
+  - [Related articles](#related-articles)
 
 ## Microsoft 365 deployment advisor example
+
 ![Microsoft 365 deployment advisor.](images/m365da.png)
 
 ## Windows Analytics deployment advisor example
 
-
 ## Microsoft 365 Enterprise poster
 
 [![Microsoft 365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)
 
-## Related Topics
+## Related articles
 
 [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)<br>
 [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 55f1a653a6..309fe14ba0 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -1,25 +1,26 @@
 ---
 title: What's new in Windows client deployment
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Use this article to learn about new solutions and online content related to deploying Windows in your organization.
 ms.localizationpriority: medium
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # What's new in Windows client deployment
 
-**Applies to:**
+*Applies to:*
+
 - Windows 10
 - Windows 11
 
-## In this topic
-
-This topic provides an overview of new solutions and online content related to deploying Windows client in your organization.
+This article provides an overview of new solutions and online content related to deploying Windows client in your organization.
 
 - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
 
@@ -30,18 +31,19 @@ When you deploy Windows 11 with Autopilot, you can enable users to view addition
 ## Windows 11
 
 Check out the following new articles about Windows 11:
+
 - [Overview of Windows 11](/windows/whats-new/windows-11)
 - [Plan for Windows 11](/windows/whats-new/windows-11-plan)
 - [Prepare for Windows 11](/windows/whats-new/windows-11-prepare)
 
 The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.<br>
 
-## Deployment tools 
+## Deployment tools
 
 [SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.<br>
 New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).<br>
 VPN support is added to [Windows Autopilot](#windows-autopilot)<br>
-An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).<br>
+An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).<br>
 The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.<br>
 
 ## The Modern Desktop Deployment Center
@@ -51,6 +53,7 @@ The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deploym
 ## Microsoft 365
 
 Microsoft 365 is a new offering from Microsoft that combines
+
 - Windows 10
 - Office 365
 - Enterprise Mobility and Security (EMS).
@@ -63,14 +66,15 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic
 
 Windows PowerShell cmdlets for Delivery Optimization have been improved:
 
-- **Get-DeliveryOptimizationStatus** has added the  **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationStatus** has added the  **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
 - **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
 - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
 
 Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md) include:
+
 - Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
 - Automatic cloud-based congestion detection is available for PCs with cloud service support.
-- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon!
+- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These policies now support Microsoft 365 Apps for enterprise updates and Intune content.
 
 The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
 
@@ -84,12 +88,13 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
 ### Windows Update for Business
 
 [Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
+
 - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
 - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
 
 - [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
 - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and run normally.
+- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
 - **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
 - **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
 - **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
@@ -125,7 +130,7 @@ The following Windows Autopilot features are available in Windows 10, version 19
 - Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
 - Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
 
-### Microsoft Endpoint Configuration Manager
+### Microsoft Configuration Manager
 
 An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
 
@@ -133,7 +138,7 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
 
 Windows 10 Education support has been added to Windows 10 Subscription Activation.
 
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
+With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
 
 ### SetupDiag
 
@@ -151,12 +156,11 @@ Upgrade Readiness helps you ensure that applications and drivers are ready for a
 
 The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
 
-For more information about Upgrade Readiness, see the following topics:
+For more information about Upgrade Readiness, see the following articles:
 
 - [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/)
 - [Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview)
 
-
 ### Update Compliance
 
 Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
@@ -203,13 +207,13 @@ For more information, see the following guides:
 
 - [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
 - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
 
 ## Troubleshooting guidance
 
-[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The article provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
 
-## Related topics
+## Related articles
 
 [Overview of Windows as a service](update/waas-overview.md)<br>
 [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/TOC.yml b/windows/deployment/deploy-windows-cm/TOC.yml
index f47a156a14..13d898e1b5 100644
--- a/windows/deployment/deploy-windows-cm/TOC.yml
+++ b/windows/deployment/deploy-windows-cm/TOC.yml
@@ -1,4 +1,4 @@
-- name: Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+- name: Deploy Windows 10 with Microsoft Configuration Manager
   items: 
     - name: Prepare for Windows 10 deployment with Configuration Manager
       items: 
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index af75531621..23b36c4d59 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -2,59 +2,68 @@
 title: Add a Windows 10 operating system image using Configuration Manager
 description: Operating system images are typically the production image used for deployment throughout the organization.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Add a Windows 10 operating system image using Configuration Manager
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
-Operating system images are typically the production image used for deployment throughout the organization. This topic shows you how to add a Windows 10 operating system image created with Microsoft Endpoint Configuration Manager, and how to distribute the image to a distribution point.
+Operating system images are typically the production image used for deployment throughout the organization. This article shows you how to add a Windows 10 operating system image created with Microsoft Configuration Manager, and how to distribute the image to a distribution point.
 
 ## Infrastructure
 
 For the purposes of this guide, we'll use one server computer: CM01.
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
 - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
 
 An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
->[!IMPORTANT]
->The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below.
+> [!IMPORTANT]
+> The procedures in this article require a reference image. Our reference images is named **REFW10-X64-001.wim**. If you have not already created a reference image, then perform all the steps in [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md) on CM01, replacing MDT01 with CM01. The final result will be a reference image located in the D:\MDTBuildLab\Captures folder that you can use for the procedure below.
 
- ## Add a Windows 10 operating system image
+## Add a Windows 10 operating system image
 
  On **CM01**:
 
-1.  Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
-2.  Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
+1. Using File Explorer, in the **`D:\Sources\OSD\OS`** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
+
+2. Copy the `REFW10-X64-001.wim` file to the **`D:\Sources\OSD\OS\Windows 10 Enterprise x64 RTM`** folder.
 
     ![figure 17.](../images/ref-image.png)
 
-    The Windows 10 image being copied to the Sources folder structure.
+    The Windows 10 image being copied to the Sources folder structure.
 
-3.  Using the Configuration Manager Console, in the Software Library workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
-4.  On the **Data Source** page, in the **Path:** text box, browse to \\\\CM01\\Sources$\\OSD\\OS\\Windows 10 Enterprise x64 RTM\\REFW10-X64-001.wim, select x64 next to Architecture and choose a language, then click **Next**.
-5.  On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**.
-6.  Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
-7.  In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
-8.  View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+3. Using the Configuration Manager Console, in the **Software Library** workspace, right-click **Operating System Images**, and select **Add Operating System Image**.
+
+4. On the **Data Source** page, in the **Path:** text box, browse to **`\\CM01\Sources$\OSD\OS\Windows 10 Enterprise x64 RTM\REFW10-X64-001.wim`**, select x64 next to Architecture and choose a language, then select **Next**.
+
+5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, select **Next** twice, and then select **Close**.
+
+6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**.
+
+7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**.
+
+8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file and look for the **STATMSG: ID=2301** line.
 
     ![figure 18.](../images/fig18-distwindows.png)
 
-    The distributed Windows 10 Enterprise x64 RTM package.
+    The distributed Windows 10 Enterprise x64 RTM package.
 
-Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md). 
+Next, see [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md).
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 1d57288f6f..feff4155ed 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -2,36 +2,39 @@
 title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
 description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
 
-**Applies to**
+*Applies to:*
 
-- Windows 10
+- Windows 10
 
-In this topic, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
+In this article, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system.
 
 For the purposes of this guide, we'll use one server computer: CM01.
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
 
  An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 ## Add drivers for Windows PE
 
-This section will show you how to import some network and storage drivers for Windows PE. 
+This section will show you how to import some network and storage drivers for Windows PE.
 
->[!NOTE]
->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need.  An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
+> [!NOTE]
+> Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need.  An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.
 
-This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
+This section assumes you've downloaded some drivers to the **`D:\Sources\OSD\DriverSources\WinPE x64`** folder on CM01.
 
 ![Drivers.](../images/cm01-drivers.png)
 
@@ -39,13 +42,19 @@ Driver folder structure on CM01
 
 On **CM01**:
 
-1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\WinPE x64** folder and click **Next**.
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **WinPE x64**, and then click **Next**.
-4. On the **Select the packages to add the imported driver** page, click **Next**.
-5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and click **Next**.
-6. In the popup window that appears, click **Yes** to automatically update the distribution point.
-7. Click **Next**, wait for the image to be updated, and then click **Close**.
+1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\WinPE x64`** folder and select **Next**.
+
+3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **WinPE x64**, and then select **Next**.
+
+4. On the **Select the packages to add the imported driver** page, select **Next**.
+
+5. On the **Select drivers to include in the boot image** page, select the **Zero Touch WinPE x64** boot image and select **Next**.
+
+6. In the popup window that appears, select **Yes** to automatically update the distribution point.
+
+7. Select **Next**, wait for the image to be updated, and then select **Close**.
 
   ![Add drivers to Windows PE step 1.](../images/fig21-add-drivers1.png)<br>
   ![Add drivers to Windows PE step 2.](../images/fig21-add-drivers2.png)<br>
@@ -66,27 +75,28 @@ Driver folder structure on CM01
 
 On **CM01**:
 
-1. Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
-2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and click **Next**. Wait a minute for driver information to be validated.
-3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, click **OK**, and then click **Next**.
+1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click the **Drivers** node and select **Import Driver**.
+
+2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **`\\CM01\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`** folder and select **Next**. Wait a minute for driver information to be validated.
+
+3. On the **Specify the details for the imported driver** page, select **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, select **OK**, and then select **Next**.
 
     ![Create driver categories.](../images/fig22-createcategories.png "Create driver categories")
 
     Create driver categories
 
+4. On the **Select the packages to add the imported driver** page, select **New Package**, use the following settings for the package, and then select **Next**:
 
-4. On the **Select the packages to add the imported driver** page, click **New Package**, use the following settings for the package, and then click **Next**:
+    - Name: Windows 10 x64 - HP EliteBook 8560w
+    - Path: **`\\CM01\Sources$\OSD\DriverPackages\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`**
 
-    * Name: Windows 10 x64 - HP EliteBook 8560w
-    * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w
+    > [!NOTE]
+    > The package path does not yet exist so it has to be created by typing it in. The wizard will create the new package using the path you specify.
 
-    >[!NOTE]
-    >The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify.
+5. On the **Select drivers to include in the boot image** page, don't select anything, and select **Next** twice. After the package has been created, select **Close**.
 
-5.  On the **Select drivers to include in the boot image** page, don't select anything, and click **Next** twice. After the package has been created, click **Close**.
-
-    >[!NOTE]
-    >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
+    > [!NOTE]
+    > If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
   
     ![Drivers imported and a new driver package created.](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created")
   
@@ -94,7 +104,7 @@ On **CM01**:
 
 Next, see [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md).
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index fb7aae6b8e..bc6f5f88b1 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -1,44 +1,53 @@
 ---
 title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Endpoint Configuration Manager.
+description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Configuration Manager.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Create a custom Windows PE boot image with Configuration Manager
 
-**Applies to**
+*Applies to:*
 
-- Windows 10
+- Windows 10
+
+In Microsoft Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This article shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
 
-In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
 - The boot image that is created is based on the version of ADK that is installed.
 
 For the purposes of this guide, we'll use one server computer: CM01.
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
 
  An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 ## Add DaRT 10 files and prepare to brand the boot image
 
-The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.
+The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools, and later skip adding the DaRT component to the boot image.
 
-We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named <a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>.
+We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **`C:\Setup\Branding`** on CM01. In this section, we use a custom background image named [ContosoBackground.png](../images/ContosoBackground.png)
 
 On **CM01**:
 
-1.  Install DaRT 10 (C:\\Setup\\DaRT 10\\MSDaRT100.msi) using the default settings.
-2.  Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder.
-3.  Copy the Toolsx64.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x64** folder.
-4.  Copy the Toolsx86.cab file to the **C:\\Program Files\\Microsoft Deployment Toolkit\\Templates\\Distribution\\Tools\\x86** folder.
-5.  Using File Explorer, navigate to the **C:\\Setup** folder.
-6.  Copy the **Branding** folder to **D:\\Sources\\OSD**.
+1. Install DaRT 10 (**`C:\\Setup\\DaRT 10\\MSDaRT100.msi`**) using the default settings.
+
+2. Using File Explorer, navigate to the **`C:\Program Files\Microsoft DaRT\v10`** folder.
+
+3. Copy the Toolsx64.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64`** folder.
+
+4. Copy the Toolsx86.cab file to the **`C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86`** folder.
+
+5. Using File Explorer, navigate to the **`C:\Setup`** folder.
+
+6. Copy the **Branding** folder to **`D:\Sources\OSD`**.
 
 ## Create a boot image for Configuration Manager using the MDT wizard
 
@@ -46,15 +55,18 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g
 
 On **CM01**:
 
-1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
-2.  On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Boot\\Zero Touch WinPE x64** and click **Next**.
+1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and select **Create Boot Image using MDT**.
 
-    >[!NOTE]
-    >The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
+2. On the **Package Source** page, in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Boot\Zero Touch WinPE x64`** and select **Next**.
 
-3.  On the **General Settings** page, assign the name **Zero Touch WinPE x64** and click **Next**.
-4.  On the **Options** page, select the **x64** platform, and click **Next**.
-5.  On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and click **Next**.
+    > [!NOTE]
+    > The Zero Touch WinPE x64 folder does not yet exist. The folder will be created later by the wizard.
+
+3. On the **General Settings** page, assign the name **Zero Touch WinPE x64** and select **Next**.
+
+4. On the **Options** page, select the **x64** platform, and select **Next**.
+
+5. On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and select **Next**.
 
     ![Add the DaRT component to the Configuration Manager boot image.](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
 
@@ -62,19 +74,25 @@ On **CM01**:
 
     >Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE.
 
-6.  On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**.
-7.  Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
-8.  In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
-9.  Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
+6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **`\\CM01\Sources$\OSD\Branding\ContosoBackground.bmp`** and then select **Next** twice. Wait a few minutes while the boot image is generated, and then select **Finish**.
+
+7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
+
+8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
+
+9. Using Configuration Manager Trace, review the `D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log` file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **Monitoring** > **Overview** > **Distribution Status** > **Content Status** > **Zero Touch WinPE x64**. See the following examples:
 
     ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)<br>
     ![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png)
 
     Content status for the Zero Touch WinPE x64 boot image
 
-10. Using the Configuration Manager Console, in the Software Library workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
-11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and click **OK**.
+10. Using the Configuration Manager Console, in the **Software Library** workspace, under **Boot Images**, right-click the **Zero Touch WinPE x64** boot image and select **Properties**.
+
+11. On the **Data Source** tab, select the **Deploy this boot image from the PXE-enabled distribution point** check box, and select **OK**.
+
 12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
+
 13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
 
     ![PS100009 step 1.](../images/ps100009-1.png)<br>
@@ -84,7 +102,7 @@ On **CM01**:
 
 Next, see [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md). 
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
index f846694f35..dc5fff054b 100644
--- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -2,23 +2,26 @@
 title: Create a task sequence with Configuration Manager (Windows 10)
 description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Create a task sequence with Configuration Manager and MDT
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
 In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages.
 
 For the purposes of this guide, we'll use one server computer: CM01.
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
 
  An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly.
@@ -29,33 +32,47 @@ This section walks you through the process of creating a Configuration Manager t
 
 On **CM01**:
 
-1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-2.  On the **Choose Template** page, select the **Client Task Sequence** template and click **Next**.
-3.  On the **General** page, assign the following settings and then click **Next**:
-    * Task sequence name: Windows 10 Enterprise x64 RTM
-    * Task sequence comments: Production image with Office 365 Pro Plus x64
-4.  On the **Details** page, assign the following settings and then click **Next**:
-    * Join a Domain
-    * Domain: contoso.com
-        * Account: contoso\\CM\_JD
-        * Password: pass@word1
-    * Windows Settings
-        * User name: Contoso
-        * Organization name: Contoso
-        * Product key: &lt;blank&gt;
+1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
 
-5.  On the **Capture Settings** page, accept the default settings, and click **Next**.
-6.  On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-7.  On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**.
-8.  On the **MDT Details** page, assign the name **MDT** and click **Next**.
-9.  On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**.
-10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and click **Next**.
-11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and click **Next**.
-12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and click **Next**.
-13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\Settings\\Windows 10 x64 Settings** and click **Next**.
-14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and click **Next**.
-15. On the **Sysprep Package** page, click **Next** twice.
-16. On the **Confirmation** page, click **Finish**.
+2. On the **Choose Template** page, select the **Client Task Sequence** template and select **Next**.
+
+3. On the **General** page, assign the following settings and then select **Next**:
+    - Task sequence name: Windows 10 Enterprise x64 RTM
+    - Task sequence comments: Production image with Office 365 Pro Plus x64
+
+4. On the **Details** page, assign the following settings and then select **Next**:
+    - Join a Domain
+    - Domain: contoso.com
+        - Account: contoso\\CM\_JD
+        - Password: pass@word1
+    - Windows Settings
+        - User name: Contoso
+        - Organization name: Contoso
+        - Product key: *\<blank\>*
+
+5. On the **Capture Settings** page, accept the default settings, and select **Next**.
+
+6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**.
+
+7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\MDT\MDT`**. Then select **Next**.
+
+8. On the **MDT Details** page, assign the name **MDT** and select **Next**.
+
+9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then select **Next**.
+
+10. On the **Deployment Method** page, accept the default settings (Zero Touch installation) and select **Next**.
+
+11. On the **Client Package** page, browse and select the **Microsoft Corporation Configuration Manager Client Package** and select **Next**.
+
+12. On the **USMT Package** page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package and select **Next**.
+
+13. On the **Settings Package** page, select the **Create a new settings package** option, and in the **Package source folder to be created (UNC Path):** text box, enter **`\\CM01\Sources$\OSD\Settings\Windows 10 x64 Settings`** and select **Next**.
+
+14. On the **Settings Details** page, assign the name **Windows 10 x64 Settings** and select **Next**.
+
+15. On the **Sysprep Package** page, select **Next** twice.
+
+16. On the **Confirmation** page, select **Finish**.
 
 ## Edit the task sequence
 
@@ -63,70 +80,74 @@ After you create the task sequence, we recommend that you configure the task seq
 
 On **CM01**:
 
-1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and click **Edit**.
-2.  In the **Install** group (about halfway down), select the **Set Variable for Drive Letter** action and configure the following:
-    * OSDPreserveDriveLetter: True
-    
-    >[!NOTE]
-    >If you don't change this value, your Windows installation will end up in D:\\Windows.
+1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Edit**.
+
+2. In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values).
+
+3. In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
+
+4. After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
+
+5. After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
+
+    - Name: HP EliteBook 8560w
+    - Driver Package: Windows 10 x64 - HP EliteBook 8560w
+    - Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w
+
+    > [!NOTE]
+    > You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
 
-3.  In the **Post Install** group, select **Apply Network Settings**, and configure the **Domain OU** value to use the **Contoso / Computers / Workstations** OU (browse for values).
-4.  In the **Post Install** group, disable the **Auto Apply Drivers** action. (Disabling is done by selecting the action and, in the **Options** tab, selecting the **Disable this step** check box.)
-5.  After the disabled **Post Install / Auto Apply Drivers** action, add a new group name: **Drivers**.
-6.  After the **Post Install / Drivers** group, add an **Apply Driver Package** action with the following settings:
-    * Name: HP EliteBook 8560w
-    * Driver Package: Windows 10 x64 - HP EliteBook 8560w
-    * Options tab - Add Condition: Task Sequence Variable: Model equals HP EliteBook 8560w
-    
-    >[!NOTE]
-    >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
-    
     ![Driver package options.](../images/fig27-driverpackage.png "Driver package options")
-    
+
     The driver package options
 
-7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
-8.  Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
+6. In the **State Restore / Install Applications** group, select the **Install Application** action.
+
+7. Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
 
     ![Add an application to the task sequence.](../images/fig28-addapp.png "Add an application to the task sequence")
 
     Add an application to the Configuration Manager task sequence
 
-  >[!NOTE]
-  >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE.  If these actions are not present, try updating to the Config Mgr current branch release.
+    > [!NOTE]
+    > In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE.  If these actions are not present, try updating to the latest Configuration Manager current branch release.
 
-9.  In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings:
-    * Request state storage location to: Restore state from another computer
-    * If computer account fails to connect to state store, use the Network Access account: selected
-    * Options: Continue on error
-    * Options / Add Condition:
-      * Task Sequence Variable      
-      * USMTLOCAL not equals True
+8. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings:
 
-10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings:
-    * Options: Continue on error
-    * Options / Condition:
-      * Task Sequence Variable
-      * USMTLOCAL not equals True
+    - Request state storage location to: Restore state from another computer
+    - If computer account fails to connect to state store, use the Network Access account: selected
+    - Options: Continue on error
+    - Options / Add Condition:
+      - Task Sequence Variable
+      - USMTLOCAL not equals True
 
-11. Click **OK**.
+9. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings:
+    - Options: Continue on error
+    - Options / Condition:
+      - Task Sequence Variable
+      - USMTLOCAL not equals True
+
+10. Select **OK**.
 
 ## Organize your packages (optional)
 
-If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. 
+If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages.
 
 To create a folder for packages:
 
 On **CM01**:
 
-1.  Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**.
-2.  Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure.
-3.  Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
-4.  In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**.
+1. Using the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**, and then select **Packages**.
+
+2. Right-click **Packages**, point to **Folder**, select **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure.
+
+3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**.
+
+4. In the **Move Selected Items** dialog box, select the **OSD** folder, and select **OK**.
 
 Next, see [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md).
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](../deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 102b3ae2d6..7a7d509012 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,76 +1,89 @@
 ---
 title: Create an app to deploy with Windows 10 using Configuration Manager
-description: Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process.
+description: Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
 ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Create an application to deploy with Windows 10 using Configuration Manager
 
+*Applies to:*
 
-**Applies to**
+- Windows 10
 
--   Windows 10
-
-Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use.
+Microsoft Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Configuration Manager that you later configure the task sequence to use.
 
 For the purposes of this guide, we'll use one server computer: CM01.
-- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
 
->[!NOTE]
->The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
+- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
+
+> [!NOTE]
+> The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image.
 
 ## Example: Create the Adobe Reader application
 
 On **CM01**:
 
-1. Create the **D:\Setup** folder if it doesn't already exist.
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader.
-2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example:
+1. Create the **`D:\Setup`** folder if it doesn't already exist.
 
-  ```powershell
-  Set-Location C:\Users\administrator.CONTOSO\Downloads
-  .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne
-  ```
-  >Note: the extraction process will create the "Adobe" folder
+2. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **`D:\Setup\Adobe`** on CM01. The filename will differ depending on the version of Acrobat Reader.
 
-3.  Using File Explorer, copy the **D:\\Setup\\Adobe** folder to the **D:\\Sources\\Software\\Adobe** folder.
-4.  In the Configuration Manager Console, in the Software Library workspace, expand **Application Management**.
-5.  Right-click **Applications**, point to **Folder** and then click **Create Folder**. Assign the name **OSD**.
-6.  Right-click the **OSD** folder, and click **Create Application**.
-7.  In the Create Application Wizard, on the **General** page, use the following settings:
+3. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example:
 
-    * Automatically detect information about this application from installation files
-    * Type: Windows Installer (\*.msi file)
-    * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi
+    ```powershell
+    Set-Location C:\Users\administrator.CONTOSO\Downloads
+    .\AcroRdrDC2000620034_en_US.exe -sfx_o"d:\Setup\Adobe\" -sfx_ne
+    ```
+  
+    > [!NOTE]
+    > The extraction process will create the "Adobe" folder.
+
+4. Using File Explorer, copy the **`D:\Setup\Adobe`** folder to the **`D:\Sources\Software\Adobe`** folder.
+
+5. In the Configuration Manager Console, in the **Software Library** workspace, expand **Application Management**.
+
+6. Right-click **Applications**, point to **Folder** and then select **Create Folder**. Assign the name **OSD**.
+
+7. Right-click the **OSD** folder, and select **Create Application**.
+
+8. In the Create Application Wizard, on the **General** page, use the following settings:
+
+    - Automatically detect information about this application from installation files
+    - Type: Windows Installer (\*.msi file)
+    - Location: `\\CM01\Sources$\Software\Adobe\AcroRead.msi`
 
     ![The Create Application Wizard.](../images/mdt-06-fig20.png "The Create Application Wizard")
 
     The Create Application Wizard
 
-8.  Click **Next**, and wait while Configuration Manager parses the MSI file.
-9.  On the **Import Information** page, review the information and then click **Next**.
-10.  On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, click **Next** twice, and then click **Close**.
+9. Select **Next**, and wait while Configuration Manager parses the MSI file.
 
-  >[!NOTE]
-  >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
+10. On the **Import Information** page, review the information and then select **Next**.
+
+11. On the **General Information** page, name the application Adobe Acrobat Reader DC - OSD Install, select **Next** twice, and then select **Close**.
+
+    > [!NOTE]
+    > Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
   
-  ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
+    ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
   
-  Add the "OSD Install" suffix to the application name
+    Add the "OSD Install" suffix to the application name
 
-11.  In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties).
-12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**.
+12. In the **Applications** node, select the Adobe Reader - OSD Install application, and select **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties).
 
-Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). 
+13. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and select **OK**.
 
-## Related topics
+Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md).
+
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index 253e63190e..6a0dd625b6 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -1,25 +1,27 @@
 ---
 title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
-description: In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences.
+description: In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences.
 ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Deploy Windows 10 using PXE and Configuration Manager
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
-In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
+In this article, you'll learn how to deploy Windows 10 using Microsoft Configuration Manager deployment packages and task sequences. This article will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this article.
+
+This article assumes that you've completed the following prerequisite procedures:
 
-This topic assumes that you've completed the following prerequisite procedures:
 - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
 - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
@@ -29,37 +31,49 @@ This topic assumes that you've completed the following prerequisite procedures:
 - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
 
 For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001).
+
 - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS).
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
-  - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS.
+
+  - CM01 is also running WDS that will be required to start PC0001 via PXE.
+
+    > [!NOTE]
+    > Ensure that only CM01 is running WDS.
+
 - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network.
 
->[!NOTE]
->If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.  
+> [!NOTE]
+> If desired, PC0001 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0001 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.  
 
-All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
 
-All server and client computers referenced in this guide are on the same subnet. This connection isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This connection isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates.
 
->[!NOTE]
->No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
+> [!NOTE]
+> No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console.
 
 ## Procedures
 
 1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
-2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and click **Next**.
-3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
-4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
-5. The operating system deployment will take several minutes to complete. 
-6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps:
 
-    * Install the Windows 10 operating system.
-    * Install the Configuration Manager client and the client hotfix.
-    * Join the computer to the domain.
-    * Install the application added to the task sequence.
-    
-    >[!NOTE]
-    >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
+2. On the **Welcome to the Task Sequence Wizard** page, enter in the password **pass\@word1** and select **Next**.
+
+3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and select **Next**.
+
+4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, enter **PC0001** and select **OK**. Then select **Next**.
+
+5. The operating system deployment will take several minutes to complete.
+
+6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then select **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps:
+
+    - Install the Windows 10 operating system.
+    - Install the Configuration Manager client and the client hotfix.
+    - Join the computer to the domain.
+    - Install the application added to the task sequence.
+
+    > [!NOTE]
+    > You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
 
     ![MDT monitoring.](../images/pc0001-monitor.png)
 
@@ -86,7 +100,7 @@ Examples are provided below of various stages of deployment:
 
 Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 3984e65a9b..581ec6010d 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -2,42 +2,45 @@
 title: Finalize operating system configuration for Windows 10 deployment
 description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
-This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence.
+This article walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence.
 
 For the purposes of this guide, we'll use one server computer: CM01.
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.  
 
  An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 ## Enable MDT monitoring
 
-This section will walk you through the process of creating the D:\\MDTProduction deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
+This section will walk you through the process of creating the **`D:\MDTProduction`** deployment share using the MDT Deployment Workbench to enable monitoring for Configuration Manager.
 
 On **CM01**:
 
-1.  Open the Deployment Workbench, right-click **Deployment Shares** and click **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
+1. Open the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. Use the following settings for the New Deployment Share Wizard:
 
-    * Deployment share path: D:\\MDTProduction
-    * Share name: MDTProduction$
-    * Deployment share description: MDT Production
-    * Options: &lt;default settings&gt;
+    - Deployment share path: D:\\MDTProduction
+    - Share name: MDTProduction$
+    - Deployment share description: MDT Production
+    - Options: *\<default settings\>*
 
-2.  Right-click the **MDT Production** deployment share, and click **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
+2. Right-click the **MDT Production** deployment share, and select **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and select **OK**.
 
     ![Enable MDT monitoring for Configuration Manager.](../images/mdt-06-fig31.png)
 
@@ -49,16 +52,17 @@ The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-
 
 On **CM01**:
 
-1.  To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt:
+1. To configure NTFS permissions using `icacls.exe`, enter the following command at an elevated Windows PowerShell prompt:
 
-    ``` 
-    icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
+    ```cmd
+    icacls.exe D:\Logs /grant '"CM_NAA":(OI)(CI)(M)'
     ```
 
-2. Using File Explorer, navigate to the **D:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder.
-3. To enable server-side logging, edit the CustomSetting.ini file with Notepad.exe and enter the following settings:
+2. Using File Explorer, navigate to the **`D:\Sources\OSD\Settings\Windows 10 x64 Settings`** folder.
 
-   ``` 
+3. To enable server-side logging, edit the `CustomSetting.ini` file with `Notepad.exe` and enter the following settings:
+
+    ```ini
    [Settings]
    Priority=Default
    Properties=OSDMigrateConfigFiles,OSDMigrateMode
@@ -77,12 +81,12 @@ On **CM01**:
 
    ![Settings package during deployment.](../images/fig30-settingspack.png)
 
-   The Settings package, holding the rules and the Unattend.xml template used during deployment
+   The Settings package, holding the rules and the `Unattend.xml` template used during deployment
 
-3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box.
+4. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Select **OK** in the popup dialog box.
 
-   >[!NOTE]
-   >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
+   > [!NOTE]
+   > Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes.
 
 ## Distribute content to the CM01 distribution portal
 
@@ -90,9 +94,11 @@ In Configuration Manager, you can distribute all packages needed by a task seque
 
 On **CM01**:
 
-1.  Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
-2.  In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
-3.  Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully.
+1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**.
+
+2. In the Distribute Content Wizard, select **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
+
+3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the `distmgr.log` file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully.
 
    ![Content status.](../images/cm01-content-status1.png)
 
@@ -104,21 +110,26 @@ This section provides steps to help you create a deployment for the task sequenc
 
 On **CM01**:
 
-1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then click **Deploy**.
-2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and click **Next**.
-3. On the **Deployment Settings** page, use the following settings and then click **Next**:
+1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems** and select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM** and then select **Deploy**.
 
-   * Purpose: Available
-   * Make available to the following: Only media and PXE
+2. In the Deploy Software Wizard, on the **General** page, select the **All Unknown Computers** collection and select **Next**.
+
+3. On the **Deployment Settings** page, use the below settings and then select **Next**:
+
+   - Purpose: Available
+   - Make available to the following: Only media and PXE
 
    ![Configure the deployment settings.](../images/mdt-06-fig33.png)
-    
+
    Configure the deployment settings
 
-4. On the **Scheduling** page, accept the default settings and click **Next**.
-5. On the **User Experience** page, accept the default settings and click **Next**.
-6. On the **Alerts** page, accept the default settings and click **Next**.
-7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
+4. On the **Scheduling** page, accept the default settings and select **Next**.
+
+5. On the **User Experience** page, accept the default settings and select **Next**.
+
+6. On the **Alerts** page, accept the default settings and select **Next**.
+
+7. On the **Distribution Points** page, accept the default settings, select **Next** twice, and then select **Close**.
 
    ![Task sequence deployed.](../images/fig32-deploywiz.png)
 
@@ -132,25 +143,25 @@ This section provides steps to help you configure the All Unknown Computers coll
 
 On **CM01**:
 
-1. Using the Configuration Manager console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and click **Properties**.
+1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**.
 
 2. On the **Collection Variables** tab, create a new variable with the following settings:
 
-   * Name: OSDComputerName
-   * Clear the **Do not display this value in the Configuration Manager console** check box.
+   - Name: OSDComputerName
+   - Clear the **Do not display this value in the Configuration Manager console** check box.
 
-3. Click **OK**.
+3. Select **OK**.
+
+   > [!NOTE]
+   > Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
 
-   >[!NOTE]
-   >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
-   
    ![Configure a collection variable.](../images/mdt-06-fig35.png)
-   
+  
    Configure a collection variable
 
 Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md).
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 02c1c8a43b..2fa98b5ab7 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -2,21 +2,23 @@
 title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
 description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: how-to
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
 
-**Applies to**
+*Applies to:*
 
 - Windows 10
 
-This article walks you through the Zero Touch Installation (ZTI) process of Windows 10 OS deployment using Microsoft Endpoint Configuration Manager [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
+This article walks you through the Zero Touch Installation (ZTI) process of Windows 10 OS deployment using Microsoft Configuration Manager [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
 
 ## Prerequisites
 
@@ -26,18 +28,30 @@ In this article, you'll use [components](#components-of-configuration-manager-op
 
     > [!NOTE]
     > Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by  Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
+
 - The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
+
 - Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods).
+
 - IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
+
 - The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
+
 - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
-- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
+
+- The [Windows ADK](/windows-hardware/get-started/adk-install) version that is [supported for the version of Configuration Manager](/mem/configmgr/core/plan-design/configs/support-for-windows-adk) that is installed, including the Windows PE add-on. USMT should be installed as part of the Windows ADK install.
+
+- [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456
+
+- DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
+
 - The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
 
   > [!NOTE]
-  > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**.
+  > CMTrace is automatically installed with the current branch of Configuration Manager at **`Program Files\Microsoft Configuration Manager\tools\cmtrace.exe`**.
+
+For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01.
 
-For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. 
 - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
 - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member.
@@ -52,18 +66,18 @@ The following generic credentials are used in this guide. You should replace the
 
 - **Active Directory domain name**: `contoso.com`
 - **Domain administrator username**: `administrator`
--**Domain administrator password**: `pass@word1`
+- **Domain administrator password**: `pass@word1`
 
 ## Create the OU structure
 
->[!NOTE]
->If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
+> [!NOTE]
+> If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section.
 
 On **DC01**:
 
 To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell.
 
-To use Windows PowerShell, copy the following commands into a text file and save it as `C:\Setup\Scripts\ou.ps1` Ensure that you're viewing file extensions and that you save the file with the `.ps1` extension.
+To use Windows PowerShell, copy the following commands into a text file and save it as `C:\Setup\Scripts\ou.ps1`. Ensure that you're viewing file extensions and that you save the file with the `.ps1` extension.
 
 ```powershell
 $oulist = Import-csv -Path c:\oulist.txt
@@ -105,25 +119,27 @@ A role-based model is used to configure permissions for the service accounts nee
 
 On **DC01**:
 
-1.  In the Active Directory Users and Computers console, browse to **contoso.com / Contoso / Service Accounts**.
-2.  Select the Service Accounts OU and create the CM\_JD account using the following settings:
+1. In the Active Directory Users and Computers console, browse to **contoso.com** > **Contoso** > **Service Accounts**.
 
-    * Name: CM\_JD
-    * User sign-in name: CM\_JD
-    * Password: `pass@word1`
-    * User must change password at next logon: Clear
-    * User can't change password: Selected
-    * Password never expires: Selected
+2. Select the Service Accounts OU and create the CM\_JD account using the following settings:
 
-3.  Repeat the step, but for the CM\_NAA account.
-4.  After creating the accounts, assign the following descriptions:
+    - Name: CM\_JD
+    - User sign-in name: CM\_JD
+    - Password: `pass@word1`
+    - User must change password at next logon: Clear
+    - User can't change password: Selected
+    - Password never expires: Selected
 
-    * CM\_JD: Configuration Manager Join Domain Account
-    * CM\_NAA: Configuration Manager Network Access Account
+3. Repeat the step, but for the CM\_NAA account.
+
+4. After creating the accounts, assign the following descriptions:
+
+    - CM\_JD: Configuration Manager Join Domain Account
+    - CM\_NAA: Configuration Manager Network Access Account
 
 ## Configure Active Directory permissions
 
-In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
+In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to `C:\Setup\Scripts` on DC01.
 
 On **DC01**:
 
@@ -137,18 +153,18 @@ On **DC01**:
 
 2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted:
 
-   * Scope: This object and all descendant objects
-   * Create Computer objects
-   * Delete Computer objects
-   * Scope: Descendant Computer objects
-   * Read All Properties
-   * Write All Properties
-   * Read Permissions
-   * Modify Permissions
-   * Change Password
-   * Reset Password
-   * Validated write to DNS host name
-   * Validated write to service principal name
+   - Scope: This object and all descendant objects
+   - Create Computer objects
+   - Delete Computer objects
+   - Scope: Descendant Computer objects
+   - Read All Properties
+   - Write All Properties
+   - Read Permissions
+   - Modify Permissions
+   - Change Password
+   - Reset Password
+   - Validated write to DNS host name
+   - Validated write to service principal name
 
 ## Review the Sources folder structure
 
@@ -156,9 +172,6 @@ On **CM01**:
 
 To support the packages you create in this article, the following folder structure should be created on the Configuration Manager primary site server (CM01):
 
->[!NOTE]
->In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
-
 - D:\\Sources
 - D:\\Sources\\OSD
 - D:\\Sources\\OSD\\Boot
@@ -171,11 +184,13 @@ To support the packages you create in this article, the following folder structu
 - D:\\Sources\\Software
 - D:\\Sources\\Software\\Adobe
 - D:\\Sources\\Software\\Microsoft
+- D:\\Logs
+
+> [!NOTE]
+> In most production environments, the packages are stored on a Distributed File System (DFS) share or a "normal" server share, but in a lab environment you can store them on the site server.
 
 You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure:
 
->We'll also create the D:\Logs folder here which will be used later to support server-side logging.
-
 ```powershell
 New-Item -ItemType Directory -Path "D:\Sources"
 New-Item -ItemType Directory -Path "D:\Sources\OSD"
@@ -201,11 +216,13 @@ To extend the Configuration Manager console with MDT wizards and templates, inst
 On **CM01**:
 
 1. Sign in as contoso\administrator.
-2. Ensure the Configuration Manager Console is closed before continuing.
-5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings:
 
-   * Site Server Name: CM01.contoso.com
-   * Site code: PS1
+2. Ensure the Configuration Manager Console is closed before continuing.
+
+3. Select Start, type **Configure ConfigManager Integration**, and run the application with the following settings:
+
+   - Site Server Name: CM01.contoso.com
+   - Site code: PS1
 
 ![figure 8.](../images/mdt-06-fig08.png)
 
@@ -217,9 +234,11 @@ Most organizations want to display their name during deployment. In this section
 
 On **CM01**:
 
-1.  Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**.
-2.  In the right pane, right-click **Default Client Settings** and then select **Properties**.
-3.  In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**.
+1. Open the Configuration Manager Console, select the **Administration** workspace, then select **Client Settings**.
+
+2. In the right pane, right-click **Default Client Settings** and then select **Properties**.
+
+3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, enter in **Contoso** and select **OK**.
 
 ![figure 9.](../images/mdt-06-fig10.png)
 
@@ -235,9 +254,11 @@ Configuration Manager uses the Network Access account during the Windows 10 depl
 
 On **CM01**:
 
-1.  Using the Configuration Manager Console, in the Administration workspace, expand **Site Configuration** and select **Sites**.
-2.  Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
-3.  On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
+1. Using the Configuration Manager Console, in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
+
+2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
+
+3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the account **CONTOSO\\CM\_NAA** as the Network Access account (password: **pass@word1**). Use the new **Verify** option to verify that the account can connect to the **`\\DC01\sysvol`** network share.
 
 ![figure 11.](../images/mdt-06-fig12.png)
 
@@ -249,52 +270,64 @@ Configuration Manager has many options for starting a deployment, but starting v
 
 On **CM01**:
 
-1.  In the Configuration Manager Console, in the Administration workspace, select **Distribution Points**.
-2.  Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
-3.  On the **PXE** tab, use the following settings:
+1. In the Configuration Manager Console, in the **Administration** workspace, select **Distribution Points**.
 
-    * Enable PXE support for clients
-    * Allow this distribution point to respond to incoming PXE requests
-    * Enable unknown computer
-    * Require a password when computers use PXE
-    * Password and Confirm password: pass@word1
+2. Right-click the **\\\\CM01.CONTOSO.COM distribution point** and select **Properties**.
+
+3. On the **PXE** tab, use the following settings:
+
+    - Enable PXE support for clients
+    - Allow this distribution point to respond to incoming PXE requests
+    - Enable unknown computer
+    - Require a password when computers use PXE
+    - Password and Confirm password: pass@word1
 
     ![figure 12.](../images/mdt-06-fig13.png)
 
     Configure the CM01 distribution point for PXE.
 
-    >[!NOTE]
-    >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
+    > [!NOTE]
+    > If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (**SccmPxe**) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
 
-4.  Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
+4. Using the CMTrace tool, review the **`C:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file. Look for the **ConfigurePXE** and **CcmInstallPXE** lines.
 
     ![figure 13.](../images/mdt-06-fig14.png)
 
-    The distmgr.log displays a successful configuration of PXE on the distribution point.
+    The `distmgr.log` displays a successful configuration of PXE on the distribution point.
 
-5.  Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
+5. Verify that you've seven files in each of the folders **`D:\RemoteInstall\SMSBoot\x86`** and **`D:\RemoteInstall\SMSBoot\x64`**.
 
     ![figure 14.](../images/mdt-06-fig15.png)
 
     The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
 
-    **Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder.
+    > [!NOTE]
+    > These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder.
 
 Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md).
 
 ## Components of Configuration Manager operating system deployment
 
-Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
+
+- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
+
+- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
+
+- **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
+
+- **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
+
+- **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
+
+- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image.
+
+- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
+
+- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
+
+- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager.
 
--   **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
--   **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
--   **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server.
--   **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process.
--   **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment.
--   **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image.
--   **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
--   **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
--   **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager.
     > [!NOTE]
     > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
 
@@ -302,28 +335,31 @@ Operating system deployment with Configuration Manager is part of the normal sof
 
 As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.
 
->[!NOTE]
->MDT installation requires the following:
->-   The Windows ADK for Windows 10 (installed in the previous procedure)
->-   Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
->-   Microsoft .NET Framework
+> [!NOTE]
+> MDT installation requires the following:
+>
+> - The Windows ADK for Windows 10 (installed in the previous procedure)
+> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
+> - Microsoft .NET Framework
 
 ### MDT enables dynamic deployment
 
-When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
+When MDT is integrated with Configuration Manager, the task sequence processes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the `CustomSettings.ini` file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
 
 The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
--   The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence.
 
-    ``` syntax
+- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence.
+
+    ```ini
     [Settings] 
     Priority=Model
     [HP EliteBook 8570w] 
     Packages001=PS100010:Install HP Hotkeys
     ```
--   The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
 
-    ``` syntax
+- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop.
+
+    ```ini
     [Settings]
     Priority= ByLaptopType, ByDesktopType
     [ByLaptopType]
@@ -371,13 +407,17 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op
 
 ### Why use MDT Lite Touch to create reference images
 
-You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
+You can create reference images for Configuration Manager in Configuration Manager, but in general it is recommended to create them in MDT Lite Touch for the following reasons:
 
--   You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
--   Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
--   The Configuration Manager task sequence doesn't suppress user interface interaction.
--   MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured.
--   MDT Lite Touch doesn't require any infrastructure and is easy to delegate.
+- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
+
+- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
+
+- The Configuration Manager task sequence suppresses user interface interaction.
+
+- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured.
+
+- MDT Lite Touch doesn't require any infrastructure and is easy to delegate.
 
 ## Related articles
 
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 41822baf59..d87aff2989 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -2,48 +2,52 @@
 title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
 description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
 
-**Applies to**
+*Applies to:*
 
-- Windows 10
+- Windows 10
 
-This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
+This article will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md).
 
 A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps:
 
-1.  Data and settings are backed up locally in a backup folder.
-2.  The partition is wiped, except for the backup folder.
-3.  The new operating system image is applied.
-4.  Other applications are installed.
-5.  Data and settings are restored.
+1. Data and settings are backed up locally in a backup folder.
+2. The partition is wiped, except for the backup folder.
+3. The new operating system image is applied.
+4. Other applications are installed.
+5. Data and settings are restored.
 
 ## Infrastructure
 
-An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003).
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
+
 - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10.
 
->[!NOTE]
->If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.  
+> [!NOTE]
+> If desired, PC0003 can be a VM hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, if PC0003 is a VM then you must ensure it has sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
 
-All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
 
 All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
 
->[!IMPORTANT]
->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+> [!IMPORTANT]
+> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso** > **Computers** > **Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
 
 ## Verify the Configuration Manager client settings
 
@@ -51,8 +55,10 @@ To verify that PC003 is correctly assigned to the PS1 site:
 
 On **PC0003**:
 
-1. Open the Configuration Manager control panel (control smscfgrc).
-2. On the **Site** tab, click **Configure Settings**, then click **Find Site**.
+1. Open the Configuration Manager control panel (`control.exe smscfgrc`).
+
+2. On the **Site** tab, select **Configure Settings**, then select **Find Site**.
+
 3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example.
 
 ![Found a site to manage this client.](../images/pc0003a.png)
@@ -61,49 +67,49 @@ On **PC0003**:
 
 On **CM01**:
 
-1.  Using the Configuration Manager console, in the Asset and Compliance workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+1. Using the Configuration Manager console, in the **Asset and Compliance** workspace, expand **Overview**, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
 
-  * General
-    * Name: Install Windows 10 Enterprise x64
-    * Limited Collection: All Systems
-  * Membership rules
-    * Add Rule: Direct rule
-      * Resource Class: System Resource
-      * Attribute Name: Name
-      * Value: PC0003
-    * Select Resources
-      * Select **PC0003**
+   - General
+     - Name: Install Windows 10 Enterprise x64
+     - Limited Collection: All Systems
+   - Membership rules
+     - Add Rule: Direct rule
+        - Resource Class: System Resource
+        - Attribute Name: Name
+        - Value: PC0003
+   - Select Resources
+     - Select **PC0003**
 
-  Use the default settings to complete the remaining wizard pages and click **Close**.
+    Use the default settings to complete the remaining wizard pages and select **Close**.
 
-2.  Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection.
+2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection.
 
-    >[!NOTE]
-    >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
+    > [!NOTE]
+    > It may take a short while for the collection to refresh; you can view progress via the `Colleval.log` file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership.
 
 ## Create a new deployment
 
 On **CM01**:
 
-Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then click **Deploy**. Use the following settings:
+Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the below settings:
 
 - General
-    - Collection: Install Windows 10 Enterprise x64
+  - Collection: Install Windows 10 Enterprise x64
 - Deployment Settings
-    - Purpose: Available
-    - Make available to the following: Configuration Manager clients, media and PXE
+  - Purpose: Available
+  - Make available to the following: Configuration Manager clients, media and PXE
 
-    >[!NOTE]
-    >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
+    > [!NOTE]
+    > It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point.
 
 - Scheduling
-    - &lt;default&gt;
+  - *\<default\>*
 - User Experience
-    - &lt;default&gt;
+  - *\<default\>*
 - Alerts
-    - &lt;default&gt;
+  - *\<default\>*
 - Distribution Points
-    - &lt;default&gt;
+  - *\<default\>*
 
 ## Initiate a computer refresh
 
@@ -111,12 +117,14 @@ Now you can start the computer refresh on PC0003.
 
 On **CM01**:
 
-1. Using the Configuration Manager console, in the Assets and Compliance workspace, click the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, click **Download Computer Policy**, and then click **OK** in the popup dialog box that appears.
+1. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **Install Windows 10 Enterprise x64** collection, right-click **PC0003**, point to **Client Notification**, select **Download Computer Policy**, and then select **OK** in the popup dialog box that appears.
 
 On **PC0003**:
 
-1.  Open the Software Center (click Start and type **Software Center**, or click the **New software is available** balloon in the system tray), select **Operating Systems** and click the **Windows 10 Enterprise x64 RTM** deployment, then click **Install**.
-2.  In the **Software Center** warning dialog box, click **Install Operating System**. 
+1. Open the Software Center (select Start and type **Software Center**, or select the **New software is available** balloon in the system tray), select **Operating Systems** and select the **Windows 10 Enterprise x64 RTM** deployment, then select **Install**.
+
+2. In the **Software Center** warning dialog box, select **Install Operating System**.
+
 3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
 
 ![Task sequence example 1.](../images/pc0003b.png)<br>
@@ -132,7 +140,7 @@ On **PC0003**:
 
 Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 4d0bcca63b..dd75747e26 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,69 +1,81 @@
 ---
 title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
-description: In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
+description: In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager.
 ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
 
-**Applies to**
+*Applies to:*
 
-- Windows 10
+- Windows 10
 
-In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
+In this article, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10.
 
-In this topic, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
+In this article, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md).
 
 ## Infrastructure
 
-An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006).
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
-  - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. 
+  - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work.
+
 - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced.
+
 - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004.
 
->[!NOTE]
->PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.  
+> [!NOTE]
+> PC0004 and PC006 can be VMs hosted on the server HV01, which is a Hyper-V host computer that we used previously to build a Windows 10 reference image. However, the VMs must have sufficient resources available to run the Configuration Manager OSD task sequence. 2GB of RAM or more is recommended.
 
-All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
 
 All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
 
->[!IMPORTANT]
->This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
+> [!IMPORTANT]
+> This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed.
 
 ## Create a replace task sequence
 
 On **CM01**:
 
-1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
-2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**.
-3. On the **General** page, assign the following settings and click **Next**:
+1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**.
 
-   * Task sequence name: Replace Task Sequence
-   * Task sequence comments: USMT backup only
+2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and select **Next**.
 
-4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**.
-5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**.
-6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then click **Next**.
-7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**.
-8. On the **Summary** page, review the details and then click **Next**.
-9. On the **Confirmation** page, click **Finish**.
+3. On the **General** page, assign the following settings and select **Next**:
 
-10. Review the Replace Task Sequence. 
+   - Task sequence name: Replace Task Sequence
+   - Task sequence comments: USMT backup only
 
-    >[!NOTE]
-    >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
+4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then select **Next**.
+
+5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then select **Next**.
+
+6. On the **USMT Package** page, browse and select the **OSD / Microsoft Corporation User State Migration Tool for Windows** package. Then select **Next**.
+
+7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then select **Next**.
+
+8. On the **Summary** page, review the details and then select **Next**.
+
+9. On the **Confirmation** page, select **Finish**.
+
+10. Review the Replace Task Sequence.
+
+    > [!NOTE]
+    > This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
 
 ![The back-up only task sequence.](../images/mdt-06-fig42.png "The back-up only task sequence")
 
@@ -75,70 +87,78 @@ This section walks you through the process of associating a new, blank device (P
 
 On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS:
 
-1.  Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet.
+1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet.
 
 On **CM01**:
 
-2.  When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**.
-3.  On the **Select Source** page, select **Import single computer** and click **Next**.
-4.  On the **Single Computer** page, use the following settings and then click **Next**:
+1. When you're using the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices**, and then select **Import Computer Information**.
 
-    * Computer Name: PC0006
-    * MAC Address: &lt;the mac address that you wrote down&gt;
-    * Source Computer: PC0004
+2. On the **Select Source** page, select **Import single computer** and select **Next**.
+
+3. On the **Single Computer** page, use the following settings and then select **Next**:
+
+    - Computer Name: PC0006
+    - MAC Address: *\<the mac address that you wrote down*\>
+    - Source Computer: PC0004
 
     ![Create the computer association.](../images/mdt-06-fig43.png "Create the computer association")
 
     Creating the computer association between PC0004 and PC0006.
 
-5.  On the **User Accounts** page, select **Capture and restore all user accounts** and click **Next**.
-6.  On the **Data Preview** page, click **Next**.
-7.  On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**.
-8.  On the **Summary** page, click **Next**, and then click **Close**.
-9.  Select the **User State Migration** node and review the computer association in the right hand pane.
-10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't.
-11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
+4. On the **User Accounts** page, select **Capture and restore all user accounts** and select **Next**.
+
+5. On the **Data Preview** page, select **Next**.
+
+6. On the **Choose additional collections** page, select **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then select **Next**.
+
+7. On the **Summary** page, select **Next**, and then select **Close**.
+
+8. Select the **User State Migration** node and review the computer association in the right hand pane.
+
+9. Right-click the **PC0004/PC0006** association and select **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't.
+
+10. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again.
 
 ## Create a device collection and add the PC0004 computer
 
 On **CM01**:
 
-1.  When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
 
-    * General
-      * Name: USMT Backup (Replace)
-      * Limited Collection: All Systems
-    * Membership rules:
-      * Add Rule: Direct rule
-        * Resource Class: System Resource
-        * Attribute Name: Name
-        * Value: PC0004
-        * Select Resources:
-          * Select **PC0004**
+    - General
+      - Name: USMT Backup (Replace)
+      - Limited Collection: All Systems
+    - Membership rules:
+      - Add Rule: Direct rule
+        - Resource Class: System Resource
+        - Attribute Name: Name
+        - Value: PC0004
+        - Select Resources:
+          - Select **PC0004**
 
-    Use default settings for the remaining wizard pages, then click **Close**.
+    Use default settings for the remaining wizard pages, then select **Close**.
 
-2.  Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection.
+2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection.
 
 ## Create a new deployment
 
 On **CM01**:
 
-Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
+Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Replace Task Sequence**, and then select **Deploy**. Use the following settings:
 
--   General
-    -   Collection: USMT Backup (Replace)
--   Deployment Settings
-    -   Purpose: Available
-    -   Make available to the following: Only Configuration Manager Clients
--   Scheduling
-    -   &lt;default&gt;
--   User Experience
-    -   &lt;default&gt;
--   Alerts
-    -   &lt;default&gt;
--   Distribution Points
-    -   &lt;default&gt;
+- General
+  - Collection: USMT Backup (Replace)
+- Deployment Settings
+  - Purpose: Available
+  - Make available to the following: Only Configuration Manager Clients
+- Scheduling
+  - *\<default*\>
+- User Experience
+  - *\<default*\>
+- Alerts
+  - *\<default*\>
+- Distribution Points
+  - *\<default*\>
 
 ## Verify the backup
 
@@ -146,15 +166,17 @@ This section assumes that you have a computer named PC0004 with the Configuratio
 
 On **PC0004**:
 
-1.  If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc).
-2.  On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (**`control.exe smscfgrc`**).
+2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears.
 
-    >[!NOTE]
-    >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+    > [!NOTE]
+    > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
-3.  Open the Software Center, select the **Replace Task Sequence** deployment and then click **Install**.
-4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
-5.  Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
+3. Open the Software Center, select the **Replace Task Sequence** deployment and then select **Install**.
+
+4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+
+5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
 
 ![Task sequence example.](../images/pc0004b.png)
 
@@ -162,11 +184,12 @@ Capturing the user state
 
 On **CM01**:
 
-6.  Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup.
-7.  Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location.
+1. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup.
 
-    >[!NOTE]
-    >It may take a few minutes for the user state store location to be populated.
+2. Using the Configuration Manager console, in the **Assets and Compliance** workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location.
+
+    > [!NOTE]
+    > It may take a few minutes for the user state store location to be populated.
 
 ## Deploy the new computer
 
@@ -174,16 +197,16 @@ On **PC0006**:
 
 1. Start the PC0006 virtual machine (or physical computer), press **F12** to Pre-Boot Execution Environment (PXE) boot when prompted. Allow it to boot Windows Preinstallation Environment (Windows PE), and then complete the deployment wizard using the following settings:
 
-    * Password: pass@word1
-    * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
+    - Password: pass@word1
+    - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM
 
-2.  The setup now starts and does the following steps:
+2. The setup now starts and does the following steps:
 
-    * Installs the Windows 10 operating system
-    * Installs the Configuration Manager client
-    * Joins it to the domain
-    * Installs the applications
-    * Restores the PC0004 backup
+    - Installs the Windows 10 operating system
+    - Installs the Configuration Manager client
+    - Joins it to the domain
+    - Installs the applications
+    - Restores the PC0004 backup
 
 When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
 
@@ -199,7 +222,7 @@ When the process is complete, you'll have a new Windows 10 computer in your doma
 
 Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuration-manager.md).
 
-## Related topics
+## Related articles
 
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)<br>
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
index 5d6a936a26..db3236d549 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md
@@ -1,39 +1,41 @@
 ---
 title: Perform in-place upgrade to Windows 10 via Configuration Manager
-description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Manager task sequence.
+description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Configuration Manager task sequence.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/27/2022
 ---
 
 # Perform an in-place upgrade to Windows 10 using Configuration Manager
 
+*Applies to:*
 
-**Applies to**
+- Windows 10
 
--   Windows 10
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Configuration Manager task sequence to completely automate the process.
 
-The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Manager task sequence to completely automate the process.
-
->[!IMPORTANT]
->Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
+> [!IMPORTANT]
+> Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
 
 ## Infrastructure
 
-An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). 
+An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004).
+
 - CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server.
 - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10.
 
-All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. 
+All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
 
-All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required. But each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the `contoso.com` domain. Internet connectivity is also required to download OS and application updates.
 
 ## Add an OS upgrade package
 
@@ -41,30 +43,40 @@ Configuration Manager Current Branch includes a native in-place upgrade task. Th
 
 On **CM01**:
 
-1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**.
-2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**.
+1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and select **Add Operating System Upgrade Package**.
+
+2. On the **Data Source** page, under **Path**, select **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **`\\cm01\Sources$\OSD\UpgradePackages\Windows 10`**.
+
 3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**.
-4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**.
+
+4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then select **Next**.
+
 5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**.
-6.  Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
-7.  In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
-8.  View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
+
+6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**.
+
+7. In the Distribute Content Wizard, add the CM01 distribution point, select **Next** and select **Close**.
+
+8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the **`D:\Program Files\Microsoft Configuration Manager\Logs\distmgr.log`** file and look for the **STATMSG: ID=2301** line.
 
 ## Create an in-place upgrade task sequence
 
 On **CM01**:
 
-1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**.
-2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and click **Next**.
-3. Use the following settings to complete the wizard:
+1. Using the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create Task Sequence**.
 
-   * Task sequence name: Upgrade Task Sequence
-   * Description: In-place upgrade
-   * Upgrade package: Windows 10 x64 RTM
-   * Include software updates: Do not install any software updates
-   * Install applications: OSD \ Adobe Acrobat Reader DC
+2. On the **Create a new task sequence** page, select **Upgrade an operating system from an upgrade package** and select **Next**.
+
+3. Use the below settings to complete the wizard:
+
+   - Task sequence name: Upgrade Task Sequence
+   - Description: In-place upgrade
+   - Upgrade package: Windows 10 x64 RTM
+   - Include software updates: Don't install any software updates
+   - Install applications: OSD \ Adobe Acrobat Reader DC
+
+4. Complete the wizard, and select **Close**.
 
-4. Complete the wizard, and click **Close**.
 5. Review the Upgrade Task Sequence.
 
 ![The upgrade task sequence.](../images/cm-upgrade-ts.png)
@@ -73,13 +85,13 @@ The Configuration Manager upgrade task sequence
 
 ## Create a device collection
 
-After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0004 computer running Windows 7 SP1, with the Configuration Manager client installed.
+After you create the upgrade task sequence, you can create a collection to test a deployment. In this section, we assume you have the PC0004 computer running Windows 7 SP1, with the Configuration Manager client installed.
 
 On **CM01**:
 
-1.  When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
+1. When you're using the Configuration Manager console, in the **Asset and Compliance** workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings:
     - General
-        - Name: Windows 10 x64 in-place upgrade
+        - Name: Windows 10 x64 in-place upgrade
         - Limited Collection: All Systems
     - Membership rules:
         - Direct rule
@@ -89,39 +101,50 @@ On **CM01**:
         - Select Resources
           - Select PC0004
 
-2.  Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection.
+2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection.
 
-## Deploy the Windows 10 upgrade
+## Deploy the Windows 10 upgrade
 
-In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
+In this section, you create a deployment for the Windows 10 Enterprise x64 Update application.
 
 On **CM01**:
 
-1.  Using the Configuration Manager console, in the Software Library workspace, right-click the **Upgrade Task Sequence** task sequence, and then click **Deploy**.
-2.  On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then click **Next**.
-3.  On the **Content** page, click **Next**.
-4.  On the **Deployment Settings** page, click **Next**:
-5.  On the **Scheduling** page, accept the default settings, and then click **Next**.
-6.  On the **User Experience** page, accept the default settings, and then click **Next**.
-7.  On the **Alerts** page, accept the default settings, and then click **Next**.
-7.  On the **Distribution Points** page, accept the default settings, and then click **Next**.
-8.  On the **Summary** page, click **Next**, and then click **Close**.
+1. Using the Configuration Manager console, in the **Software Library** workspace, right-click the **Upgrade Task Sequence** task sequence, and then select **Deploy**.
 
-## Start the Windows 10 upgrade
+2. On the **General** page, browse and select the **Windows 10 x64 in-place upgrade** collection, and then select **Next**.
+
+3. On the **Content** page, select **Next**.
+
+4. On the **Deployment Settings** page, select **Next**:
+
+5. On the **Scheduling** page, accept the default settings, and then select **Next**.
+
+6. On the **User Experience** page, accept the default settings, and then select **Next**.
+
+7. On the **Alerts** page, accept the default settings, and then select **Next**.
+
+8. On the **Distribution Points** page, accept the default settings, and then select **Next**.
+
+9. On the **Summary** page, select **Next**, and then select **Close**.
+
+## Start the Windows 10 upgrade
 
 Next, run the in-place upgrade task sequence on PC0004.
 
 On **PC0004**:
 
-1.  Open the Configuration Manager control panel (control smscfgrc).
-2.  On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears.
+1. Open the Configuration Manager control panel (`control.exe smscfgrc`).
 
-    >[!NOTE]
-    >You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, and then select **OK** in the popup dialog box that appears.
 
-3.  Open the Software Center, select the **Upgrade Task Sequence** deployment and then click **Install**.
-4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
-5.  Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
+    > [!NOTE]
+    > You also can use the Client Notification option in the Configuration Manager console, as shown in [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
+
+3. Open the Software Center, select the **Upgrade Task Sequence** deployment and then select **Install**.
+
+4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
+
+5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the **Operating System Upgrade Package** (the Windows installation source files), perform an in-place upgrade, and install your added applications. See the following examples:
 
 ![Upgrade task sequence example 1.](../images/pc0004-a.png)<br>
 ![Upgrade task sequence example 2.](../images/pc0004-b.png)<br>
@@ -131,7 +154,7 @@ On **PC0004**:
 ![Upgrade task sequence example 6.](../images/pc0004-f.png)<br>
 ![Upgrade task sequence example 7.](../images/pc0004-g.png)
 
-## Related topics
+## Related articles
 
 [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
 [Configuration Manager Team blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/bg-p/ConfigurationManagerBlog)
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index 15fb8922d8..80c99d9d57 100644
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -1,49 +1,57 @@
 ---
 title: Assign applications using roles in MDT (Windows 10)
-description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer.
+description: This article will show you how to add applications to a role in the MDT database and then assign that role to a computer.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Assign applications using roles in MDT
 
-This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
+This article will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this article, the application we're adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together.
 
-## <a href="" id="sec01"></a>Create and assign a role entry in the database
+## Create and assign a role entry in the database
 
-1.  On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**.
-2.  In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings:
-    1.  Role name: Standard PC
-    2.  Applications / Lite Touch Applications:
-    3.  Install - Adobe Reader XI - x86
+1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**.
+
+2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings:
+
+    1. Role name: Standard PC
+    2. Applications / Lite Touch Applications:
+    3. Install - Adobe Reader XI - x86
 
 ![figure 12.](../images/mdt-09-fig12.png)
 
 Figure 12. The Standard PC role with the application added
 
-## <a href="" id="sec02"></a>Associate the role with a computer in the database
+## Associate the role with a computer in the database
 
 After creating the role, you can associate it with one or more computer entries.
-1.  Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**.
-2.  In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
-    -   Roles: Standard PC
+
+1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**.
+
+2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
+    - Roles: Standard PC
 
 ![figure 13.](../images/mdt-09-fig13.png)
 
 Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
 
-## <a href="" id="sec03"></a>Verify database access in the MDT simulation environment
+## Verify database access in the MDT simulation environment
 
-When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer.
-1.  On PC0001, log on as **CONTOSO\\MDT\_BA**.
-2.  Modify the C:\\MDT\\CustomSettings.ini file to look like the following:
+When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications aren't installed, but you can see which applications would be installed if you did a full deployment of the computer.
 
-    ``` 
+1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
+
+2. Modify the C:\\MDT\\CustomSettings.ini file to look like below:
+
+    ```ini
     [Settings]
     Priority=CSettings, CRoles, RApplications, Default
     [Default]
@@ -106,9 +114,9 @@ When the database is populated, you can use the MDT simulation environment to si
     Order=Sequence
     ```
 
-3.  Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
+3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
 
-    ``` powershell
+    ```powershell
     Set-Location C:\MDT
     .\Gather.ps1
 
@@ -118,14 +126,12 @@ When the database is populated, you can use the MDT simulation environment to si
 
 Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
 
-## Related topics
+## Related articles
 
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-<BR>[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-<BR>[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-<BR>[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-<BR>[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-<BR>[Use web services in MDT](use-web-services-in-mdt.md)
-<BR>[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- 
- 
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index ccf4df0e57..043e8f7ab8 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -1,32 +1,36 @@
 ---
 title: Build a distributed environment for Windows 10 deployment (Windows 10)
-description: In this topic, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
+description: In this article, you'll learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations.
 ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Build a distributed environment for Windows 10 deployment
 
-**Applies to**
--   Windows 10
+**Applies to:**
+
+- Windows 10
 
 Perform the steps in this article to build a distributed environment for Windows 10 deployment. A distributed environment for deployment is useful when you have a segmented network, for example one that is segmented geographically into two branch locations. If you work in a distributed environment, replicating the deployment shares is an important part of a deployment solution because images of 5 GB or more in size can present bandwidth issues when deployed over the wire. Replicating this content enables clients to do local deployments.
 
-Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation. 
+Four computers are used in this article: DC01, MDT01, MDT02, and PC0006. DC01 is a domain controller, MDT01 and MDT02 are domain member computers running Windows Server 2019, and PC0006 is a blank device where we'll deploy Windows 10. The second deployment server (MDT02) will be configured for a remote site (Stockholm) by replicating the deployment share on MDT01 at the original site (New York). All devices are members of the domain contoso.com for the fictitious Contoso Corporation.
 
-For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more information on the infrastructure setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
 ![figure 1.](../images/mdt-10-fig01.png)
 
-Computers used in this topic.
+Computers used in this article.
 
->HV01 is also used in this topic to host the PC0006 virtual machine.
+> [!NOTE]
+> HV01 is also used in this topic to host the PC0006 virtual machine.
 
 ## Replicate deployment shares
 
@@ -34,14 +38,14 @@ Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be do
 
 > [!NOTE]
 > Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.
- 
+
 ### Linked deployment shares in MDT
 
 LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option.
 
 ### Why DFS-R is a better option
 
-DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
+DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your main deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02.
 
 ## Set up Distributed File System Replication (DFS-R) for replication
 
@@ -53,9 +57,9 @@ On **MDT01**:
 
 1. Install the DFS Replication role on MDT01 by entering the following at an elevated Windows PowerShell prompt:
 
-```powershell
-Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
-```
+    ```powershell
+    Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+    ```
 
 2. Wait for installation to complete, and then verify that the installation was successful. See the following output:
 
@@ -73,9 +77,9 @@ On **MDT02**:
 
 1. Perform the same procedure on MDT02 by entering the following at an elevated Windows PowerShell prompt:
 
-```powershell
-Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
-```
+    ```powershell
+    Install-WindowsFeature -Name FS-DFS-Replication -IncludeManagementTools
+    ```
 
 2. Wait for installation to complete, and then verify that the installation was successful. See the following  output:
 
@@ -93,10 +97,10 @@ On **MDT02**:
 
 1. Create and share the **D:\\MDTProduction** folder using default permissions by entering the following at an elevated command prompt:
 
-  ```powershell
-  mkdir d:\MDTProduction
-  New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
-  ```
+    ```powershell
+    mkdir d:\MDTProduction
+    New-SmbShare -Name "MDTProduction$" -Path "D:\MDTProduction"
+    ```
   
 2. You should see the following output:
 
@@ -110,11 +114,11 @@ On **MDT02**:
 
 ### Configure the deployment share
 
-When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property.
+When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT that can be done by using the **DefaultGateway** property.
 
 On **MDT01**:
 
-1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. 
+1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the `Boostrap.ini` file as follows. Under `[DefaultGateway]` enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use.
 
    ```ini
    [Settings]
@@ -136,130 +140,167 @@ On **MDT01**:
    UserPassword=pass@word1
    SkipBDDWelcome=YES
    ```
-   >[!NOTE]
-   >The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
-     
-2. Save the Bootstrap.ini file.
+
+   > [!NOTE]
+   > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md).
+
+2. Save the `Bootstrap.ini` file.
+
 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. Use the default settings for the Update Deployment Share Wizard. This process will take a few minutes.
+
 4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
+
 5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
 
    ![figure 5.](../images/mdt-10-fig05.png)
 
    Replacing the updated boot image in WDS.
 
- >[!TIP]
- >If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
+ > [!TIP]
+ > If you modify bootstrap.ini again later, be sure to repeat the process of updating the deployment share in the Deployment Workbench and replacing the boot image in the WDS console.
 
-   ## Replicate the content
+## Replicate the content
 
-   Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication.
+Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication.
 
-   ### Create the replication group
+### Create the replication group
 
-6. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and click **New Replication Group**.
-7. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**.
-8. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
-9. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
+1. On MDT01, using DFS Management (dfsmgmt.msc), right-click **Replication**, and select **New Replication Group**.
+
+2. On the **Replication Group Type** page, select **Multipurpose replication group**, and select **Next**.
+
+3. On the **Name and Domain** page, assign the **MDTProduction** name, and select **Next**.
+
+4. On the **Replication Group Members** page, select **Add**, add **MDT01** and **MDT02**, and then select **Next**.
 
     ![figure 6.](../images/mdt-10-fig06.png)
 
     Adding the Replication Group Members.
 
-10. On the **Topology Selection** page, select the **Full mesh** option and click **Next**.
-11. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**.
-12. On the **Primary Member** page, select **MDT01** and click **Next**.
-13. On the **Folders to Replicate** page, click **Add**, enter **D:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**.
-14. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**.
-15. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**.
-16. On the **Review Settings and Create Replication Group** page, click **Create**.
-17. On the **Confirmation** page, click **Close**.
+5. On the **Topology Selection** page, select the **Full mesh** option and select **Next**.
 
-    ### Configure replicated folders
+6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and select **Next**.
+
+7. On the **Primary Member** page, select **MDT01** and select **Next**.
+
+8. On the **Folders to Replicate** page, select **Add**, enter **D:\\MDTProduction** as the folder to replicate, select **OK**, and then select **Next**.
+
+9. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and select **Edit**.
+
+10. On the **Edit** page, select the **Enabled** option, type in **D:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, select **OK**, and then select **Next**.
+
+11. On the **Review Settings and Create Replication Group** page, select **Create**.
+
+12. On the **Confirmation** page, select **Close**.
+
+### Configure replicated folders
+
+1. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
+
+2. In the middle pane, right-click the **MDT01** member and select **Properties**.
+
+3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then select **OK**:
+
+    1. In the **Staging** tab, set the quota to **20480 MB**.
+
+    2. In the **Advanced** tab, set the quota to **8192 MB**.
 
-18. On **MDT01**, using DFS Management, expand **Replication** and then select **MDTProduction**.
-19. In the middle pane, right-click the **MDT01** member and click **Properties**.
-20. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**:
-    1.  In the **Staging** tab, set the quota to **20480 MB**.
-    2.  In the **Advanced** tab, set the quota to **8192 MB**.
         In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Below is a Windows PowerShell example that calculates the size of the 16 largest files in the D:\\MDTProduction deployment share:
-        
-        ``` powershell
+
+        ```powershell
         (Get-ChildItem D:\MDTProduction -Recurse | Sort-Object Length -Descending | Select-Object -First 16 | Measure-Object -Property Length -Sum).Sum /1GB
         ```
 
-21. In the middle pane, right-click the **MDT02** member and select **Properties**.
-22. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**:
-    1.  In the **Staging** tab, set the quota to **20480 MB**.
-    2.  In the **Advanced** tab, set the quota to **8192 MB**.
+4. In the middle pane, right-click the **MDT02** member and select **Properties**.
+
+5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then select **OK**:
+    1. In the **Staging** tab, set the quota to **20480 MB**.
+
+    2. In the **Advanced** tab, set the quota to **8192 MB**.
 
     > [!NOTE]
     > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly.
 
-23. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
+6. Verify that MDT01 and MDT02 are members of the MDTProduction replication group, with MDT01 being primary as follows using an elevated command prompt:
 
-```cmd
-C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
-MemName  IsPrimary
-MDT01    Yes
-MDT02    No
-```
+    ```cmd
+    C:\> dfsradmin membership list /rgname:MDTProduction /attr:MemName,IsPrimary
+    MemName  IsPrimary
+    MDT01    Yes
+    MDT02    No
+    ```
 
 ### Verify replication
 
 On **MDT02**:
 
 1. Wait until you start to see content appear in the **D:\\MDTProduction** folder.
+
 2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**.
-3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and click **Next**.
-4. On the **Path and Name** page, accept the default settings and click **Next**.
-5. On the **Members to Include** page, accept the default settings and click **Next**.
-6. On the **Options** page, accept the default settings and click **Next**.
-7. On the **Review Settings and Create Report** page, click **Create**.
+
+3. In the Diagnostics Report Wizard, on the **Type of Diagnostics Report or Test** page, choose **Health report** and select **Next**.
+
+4. On the **Path and Name** page, accept the default settings and select **Next**.
+
+5. On the **Members to Include** page, accept the default settings and select **Next**.
+
+6. On the **Options** page, accept the default settings and select **Next**.
+
+7. On the **Review Settings and Create Report** page, select **Create**.
+
 8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
 
-![figure 9.](../images/mdt-10-fig09.png)
+    ![figure 9.](../images/mdt-10-fig09.png)
+    The DFS Replication Health Report.
 
-The DFS Replication Health Report.
-
->If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
+    > [!NOTE]
+    > If there are replication errors you can review the DFS event log in Event Viewer under **Applications and Services Logs**.
 
 ## Configure Windows Deployment Services (WDS) in a remote site
 
-Like you did in the previous topic for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
+Like you did in the previous article for MDT01, you need to add the MDT Production Lite Touch x64 Boot image to Windows Deployment Services on MDT02. For the following steps, we assume that WDS has already been installed on MDT02.
+
 1. On MDT02, using the WDS console, right-click **Boot Images** and select **Add Boot Image**.
+
 2. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
 
-## Deploy a Windows 10 client to the remote site
+## Deploy a Windows 10 client to the remote site
 
-Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure. 
+Now you should have a solution ready for deploying the Windows 10 client to the remote site: Stockholm, using the MDTProduction deployment share replica on MDT02. You can test this deployment with the following optional procedure.
 
->For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the Boostrap.ini file.
+> [!NOTE]
+> For demonstration purposes, the following procedure uses a virtual machine (PC0006) hosted by the Hyper-V server HV01. To use the remote site server (MDT02) the VM must be assigned a default gateway that matches the one you entered in the `Boostrap.ini` file.
 
-1.  Create a virtual machine with the following settings:
-    1. Name: PC0006
-    2. Location: C:\\VMs
-    3. Generation: 2
-    4. Memory: 2048 MB
-    5. Hard disk: 60 GB (dynamic disk)
+1. Create a virtual machine with the following settings:
+
+    1. **Name**: PC0006
+    2. **Location**: C:\\VMs
+    3. **Generation**: 2
+    4. **Memory**: 2048 MB
+    5. **Hard disk**: 60 GB (dynamic disk)
     6. Install an operating system from a network-based installation server
-2.  Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
-3.  After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
-    1.  Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image 
-    2.  Computer Name: PC0006
-    3.  Applications: Select the Install - Adobe Reader
-4.  Setup will now start and perform the following steps:
-    1.  Install the Windows 10 Enterprise operating system.
-    2.  Install applications.
-    3.  Update the operating system using your local Windows Server Update Services (WSUS) server.
+
+2. Start the PC0006 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from the WDS server.
+
+3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
+
+    1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+    2. Computer Name: PC0006
+    3. Applications: Select the Install - Adobe Reader
+
+4. Setup will now start and perform the following steps:
+
+    1. Install the Windows 10 Enterprise operating system.
+    2. Install applications.
+    3. Update the operating system using your local Windows Server Update Services (WSUS) server.
 
 ![pc0001.](../images/pc0006.png)
 
-## Related topics
+## Related articles
 
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
-[Configure MDT settings](configure-mdt-settings.md)
+- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+- [Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
index fe96dcd42b..eb84fdcd77 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md
@@ -2,36 +2,39 @@
 title: Configure MDT deployment share rules (Windows 10)
 description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Configure MDT deployment share rules
 
-In this topic, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
+In this article, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file.
 
-## <a href="" id="sec01"></a>Assign settings
+## Assign settings
 
 When using MDT, you can assign setting in three distinct ways:
--   You can pre-stage the information before deployment.
--   You can prompt the user or technician for information.
--   You can have MDT generate the settings automatically.
+
+- You can pre-stage the information before deployment.
+- You can prompt the user or technician for information.
+- You can have MDT generate the settings automatically.
 
 In order to illustrate these three options, let's look at some sample configurations.
 
-## <a href="" id="sec02"></a>Sample configurations
+## Sample configurations
 
 Before adding the more advanced components like scripts, databases, and web services, consider the commonly used configurations below; they demonstrate the power of the rules engine.
 
 ### Set computer name by MAC Address
 
-If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead.
+If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. When you have many machines, it makes sense to use the database instead.
 
-``` 
+```ini
 [Settings]
 Priority=MacAddress, Default
 [Default]
@@ -46,7 +49,7 @@ In the preceding sample, you set the PC00075 computer name for a machine with a
 
 Another way to assign a computer name is to identify the machine via its serial number.
 
-``` 
+```ini
 [Settings]
 Priority=SerialNumber, Default
 [Default]
@@ -61,7 +64,7 @@ In this sample, you set the PC00075 computer name for a machine with a serial nu
 
 You also can configure the rules engine to use a known property, like a serial number, to generate a computer name on the fly.
 
-``` 
+```ini
 [Settings]
 Priority=Default
 [Default]
@@ -70,15 +73,15 @@ OSDComputerName=PC-%SerialNumber%
 ```
 
 In this sample, you configure the rules to set the computer name to a prefix (PC-) and then the serial number. If the serial number of the machine is CND0370RJ7, the preceding configuration sets the computer name to PC-CND0370RJ7.
-**Note**  
 
-Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters.
- 
+> [!NOTE]
+> Be careful when using the serial number to assign computer names. A serial number can contain more than 15 characters, but the Windows setup limits a computer name to 15 characters.
+
 ### Generate a limited computer name based on a serial number
 
 To avoid assigning a computer name longer than 15 characters, you can configure the rules in more detail by adding VBScript functions, as follows:
 
-``` 
+```ini
 [Settings]
 Priority=Default
 [Default]
@@ -92,7 +95,7 @@ In the preceding sample, you still configure the rules to set the computer name
 
 In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read.
 
-``` 
+```ini
 [Settings]
 Priority=ByLaptopType, Default
 [Default]
@@ -103,18 +106,12 @@ Subsection=Laptop-%IsLaptop%
 MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com
 ```
 
-## Related topics
+## Related articles
 
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
index 821329ba18..19adc65b02 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md
@@ -1,24 +1,26 @@
 ---
 title: Configure MDT for UserExit scripts (Windows 10)
-description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
+description: In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Configure MDT for UserExit scripts
 
-In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address.
+In this article, you'll learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address.
 
 ## Configure the rules to call a UserExit script
 
 You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder).
 
-``` 
+```ini
 [Settings]
 Priority=Default
 [Default]
@@ -27,13 +29,13 @@ UserExit=Setname.vbs
 OSDComputerName=#SetName("%MACADDRESS%")#
 ```
 
-The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script
+The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample, the %MACADDRESS% variable is passed to the script
 
 ## The Setname.vbs UserExit script
 
 The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address.
 
-``` 
+```vb
 Function UserExit(sType, sWhen, sDetail, bSkip) 
   UserExit = Success 
 End Function 
@@ -46,23 +48,18 @@ Function SetName(sMac)
   SetName = "PC" & re.Replace(sMac, "")
 End Function
 ```
+
 The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value.
 
-**Note**  
-The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
- 
-## Related topics
+> [!NOTE]
+> The purpose of this sample isn't to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process.
 
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+## Related articles
 
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 8c0ba8179d..cfb17a3eee 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -3,39 +3,41 @@ title: Configure MDT settings (Windows 10)
 description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization.
 ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Configure MDT settings
 
-One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
+One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this article, you learn about configuring customizations for your environment.
+For the purposes of this article, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
 
 ![figure 1.](../images/mdt-09-fig01.png)
 
-The computers used in this topic.
+The computers used in this article.
 
 ## In this section
 
--   [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
--   [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
--   [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
--   [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
--   [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
--   [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
--   [Use web services in MDT](use-web-services-in-mdt.md)
--   [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
 
-## Related topics
+## Related articles
 
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 1f482f177d..b26c222f91 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -2,36 +2,40 @@
 title: Create a Windows 10 reference image (Windows 10)
 description: Creating a reference image is important because that image serves as the foundation for the devices in your organization.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Create a Windows 10 reference image
 
-**Applies to**
-- Windows 10
+**Applies to:**
 
-Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you 'll have a Windows 10 reference image that can be used in your deployment solution.
+- Windows 10
 
->[!NOTE]
->For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this article, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this article, you 'll have a Windows 10 reference image that can be used in your deployment solution.
+
+> [!NOTE]
+> For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+
+For the purposes of this article, we'll use three computers: DC01, MDT01, and HV01.
+
+- DC01 is a domain controller for the contoso.com domain.
+- MDT01 is a contoso.com domain member server.
+- HV01 is a Hyper-V server that will be used to build the reference image.
 
-For the purposes of this topic, we'll use three computers: DC01, MDT01, and HV01.
-   - DC01 is a domain controller for the contoso.com domain.
-   - MDT01 is a contoso.com domain member server.
-   - HV01 is a Hyper-V server that will be used to build the reference image.
- 
    ![devices.](../images/mdt-08-fig01.png)
-
-   Computers used in this topic.
+   Computers used in this article.
 
 ## The reference image
 
 The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are:
+
 - To reduce development time and can use snapshots to test different configurations quickly.
 - To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related.
 - To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process.
@@ -39,30 +43,36 @@ The reference image described in this guide is designed primarily for deployment
 
 ## Set up the MDT build lab deployment share
 
-With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
+With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process.
 
 ### Create the MDT build lab deployment share
 
 On **MDT01**:
 
-- Sign in as contoso\\administrator using a password of <b>pass@word1</b> (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic).
-- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access.
-- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
-- Use the following settings for the New Deployment Share Wizard:
-  - Deployment share path: **D:\\MDTBuildLab**
-  - Share name: **MDTBuildLab$**
-  - Deployment share description: **MDT Build Lab**
-- Accept the default selections on the Options page and click **Next**.
-- Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**.
-- Verify that you can access the <b>\\\\MDT01\\MDTBuildLab$</b> share.
+1. Sign in as **contoso\\administrator** using a password of **pass@word1** (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) article).
+
+2. Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access.
+
+3. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**.
+
+4. Use the following settings for the New Deployment Share Wizard:
+
+   - Deployment share path: **D:\\MDTBuildLab**
+   - Share name: **MDTBuildLab$**
+   - Deployment share description: **MDT Build Lab**
+
+5. Accept the default selections on the Options page and select **Next**.
+
+6. Review the Summary page, select **Next**, wait for the deployment share to be created, then select **Finish**.
+
+7. Verify that you can access the **\\\\MDT01\\MDTBuildLab$** share.
 
    ![figure 2.](../images/mdt-08-fig02.png)
-
    The Deployment Workbench with the MDT Build Lab deployment share.
 
 ### Enable monitoring
 
-To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, click **Properties**, click the **Monitoring** tab, and select **Enable monitoring for this deployment share**.  This step is optional.
+To monitor the task sequence as it happens, right-click the **MDT Build Lab** deployment share, select **Properties**, select the **Monitoring** tab, and select **Enable monitoring for this deployment share**. This step is optional.
 
 ### Configure permissions for the deployment share
 
@@ -70,66 +80,76 @@ In order to read files in the deployment share and write the reference image bac
 
 On **MDT01**:
 
-1.  Ensure you're signed in as **contoso\\administrator**.
-2.  Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
+1. Ensure you're signed in as **contoso\\administrator**.
 
-    ``` powershell
+2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt:
+
+    ```powershell
     icacls "D:\MDTBuildLab" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
     grant-smbshareaccess -Name MDTBuildLab$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
     ```
 
 ## Add setup files
 
-This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
+This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image.
 
-### Add the Windows 10 installation files
+### Add the Windows 10 installation files
 
-MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
+MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft.
 
->[!NOTE]
->Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
- 
-### Add Windows 10 Enterprise x64 (full source)
+> [!NOTE]
+> Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM.
+
+### Add Windows 10 Enterprise x64 (full source)
 
 On **MDT01**:
 
-1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
+1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
 
     ![ISO.](../images/iso-data.png)
 
 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
+
 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+
 4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+
     - Full set of source files
     - Source directory: (location of your source files)
-    - Destination directory name: <b>W10EX64RTM</b>
-5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
+    - Destination directory name: **W10EX64RTM**
+
+5. After adding the operating system, in the **Operating Systems** > **Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
 
     ![Default image.](../images/deployment-workbench01.png)
 
->Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
+> [!NOTE]
+> Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
 
 ## Add applications
 
-Before you create an MDT task sequence, you need to add any applications and scripts you wish to install to the MDT Build Lab share.
+Before you create an MDT task sequence, you need to add applications and scripts you wish to install to the MDT Build Lab share.
 
 On **MDT01**:
 
 First, create an MDT folder to store the Microsoft applications that will be installed:
 
 1. In the MDT Deployment Workbench, expand **Deployment Shares \\ MDT Build Lab \\ Applications**
-2. Right-click **Applications** and then click **New Folder**.
+
+2. Right-click **Applications** and then select **New Folder**.
+
 3. Under **Folder name**, type **Microsoft**.
-4. Click **Next** twice, and then click **Finish**.
 
-The steps in this section use a strict naming standard for your MDT applications. 
-- Use the "<b>Install - </b>" prefix for typical application installations that run a setup installer of some kind, 
-- Use the "<b>Configure - </b>" prefix when an application configures a setting in the operating system. 
-- You also add an "<b> - x86</b>", "<b> - x64</b>", or "<b>- x86-x64</b>" suffix to indicate the application's architecture (some applications have installers for both architectures).
- 
-Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. 
+4. Select **Next** twice, and then select **Finish**.
 
-By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. 
+The steps in this section use a strict naming standard for your MDT applications.
+
+- Use the **Install -** prefix for typical application installations that run a setup installer of some kind.
+- Use the **Configure -** prefix when an application configures a setting in the operating system.
+- You also add an **- x86**, **- x64**, or **- x86-x64** suffix to indicate the application's architecture (some applications have installers for both architectures).
+
+Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency.
+
+By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments.
 
 In example sections, you 'll add the following applications:
 
@@ -140,28 +160,31 @@ In example sections, you 'll add the following applications:
 >The 64-bit version of Microsoft Office 365 Pro Plus is recommended unless you need legacy app support. For more information, see [Choose between the 64-bit or 32-bit version of Office](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261)
 
 Download links:
+
 - [Office Deployment Tool](https://www.microsoft.com/download/details.aspx?id=49117)
 - [Microsoft Visual C++ Redistributable 2019 - x86](https://aka.ms/vs/16/release/VC_redist.x86.exe)
 - [Microsoft Visual C++ Redistributable 2019 - x64](https://aka.ms/vs/16/release/VC_redist.x64.exe)
 
-Download all three items in this list to the D:\\Downloads folder on MDT01. 
+Download all three items in this list to the D:\\Downloads folder on MDT01.
 
-**Note**: For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
+> [!NOTE]
+> For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder, and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads).
+
+> [!NOTE]
+> All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
 
->[!NOTE]
->All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
- 
 ### Create configuration file: Microsoft Office 365 Professional Plus x64
 
-1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**.  The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
+1. After downloading the most current version of the Office Deployment tool from the Microsoft Download Center using the link provided above, run the self-extracting executable file and extract the files to **D:\\Downloads\\Office365**. The Office Deployment Tool (setup.exe) and several sample configuration.xml files will be extracted.
+
 2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename.
 
     For example, you can use the following configuration.xml file, which provides these configuration settings:
-      - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. 
+      - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet.
         > [!NOTE]
-        > 64-bit is now the default and recommended edition. 
-      - Use the General Availability Channel and get updates directly from the Office CDN on the internet. 
-      - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages.
+        > 64-bit is now the default and recommended edition.
+      - Use the General Availability Channel and get updates directly from the Office CDN on the internet.
+      - Perform a silent installation. You won't see anything that shows the progress of the installation and you won't see any error messages.
 
      ```xml
      <Configuration>
@@ -175,43 +198,47 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
      </Configuration>
      ```
 
-     When you use these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
+     When you use these settings, anytime you build the reference image you'll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise.
 
- >[!TIP]
- >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
- 
- For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). 
+    > [!TIP]
+    > You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
+
+    For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool).
 
 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder:
 
     ![folder.](../images/office-folder.png)
 
-  Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet.
+Assuming you've named the file `configuration.xml` as shown above, we'll use the command **`setup.exe /configure configuration.xml`** when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet.
 
- >[!IMPORTANT]
- >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
+> [!IMPORTANT]
+> After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image.
 
 Additional information
-- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
 
-- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
- - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
+- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you're using). That means that once you've deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image.
+
+    > [!NOTE]
+    > With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user's device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won't have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.)
+
+- When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you'll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you'll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise.
 
 ### Connect to the deployment share using Windows PowerShell
 
-If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in and then make the deployment share a PowerShell drive (PSDrive).
+If you need to add many applications, you can take advantage of the PowerShell support that MDT has. To start using PowerShell against the deployment share, you must first load the MDT PowerShell snap-in, and then make the deployment share a PowerShell drive (PSDrive).
 
 On **MDT01**:
 
-1.  Ensure you're signed in as **contoso\\Administrator**.
-2.  Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
+1. Ensure you're signed in as **contoso\\Administrator**.
+2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt:
 
-    ``` powershell
+    ```powershell
     Import-Module "C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1"
     New-PSDrive -Name "DS001" -PSProvider MDTProvider -Root "D:\MDTBuildLab"
     ```
->[!TIP]
->Use "Get-Command -module MicrosoftDeploymentToolkit" to see a list of available cmdlets
+
+> [!TIP]
+> Use `Get-Command -module MicrosoftDeploymentToolkit` to see a list of available cmdlets
 
 ### Create the install: Microsoft Office 365 Pro Plus - x64
 
@@ -219,10 +246,11 @@ In these steps, we assume that you've downloaded the Office Deployment Tool. You
 
 On **MDT01**:
 
-1.  Ensure you're signed on as **contoso\\Administrator**.
-2.  Create the application by running the following commands in an elevated PowerShell prompt:
+1. Ensure you're signed on as **contoso\\Administrator**.
 
-    ``` powershell
+2. Create the application by running the following commands in an elevated PowerShell prompt:
+
+    ```powershell
     $ApplicationName = "Install - Office365 ProPlus - x64"
     $CommandLine = "setup.exe /configure configuration.xml"
     $ApplicationSourcePath = "D:\Downloads\Office365"
@@ -230,7 +258,8 @@ On **MDT01**:
     ```
 
     Upon successful installation, the following text is displayed:
-    ```
+
+    ```output
     VERBOSE: Performing the operation "import" on target "Application".
     VERBOSE: Beginning application import
     VERBOSE: Copying application source files from D:\Downloads\Office365 to D:\MDTBuildLab\Applications\Install -
@@ -245,17 +274,18 @@ On **MDT01**:
 
 ### Create the install: Microsoft Visual C++ Redistributable 2019 - x86
 
->[!NOTE]
->We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters.
+> [!NOTE]
+> We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters.
 
 In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads.
 
 On **MDT01**:
 
-1.  Ensure you're signed on as **contoso\\Administrator**.
-2.  Create the application by running the following commands in an elevated PowerShell prompt:
+1. Ensure you're signed on as **contoso\\Administrator**.
 
-    ``` powershell
+2. Create the application by running the following commands in an elevated PowerShell prompt:
+
+    ```powershell
     $ApplicationName = "Install - MSVC 2019 - x86"
     $CommandLine = "vc_redist.x86.exe /Q"
     $ApplicationSourcePath = "D:\Downloads"
@@ -263,7 +293,8 @@ On **MDT01**:
     ```
 
     Upon successful installation, the following text is displayed:
-    ```
+
+    ```output
     VERBOSE: Performing the operation "import" on target "Application".
     VERBOSE: Beginning application import
     VERBOSE: Copying application source files from D:\Downloads to D:\MDTBuildLab\Applications\Install - MSVC 2019 - x86
@@ -281,10 +312,11 @@ In these steps, we assume that you've downloaded Microsoft Visual C++ Redistribu
 
 On **MDT01**:
 
-1.  Ensure you're signed on as **contoso\\Administrator**.
-2.  Create the application by running the following commands in an elevated PowerShell prompt:
+1. Ensure you're signed on as **contoso\\Administrator**.
 
-    ``` powershell
+2. Create the application by running the following commands in an elevated PowerShell prompt:
+
+    ```powershell
     $ApplicationName = "Install - MSVC 2019 - x64"
     $CommandLine = "vc_redist.x64.exe /Q"
     $ApplicationSourcePath = "D:\Downloads"
@@ -293,114 +325,134 @@ On **MDT01**:
 
 ## Create the reference image task sequence
 
-In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image.
+In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image.
 After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying.
 
 ### Drivers and the reference image
 
-Because we use modern virtual platforms for creating our reference images, we don’t need to worry about drivers when creating reference images for Windows 10. We use Hyper-V in our environment, and Windows Preinstallation Environment (Windows PE) already has all the needed drivers built-in for Hyper-V.
+Because we use modern virtual platforms for creating our reference images, we don't need to worry about drivers when creating reference images for Windows 10. We use Hyper-V in our environment, and Windows Preinstallation Environment (Windows PE) already has all the needed drivers built-in for Hyper-V.
 
 ### Create a task sequence for Windows 10 Enterprise
 
-To create a Windows 10 reference image task sequence, the process is as follows:
+To create a Windows 10 reference image task sequence, the process is as follows:
 
 On **MDT01**:
 
 1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**.
+
 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-   1. Task sequence ID: REFW10X64-001
-   2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image
-   3. Task sequence comments: Reference Build
-   4. Template: Standard Client Task Sequence
-   5. Select OS: Windows 10 Enterprise x64 RTM Default Image
-   6. Specify Product Key: Don't specify a product key at this time
-   7. Full Name: Contoso
-   8. Organization: Contoso
-   9. Internet Explorer home page: http://www.contoso.com
-   10. Admin Password: Don't specify an Administrator Password at this time
 
-### Edit the Windows 10 task sequence
+   1. **Task sequence ID**: REFW10X64-001
+   2. **Task sequence name**: Windows 10 Enterprise x64 RTM Default Image
+   3. **Task sequence comments**: Reference Build
+   4. **Template**: Standard Client Task Sequence
+   5. **Select OS**: Windows 10 Enterprise x64 RTM Default Image
+   6. **Specify Product Key**: Don't specify a product key at this time
+   7. **Full Name**: Contoso
+   8. **Organization**: Contoso
+   9. **Internet Explorer home page**: `http://www.contoso.com`
+   10. **Admin Password**: Don't specify an Administrator Password at this time
 
-The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64.
+### Edit the Windows 10 task sequence
+
+The steps below walk you through the process of editing the Windows 10 reference image task sequence to include the actions required to update the reference image with the latest updates from WSUS, install roles and features, and utilities, and install Microsoft Office365 ProPlus x64.
 
 On **MDT01**:
 
-1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**.
-2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings:
-    1. **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box.
-         
-    2. **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action.
-    3. **State Restore**: After the **Tattoo** action, add a new **Group** action (click **Add** then click **New Group**) with the following setting:
-        -   Name: **Custom Tasks (Pre-Windows Update)**
-    4. **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**.
-        - **Note**: The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
-    5. **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings:
-        1. Name: Install - Microsoft NET Framework 3.5.1
-        2. Select the operating system for which roles are to be installed: Windows 10
-        3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
-        
-        >[!IMPORTANT]
-        >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
-         
+1. In the **Task Sequences / Windows 10** folder, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence, and select **Properties**.
+
+2. On the **Task Sequence** tab, configure the Windows 10 Enterprise x64 RTM Default Image task sequence with the following settings:
+    - **State Restore > Windows Update (Pre-Application Installation)** action: Enable this action by clicking the **Options** tab and clearing the **Disable this step** check box.
+
+    - **State Restore > Windows Update (Post-Application Installation)** action: Also enable this action.
+
+    - **State Restore**: After the **Tattoo** action, add a new **Group** action (select **Add** then select **New Group**) with the following setting:
+        - Name: **Custom Tasks (Pre-Windows Update)**
+
+    - **State Restore**: After **Windows Update (Post-Application Installation)** action, rename **Custom Tasks** to **Custom Tasks (Post-Windows Update)**.
+        > [!NOTE]
+        > The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating.
+
+    - **State Restore > Custom Tasks (Pre-Windows Update)**: Add a new **Install Roles and Features** action with the following settings:
+
+        - **Name**: Install - Microsoft NET Framework 3.5.1
+
+        - **Select the operating system for which roles are to be installed**: Windows 10
+
+        - **Select the roles and features that should be installed**: .NET Framework 3.5 (includes .NET 2.0 and 3.0)
+
+        > [!IMPORTANT]
+        > This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
+
         ![task sequence.](../images/fig8-cust-tasks.png)
 
         The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
 
-    6. **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
-        1. Name: Microsoft Visual C++ Redistributable 2019 - x86
-        2. Install a Single Application: browse to **Install - MSVC 2019 - x86**
-    7.  Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
-3. Click **OK**.
+    - **State Restore > Custom Tasks (Pre-Windows Update)**: After the **Install - Microsoft NET Framework 3.5.1** action, add a new **Install Application** action (selected from the **General** group) with the following settings:
 
- ![apps.](../images/mdt-apps.png) 
+        - **Name**: Microsoft Visual C++ Redistributable 2019 - x86
 
+        - **Install a Single Application**: browse to **Install - MSVC 2019 - x86**
+
+    - Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
+
+3. Select **OK**.
+
+ ![apps.](../images/mdt-apps.png)
 
 ### Optional configuration: Add a suspend action
 
-The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
+The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you select the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
 
    ![figure 8.](../images/fig8-suspend.png)
-
    A task sequence with optional Suspend action (LTISuspend.wsf) added.
 
    ![figure 9.](../images/fig9-resumetaskseq.png)
-
    The Windows 10 desktop with the Resume Task Sequence shortcut.
 
-### Edit the Unattend.xml file for Windows 10 Enterprise
+### Edit the Unattend.xml file for Windows 10 Enterprise
 
-When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK).
+When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK).
 
->[!WARNING]
->Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
+> [!WARNING]
+> Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used.
 
->[!NOTE]
->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing.
- 
-Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence:
+> [!NOTE]
+> You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing.
+
+Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence:
 
 On **MDT01**:
 
 1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
-2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
 
- > [!IMPORTANT]
- > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
- > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
- > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
- > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim). 
- > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
+2. In the **OS Info** tab, select **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
+
+    > [!IMPORTANT]
+    > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error **Could not load file or assembly** in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
+    >
+    > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
+    >
+    > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
+    >
+    > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
+    >
+    > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
 
 3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
+
 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
-  - DisableDevTools: true
+
+   - **DisableDevTools**: true
+
 5. Save the Unattend.xml file, and close Windows SIM.
+
      > [!NOTE]
      > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
-6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
+
+6. On the Windows 10 Enterprise x64 RTM Default Image Properties, select **OK**.
 
     ![figure 10.](../images/fig10-unattend.png)
-
     Windows System Image Manager with the Windows 10 Unattend.xml.
 
 ## Configure the MDT deployment share rules
@@ -409,16 +461,17 @@ Understanding rules is critical to successfully using MDT. Rules are configured
 
 ### MDT deployment share rules overview
 
-In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you click OK. 
+In MDT, there are always two rule files: the **CustomSettings.ini** file and the **Bootstrap.ini** file. You can add almost any rule to either. However, the Bootstrap.ini file is copied from the Control folder to the boot image, so the boot image needs to be updated every time you change that file. For this reason, add only a minimal set of rules to Bootstrap.ini, such as which deployment server and share to connect to - the DEPLOYROOT value. Put the other rules in CustomSettings.ini because that file is updated immediately when you select OK.
 
 To configure the rules for the MDT Build Lab deployment share:
 
 On **MDT01**:
 
-1.  Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**.
-2.  Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration:
+1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**.
 
-    ``` 
+2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration:
+
+    ```ini
     [Settings]
     Priority=Default
     
@@ -453,12 +506,11 @@ On **MDT01**:
     ```
 
     ![figure 11.](../images/mdt-rules.png)
-
     The server-side rules for the MDT Build Lab deployment share.
- 
-3.  Click **Edit Bootstrap.ini** and modify using the following information:
 
-    ``` 
+3. Select **Edit Bootstrap.ini** and modify using the following information:
+
+    ```ini
     [Settings]
     Priority=Default
     
@@ -471,32 +523,38 @@ On **MDT01**:
     SkipBDDWelcome=YES
     ```
 
-    >[!NOTE]
-    >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
-     
-4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
-5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
-   1.  Image description: MDT Build Lab x86
-   2.  ISO file name: MDT Build Lab x86.iso
-6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
-7. In the **Lite Touch Boot Image Settings** area, configure the following settings:
-   1.  Image description: MDT Build Lab x64
-   2.  ISO file name: MDT Build Lab x64.iso
-8. Click **OK**.
+    > [!NOTE]
+    > For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini.
+
+4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**.
+
+5. In the **Lite Touch Boot Image Settings** area, configure the following settings:
+
+   - **Image description**: MDT Build Lab x86
+   - **ISO file name**: MDT Build Lab x86.iso
+
+6. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+
+7. In the **Lite Touch Boot Image Settings** area, configure the following settings:
+
+   - **Image description**: MDT Build Lab x64
+   - **ISO file name**: MDT Build Lab x64.iso
+
+8. Select **OK**.
+
+> [!NOTE]
+> In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
 
->[!NOTE]
->In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface).
- 
 ### Update the deployment share
 
 After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created.
 
-1.  In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**.
-2.  Use the default options for the Update Deployment Share Wizard.
+1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**.
+2. Use the default options for the Update Deployment Share Wizard.
+
+> [!NOTE]
+> The update process will take 5 to 10 minutes.
 
->[!NOTE]
->The update process will take 5 to 10 minutes.
- 
 ### The rules explained
 
 Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files.
@@ -505,14 +563,14 @@ The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini
 
 The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media).
 
->[!NOTE]
->The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
- 
+> [!NOTE]
+> The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section.
+
 ### The Bootstrap.ini file
 
 The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the D:\\MDTBuildLab\\Control folder on MDT01.
 
-``` 
+```ini
 [Settings]
 Priority=Default
 [Default]
@@ -524,23 +582,26 @@ SkipBDDWelcome=YES
 ```
 
 So, what are these settings?
--   **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\].
--   **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
--   **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you.
 
-    >[!WARNING]
-    >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
-     
--   **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
+- **Priority**: This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\].
+
+- **DeployRoot**: This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location.
+
+- **UserDomain, UserID, and UserPassword**: These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you.
+
+    > [!WARNING]
+    > Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic.
+
+- **SkipBDDWelcome**: Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard.
+
+> [!NOTE]
+> All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
 
->[!NOTE]
->All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values.
- 
 ### The CustomSettings.ini file
 
 The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration.
 
-``` 
+```ini
 [Settings]
 Priority=Default
 [Default]
@@ -572,78 +633,114 @@ SkipRoles=YES
 SkipCapture=NO
 SkipFinalSummary=YES
 ```
-- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
-- **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment.
-- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image.
-- **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
-- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed.
-- **AdminPassword.** Sets the local Administrator account password.
-- **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
 
-    **Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
-     
-- **JoinWorkgroup.** Configures Windows to join a workgroup.
-- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
-- **FinishAction.** Instructs MDT what to do when the task sequence is complete.
-- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image.
-- **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
-- **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
-- **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
-- **SkipAdminPassword.** Skips the pane that asks for the Administrator password.
-- **SkipProductKey.** Skips the pane that asks for the product key.
-- **SkipComputerName.** Skips the Computer Name pane.
-- **SkipDomainMemberShip.** Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties.
-- **SkipUserData.** Skips the pane for user state migration.
-- **SkipLocaleSelection.** Skips the pane for selecting language and keyboard settings.
-- **SkipTimeZone.** Skips the pane for setting the time zone.
-- **SkipApplications.** Skips the Applications pane.
-- **SkipBitLocker.** Skips the BitLocker pane.
-- **SkipSummary.** Skips the initial Windows Deployment Wizard summary pane.
-- **SkipRoles.** Skips the Install Roles and Features pane.
-- **SkipCapture.** Skips the Capture pane.
-- **SkipFinalSummary.** Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to click OK before the machine shuts down.
+- **Priority**: Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file.
+
+- **\_SMSTSORGNAME**: The organization name displayed in the task sequence progress bar window during deployment.
+
+- **UserDataLocation**: Controls the settings for user state backup. You don't need to use when building and capturing a reference image.
+
+- **DoCapture**: Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed.
+
+- **OSInstall**: Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed.
+
+- **AdminPassword**: Sets the local Administrator account password.
+
+- **TimeZoneName**: Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003).
+
+    > [!NOTE]
+    > The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names.
+
+- **JoinWorkgroup**: Configures Windows to join a workgroup.
+
+- **HideShell**: Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles.
+
+- **FinishAction**: Instructs MDT what to do when the task sequence is complete.
+
+- **DoNotCreateExtraPartition**: Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image.
+
+- **WSUSServer**: Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied.
+
+- **SLSHARE**: Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed.
+
+- **ApplyGPOPack**: Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM).
+
+- **SkipAdminPassword**: Skips the pane that asks for the Administrator password.
+
+- **SkipProductKey**: Skips the pane that asks for the product key.
+
+- **SkipComputerName**: Skips the Computer Name pane.
+
+- **SkipDomainMemberShip**: Skips the Domain Membership pane. If set to Yes, you need to configure either the JoinWorkgroup value or the JoinDomain, DomainAdmin, DomainAdminDomain, and DomainAdminPassword properties.
+
+- **SkipUserData**: Skips the pane for user state migration.
+
+- **SkipLocaleSelection**: Skips the pane for selecting language and keyboard settings.
+
+- **SkipTimeZone**: Skips the pane for setting the time zone.
+
+- **SkipApplications**: Skips the Applications pane.
+
+- **SkipBitLocker**: Skips the BitLocker pane.
+
+- **SkipSummary**: Skips the initial Windows Deployment Wizard summary pane.
+
+- **SkipRoles**: Skips the Install Roles and Features pane.
+
+- **SkipCapture**: Skips the Capture pane.
+
+- **SkipFinalSummary**: Skips the final Windows Deployment Wizard summary. Because you use FinishAction=Shutdown, you don't want the wizard to stop in the end so that you need to select OK before the machine shuts down.
 
 ## Build the Windows 10 reference image
 
 As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements).
 
-Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. 
+Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process.
 
 The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image.
 
 1. Copy D:\\MDTBuildLab\\Boot\\MDT Build Lab x86.iso on MDT01 to C:\\ISO on your Hyper-V host (HV01).
 
-    **Note**: Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image.
+    > [!NOTE]
+    > Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image.
 
 On **HV01**:
-     
-2. Create a new virtual machine with the following settings:
+
+1. Create a new virtual machine with the following settings:
+
    1. Name: REFW10X64-001
    2. Store the virtual machine in a different location: C:\VM
    3. Generation 1
    4. Memory: 1024 MB
    5. Network: Must be able to connect to \\MDT01\MDTBuildLab$
-   7. Hard disk: 60 GB (dynamic disk)
-   8. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso
-1. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
+   6. Hard disk: 60 GB (dynamic disk)
+   7. Install OS with image file: C:\\ISO\\MDT Build Lab x86.iso
 
-    **Note**: Checkpoints are useful if you need to restart the process and want to make sure you can start clean.
-     
-4. Start the REFW10X64-001 virtual machine and connect to it.
+2. Before you start the VM, add a checkpoint for REFW10X64-001, and name it **Clean with MDT Build Lab x86 ISO**.
 
-    **Note**: Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers.  You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
+    > [!NOTE]
+    > Checkpoints are useful if you need to restart the process and want to make sure you can start clean.
+
+3. Start the REFW10X64-001 virtual machine and connect to it.
+
+    > [!NOTE]
+    > Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11.
 
     After booting into Windows PE, complete the Windows Deployment Wizard with the following settings:
-    1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image
-    2. Specify whether to capture an image: Capture an image of this reference computer
-       -   Location: \\\\MDT01\\MDTBuildLab$\\Captures
-    3. File name: REFW10X64-001.wim
+
+    - **Select a task sequence to execute on this computer**: Windows 10 Enterprise x64 RTM Default Image
+
+    - **Specify whether to capture an image**: Capture an image of this reference computer
+
+       - Location: \\\\MDT01\\MDTBuildLab$\\Captures
+
+    - **File name**: REFW10X64-001.wim
 
         ![capture image.](../images/captureimage.png)
-
         The Windows Deployment Wizard for the Windows 10 reference image.
 
-5. The setup now starts and does the following steps:
+4. The setup now starts and does the following steps:
+
     1. Installs the Windows 10 Enterprise operating system.
     2. Installs the added applications, roles, and features.
     3. Updates the operating system via your local Windows Server Update Services (WSUS) server.
@@ -652,28 +749,28 @@ On **HV01**:
     6. Captures the installation to a Windows Imaging (WIM) file.
     7. Turns off the virtual machine.
 
-After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
+After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
 
    ![image.](../images/image-captured.png)
 
 ## Troubleshooting
 
 > [!IMPORTANT]
-> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7). This 
+> If you encounter errors applying the image when using a BIOS firmware type, see [Windows 10 deployments fail with Microsoft Deployment Toolkit on computers with BIOS type firmware](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7).
 
 If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
 
    ![monitoring.](../images/mdt-monitoring.png)
 
-If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log.  From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
+If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
 
-After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
+After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
 
-## Related topics
+## Related articles
 
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
-[Configure MDT settings](configure-mdt-settings.md)
+- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+- [Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 90deeb5238..f92a6f30dc 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -1,45 +1,50 @@
 ---
 title: Deploy a Windows 10 image using MDT (Windows 10)
-description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
+description: This article will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.collection: 
+  - highpri
+ms.date: 11/28/2022
 ---
 
 # Deploy a Windows 10 image using MDT
 
-**Applies to**
--   Windows 10
+**Applies to:**
 
-This topic will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). 
+- Windows 10
+
+This article will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT).
 
 We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules.
 
-For the purposes of this topic, we'll use four computers: DC01, MDT01, HV01 and PC0005. 
+For the purposes of this article, we'll use four computers: DC01, MDT01, HV01 and PC0005.
 
-- DC01 is a domain controller 
-- MDT01 is a domain member server 
-- HV01 is a Hyper-V server 
-- PC0005 is a blank device to which we'll deploy Windows 10
+- DC01 is a domain controller
+- MDT01 is a domain member server
+- HV01 is a Hyper-V server
+- PC0005 is a blank device to which we'll deploy Windows 10
 
-MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.  HV01 used to test deployment of PC0005 in a virtual environment.
+MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment.
 
    ![devices.](../images/mdt-07-fig01.png)
 
->[!NOTE]
->For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+> [!NOTE]
+> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
 ## Step 1: Configure Active Directory permissions
 
-These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've  The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
+These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've  The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory.
 
 On **DC01**:
 
-1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**.  This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
 
 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
 
@@ -81,14 +86,17 @@ On **MDT01**:
 The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image:
 
 1. Ensure you're signed on as: contoso\administrator.
+
 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
 
-4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**.
 
-5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
+4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**.
+
+5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**.
+
+6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**.
 
-6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
 
 ### Configure permissions for the production deployment share
@@ -97,37 +105,39 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio
 
 On **MDT01**:
 
-1.  Ensure you're signed in as **contoso\\administrator**.
-2.  Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
+1. Ensure you're signed in as **contoso\\administrator**.
 
-    ``` powershell
-    icacls "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
+2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt:
+
+    ```powershell
+    icacls.exe "D:\MDTProduction" /grant '"CONTOSO\MDT_BA":(OI)(CI)(M)'
     grant-smbshareaccess -Name MDTProduction$ -AccountName "Contoso\MDT_BA" -AccessRight Full -force
     ```
 
 ## Step 3: Add a custom image
 
-The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components.
+The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components.
 
-### Add the Windows 10 Enterprise x64 RTM custom image
+### Add the Windows 10 Enterprise x64 RTM custom image
 
-In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
+In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) article, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01.
 
-1.  Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
-2.  Right-click the **Windows 10** folder and select **Import Operating System**.
+1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
 
-3.  On the **OS Type** page, select **Custom image file** and click **Next**.
+2. Right-click the **Windows 10** folder and select **Import Operating System**.
 
-4.  On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
+3. On the **OS Type** page, select **Custom image file** and select **Next**.
 
-5.  On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
+4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and select **Next**.
 
-6.  On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
-7.  After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
+5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and select **Next**.
 
->[!NOTE]
->The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
- 
+6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, select **Next** twice, and then select **Finish**.
+
+7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
+
+> [!NOTE]
+> The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
 
 ![imported OS.](../images/fig2-importedos.png)
 
@@ -139,40 +149,43 @@ When you configure your MDT Build Lab deployment share, you can also add applica
 
 On **MDT01**:
 
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
-2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200320282_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+
+2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2200320282_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+
 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
+
 4. Right-click the **Applications** node, and create a new folder named **Adobe**.
 
 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
 
-6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
+6. On the **Application Type** page, select the **Application with source files** option and select **Next**.
 
-7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
+7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and select *Next**.
 
-8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
+8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and select **Next**.
 
-9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
+9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and select **Next**.
 
-10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
+10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, select **Next** twice, and then select **Finish**.
 
     ![acroread image.](../images/acroread.png)
-
     The Adobe Reader application added to the Deployment Workbench.
 
 ## Step 5: Prepare the drivers repository
 
-In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
--   Lenovo ThinkPad T420
--   Dell Latitude 7390
--   HP EliteBook 8560w
--   Microsoft Surface Pro
+In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples:
+
+- Lenovo ThinkPad T420
+- Dell Latitude 7390
+- HP EliteBook 8560w
+- Microsoft Surface Pro
 
 For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
 
->[!NOTE]
->You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.
- 
+> [!NOTE]
+> You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time.
+
 ### Create the driver source structure in the file system
 
 The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use.
@@ -182,41 +195,50 @@ On **MDT01**:
 > [!IMPORTANT]
 > In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system.
 
-1.  Using File Explorer, create the **D:\\drivers** folder.
-2.  In the **D:\\drivers** folder, create the following folder structure:
-    1.  WinPE x86
-    2.  WinPE x64
-    3.  Windows 10 x64
-3.  In the new Windows 10 x64 folder, create the following folder structure:
-    -   Dell Inc.
-        -   Latitude E7450
-    -   Hewlett-Packard
-        -   HP EliteBook 8560w
-    -   Lenovo
-        -   ThinkStation P500 (30A6003TUS)
-    -   Microsoft Corporation
-        -   Surface Laptop
+1. Using File Explorer, create the **D:\\drivers** folder.
+
+2. In the **D:\\drivers** folder, create the following folder structure:
+
+    1. WinPE x86
+    2. WinPE x64
+    3. Windows 10 x64
+
+3. In the new Windows 10 x64 folder, create the following folder structure:
+
+   - Dell Inc.
+     - Latitude E7450
+   - Hewlett-Packard
+     - HP EliteBook 8560w
+   - Lenovo
+     - ThinkStation P500 (30A6003TUS)
+   - Microsoft Corporation
+     - Surface Laptop
 
 > [!NOTE]
 > Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.
- 
+
 ### Create the logical driver structure in MDT
 
 When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench.
-1.  On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node.
-2.  In the **Out-Of-Box Drivers** node, create the following folder structure:
-    1.  WinPE x86
-    2.  WinPE x64
-    3.  Windows 10 x64
-3.  In the **Windows 10 x64** folder, create the following folder structure:
-    -   Dell Inc.
-        -   Latitude E7450
-    -   Hewlett-Packard
-        -   HP EliteBook 8560w
-    -   Lenovo
-        -   30A6003TUS
-    -   Microsoft Corporation
-        -   Surface Laptop
+
+1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node.
+
+2. In the **Out-Of-Box Drivers** node, create the following folder structure:
+
+    1. WinPE x86
+    2. WinPE x64
+    3. Windows 10 x64
+
+3. In the **Windows 10 x64** folder, create the following folder structure:
+
+   - Dell Inc.
+     - Latitude E7450
+   - Hewlett-Packard
+     - HP EliteBook 8560w
+   - Lenovo
+     - 30A6003TUS
+   - Microsoft Corporation
+     - Surface Laptop
 
 The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
 
@@ -226,36 +248,40 @@ Get-WmiObject -Class:Win32_ComputerSystem
 
 Or, you can use this command in a normal command prompt:
 
-```console
-wmic csproduct get name
+```cmd
+wmic.exe csproduct get name
 ```
 
 If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation).
 
 ![drivers.](../images/fig4-oob-drivers.png)
-
 The Out-of-Box Drivers structure in the Deployment Workbench.
 
 ### Create the selection profiles for boot image drivers
 
 By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
-The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can’t locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
+
+The drivers that are used for the boot images (Windows PE) are Windows 10 drivers. If you can't locate Windows 10 drivers for your device, a Windows 7 or Windows 8.1 driver will most likely work, but Windows 10 drivers should be your first choice.
 
 On **MDT01**:
 
-1.  In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
-2.  In the New Selection Profile Wizard, create a selection profile with the following settings:
-    1.  Selection Profile name: WinPE x86
-    2.  Folders: Select the WinPE x86 folder in Out-of-Box Drivers.
-    3. Click **Next**, **Next** and **Finish**.
-3.  Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
-4.  In the New Selection Profile Wizard, create a selection profile with the following settings:
-    1.  Selection Profile name: WinPE x64
-    2.  Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
-    3.  Click **Next**, **Next** and **Finish**.
+1. In the Deployment Workbench, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**.
+
+2. In the **New Selection Profile Wizard**, create a selection profile with the following settings:
+
+    - **Selection Profile name**: WinPE x86
+    - **Folders**: Select the WinPE x86 folder in Out-of-Box Drivers.
+    - Select **Next**, **Next** and **Finish**.
+
+3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**.
+
+4. In the New Selection Profile Wizard, create a selection profile with the following settings:
+
+    - **Selection Profile name**: WinPE x64
+    - **Folders**: Select the WinPE x64 folder in Out-of-Box Drivers.
+    - Select **Next**, **Next** and **Finish**.
 
     ![figure 5.](../images/fig5-selectprofile.png)
-
     Creating the WinPE x64 selection profile.
 
 ### Extract and import drivers for the x64 boot image
@@ -265,11 +291,17 @@ Windows PE supports all the hardware models that we have, but here you learn to
 On **MDT01**:
 
 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)).
-2.  Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
-    a. **Note**: Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates. 
-3.  Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-4.  Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
-5.  In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**.
+
+2. Extract PROWinx64.exe to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder.
+
+    > [!NOTE]
+    > Extracting the .exe file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the .exe terminates.
+
+3. Using File Explorer, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+
+4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder.
+
+5. In the Deployment Workbench, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, and select **Import Drivers**, and use the following Driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**.
 
 ### Download, extract, and import drivers
 
@@ -277,8 +309,7 @@ On **MDT01**:
 
 For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
 
-> [!div class="mx-imgBorder"]
-> ![ThinkStation image.](../images/thinkstation.png)
+![ThinkStation image.](../images/thinkstation.png)
 
 To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
 
@@ -288,7 +319,7 @@ On **MDT01**:
 
 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
 
-2.  Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
+2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
 
     **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
 
@@ -304,9 +335,9 @@ On **MDT01**:
 
 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node.
 
-2.  Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
 
-    **D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450**
+    **`D:\Drivers\Windows 10 x64\Dell Inc.\Latitude E7450`**
 
 ### For the HP EliteBook 8560w
 
@@ -316,11 +347,11 @@ In these steps, we assume you've downloaded and extracted the drivers for the HP
 
 On **MDT01**:
 
-1.  In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
+1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
 
-2.  Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
+2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
 
-    **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
+    **`D:\Drivers\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w`**
 
 ### For the Microsoft Surface Laptop
 
@@ -328,11 +359,11 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we
 
 On **MDT01**:
 
-1.  In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
+1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
 
-2.  Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: 
+2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers:
 
-    **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+    **`D:\Drivers\Windows 10 x64\Microsoft\Surface Laptop`**
 
 ## Step 6: Create the deployment task sequence
 
@@ -345,6 +376,7 @@ On **MDT01**:
 1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
 
 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+
    - Task sequence ID: W10-X64-001
    - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
    - Task sequence comments: Production Image
@@ -362,26 +394,27 @@ On **MDT01**:
 
 2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
 
-   1.  Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
-       1.  Name: Set DriverGroup001
-       2.  Task Sequence Variable: DriverGroup001
-       3.  Value: Windows 10 x64\\%Make%\\%Model%
+   1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
 
-   2.  Configure the **Inject Drivers** action with the following settings:
-       - Choose a selection profile: Nothing
-       - Install all drivers from the selection profile
+      - **Name**: Set DriverGroup001
+      - **Task Sequence Variable**: DriverGroup001
+      - **Value**: Windows 10 x64\\%Make%\\%Model%
 
-       > [!NOTE]
-       > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
-             
-   3.  State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
+   2. Configure the **Inject Drivers** action with the following settings:
 
-   4.  State Restore. Enable the **Windows Update (Post-Application Installation)** action.
+      - **Choose a selection profile**: Nothing
+      - Install all drivers from the selection profile
 
-3. Click **OK**.
+        > [!NOTE]
+        > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
+
+   3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
+
+   4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
+
+3. Select **OK**.
 
    ![drivergroup.](../images/fig6-taskseq.png)
-
    The task sequence for production deployment.
 
 ## Step 7: Configure the MDT production deployment share
@@ -396,9 +429,10 @@ In this section, you'll learn how to configure the MDT Build Lab deployment shar
 On **MDT01**:
 
 1. Right-click the **MDT Production** deployment share and select **Properties**.
+
 2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
 
-   ``` 
+   ```ini
    [Settings]
    Priority=Default 
  
@@ -435,9 +469,9 @@ On **MDT01**:
    SkipFinalSummary=NO
    ```
 
-3. Click **Edit Bootstrap.ini** and modify using the following information:
+3. Select **Edit Bootstrap.ini** and modify using the following information:
 
-   ``` 
+   ```ini
    [Settings]
    Priority=Default
 
@@ -457,11 +491,11 @@ On **MDT01**:
 
    - Image description: MDT Production x86
    - ISO file name: MDT Production x86.iso
-        
+
    > [!NOTE]
-   > 
+   >
    > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests.
-         
+
 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
 
 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
@@ -477,11 +511,11 @@ On **MDT01**:
 
 10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
 
-11. Click **OK**.
+11. Select **OK**.
+
+    > [!NOTE]
+    > It will take a while for the Deployment Workbench to create the monitoring database and web service.
 
-    >[!NOTE]
-    >It will take a while for the Deployment Workbench to create the monitoring database and web service.
- 
     ![figure 8.](../images/mdt-07-fig08.png)
 
     The Windows PE tab for the x64 boot image.
@@ -490,13 +524,13 @@ On **MDT01**:
 
 The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
 
-You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address.  In this example, we're skipping the welcome screen and providing credentials.
+You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials.
 
 ### The Bootstrap.ini file
 
 This file is the MDT Production Bootstrap.ini:
 
-``` 
+```ini
 [Settings]
 Priority=Default
 
@@ -512,7 +546,7 @@ SkipBDDWelcome=YES
 
 This file is the CustomSettings.ini file with the new join domain information:
 
-``` 
+```ini
 [Settings]
 Priority=Default
 
@@ -551,14 +585,15 @@ EventService=http://MDT01:9800
 ```
 
 Some properties to use in the MDT Production rules file are as follows:
--   **JoinDomain.** The domain to join.
--   **DomainAdmin.** The account to use when joining the machine to the domain.
--   **DomainAdminDomain.** The domain for the join domain account.
--   **DomainAdminPassword.** The password for the join domain account.
--   **MachineObjectOU.** The organizational unit (OU) to which to add the computer account.
--   **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command.
--   **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore).
--   **EventService.** Activates logging information to the MDT monitoring web service.
+
+- **JoinDomain.** The domain to join.
+- **DomainAdmin.** The account to use when joining the machine to the domain.
+- **DomainAdminDomain.** The domain for the join domain account.
+- **DomainAdminPassword.** The password for the join domain account.
+- **MachineObjectOU.** The organizational unit (OU) to which to add the computer account.
+- **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command.
+- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore).
+- **EventService.** Activates logging information to the MDT monitoring web service.
 
 > [!NOTE]
 > For more information about localization support, see the following articles:
@@ -574,7 +609,6 @@ If your organization has a Microsoft Software Assurance agreement, you also can
 
 If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps:
 
-
 > [!NOTE]
 > DaRT 10 is part of [MDOP 2015](/microsoft-desktop-optimization-pack/#how-to-get-mdop).
 >
@@ -588,34 +622,33 @@ On **MDT01**:
 
    ![DaRT image.](../images/dart.png)
 
-2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
+3. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
 
-3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
+4. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
 
-4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+5. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
 
-5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
+6. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
 
    ![DaRT selection.](../images/mdt-07-fig09.png)
-
    Selecting the DaRT 10 feature in the deployment share.
 
-8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+7. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 
-9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
+8. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
 
-10. Click **OK**.
+9. Select **OK**.
 
 ### Update the deployment share
 
 Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created.
 
-1.  Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
+1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
 
-2.  Use the default options for the Update Deployment Share Wizard.
+2. Use the default options for the Update Deployment Share Wizard.
 
->[!NOTE]
->The update process will take 5 to 10 minutes.
+> [!NOTE]
+> The update process will take 5 to 10 minutes.
 
 ## Step 8: Deploy the Windows 10 client image
 
@@ -634,12 +667,11 @@ On **MDT01**:
 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
 
    ![figure 9.](../images/mdt-07-fig10.png)
-
    The boot image added to the WDS console.
 
-### Deploy the Windows 10 client
+### Deploy the Windows 10 client
 
-At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine:
+At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine:
 
 On **HV01**:
 
@@ -653,19 +685,18 @@ On **HV01**:
    - Hard disk: 60 GB (dynamic disk)
    - Installation Options: Install an operating system from a network-based installation server
 
-2.  Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
+2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
 
     ![figure 10.](../images/mdt-07-fig11.png)
-
     The initial PXE boot process of PC0005.
 
-3.  After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
+3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
 
     - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
     - Computer Name: **PC0005**
     - Applications: Select the **Install - Adobe Reader** checkbox.
 
-4.  Setup now begins and does the following steps:
+4. Setup now begins and does the following steps:
 
     - Installs the Windows 10 Enterprise operating system.
     - Installs the added application.
@@ -685,14 +716,13 @@ Since you've enabled the monitoring on the MDT Production deployment share, you
 
 On **MDT01**:
 
-1.  In the Deployment Workbench, expand the **MDT Production** deployment share folder.
+1. In the Deployment Workbench, expand the **MDT Production** deployment share folder.
 
-2.  Select the **Monitoring** node, and wait until you see PC0005.
+2. Select the **Monitoring** node, and wait until you see PC0005.
 
-3.  Double-click PC0005, and review the information.
+3. Double-click PC0005, and review the information.
 
     ![figure 11.](../images/mdt-07-fig13.png)
-
     The Monitoring node, showing the deployment progress of PC0005.
 
 ### Use information in the Event Viewer
@@ -700,7 +730,6 @@ On **MDT01**:
 When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log.
 
 ![figure 12.](../images/mdt-07-fig14.png)
-
 The Event Viewer showing a successful deployment of PC0005.
 
 ## Multicast deployments
@@ -717,18 +746,20 @@ Setting up MDT for multicast is straightforward. You enable multicast on the dep
 
 On **MDT01**:
 
-1.  In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**.
-2.  On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and click **OK**.
-3.  Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
-4.  After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
+1. In the Deployment Workbench, right-click the **MDT Production** deployment share folder and select **Properties**.
+
+2. On the **General** tab, select the **Enable multicast for this deployment share (requires Windows Server 2008 R2 Windows Deployment Services)** check box, and select **OK**.
+
+3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
+
+4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
 
     ![figure 13.](../images/mdt-07-fig15.png)
-
     The newly created multicast namespace.
 
-## Use offline media to deploy Windows 10
+## Use offline media to deploy Windows 10
 
-In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
+In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment.
 
 Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire.
 
@@ -738,19 +769,19 @@ To filter what is being added to the media, you create a selection profile. When
 
 On **MDT01**:
 
-1.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
+1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
 
-2.  Use the following settings for the New Selection Profile Wizard:
+2. Use the following settings for the New Selection Profile Wizard:
 
-    - General Settings
-      -   Selection profile name: Windows 10 Offline Media
+   - General Settings
+     - **Selection profile name**: Windows 10 Offline Media
 
-    - Folders
-      - Applications / Adobe
-      - Operating Systems / Windows 10
-      - Out-Of-Box Drivers / WinPE x64
-      - Out-Of-Box Drivers / Windows 10 x64
-      - Task Sequences / Windows 10
+   - Folders
+     - Applications / Adobe
+     - Operating Systems / Windows 10
+     - Out-Of-Box Drivers / WinPE x64
+     - Out-Of-Box Drivers / Windows 10 x64
+     - Task Sequences / Windows 10
 
       ![offline media.](../images/mdt-offline-media.png)
 
@@ -758,17 +789,18 @@ On **MDT01**:
 
 In these steps, you generate offline media from the MDT Production deployment share. To filter what is being added to the media, you use the previously created selection profile.
 
-1.  On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder.
+1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder.
 
-     >[!NOTE]
-     >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media.
-     
-2.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
+     > [!NOTE]
+     > When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media.
 
-3.  Use the following settings for the New Media Wizard:
-    -   General Settings
-        - Media path: **D:\\MDTOfflineMedia**
-        - Selection profile: **Windows 10 Offline Media**
+2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
+
+3. Use the following settings for the New Media Wizard:
+
+   - General Settings
+     - Media path: **D:\\MDTOfflineMedia**
+     - Selection profile: **Windows 10 Offline Media**
 
 ### Configure the offline media
 
@@ -776,24 +808,25 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi
 
 On **MDT01**:
 
-1.  Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
+1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
 
-2.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
+2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
 
-3.  In the **General** tab, configure the following:
+3. In the **General** tab, configure the following:
     - Clear the Generate x86 boot image check box.
     - ISO file name: Windows 10 Offline Media.iso
 
-4.  On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 
-5.  On the **General** sub tab, configure the following settings:
-    - In the **Lite Touch Boot Image Settings** area:
-      -  Image description: MDT Production x64
-    - In the **Windows PE Customizations** area, set the Scratch space size to 128.
+5. On the **General** sub tab, configure the following settings:
 
-6.  On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+   - In the **Lite Touch Boot Image Settings** area:
+     - **Image description**: MDT Production x64
+   - In the **Windows PE Customizations** area, set the Scratch space size to 128.
 
-7.  Click **OK**.
+6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+
+7. Select **OK**.
 
 ### Generate the offline media
 
@@ -801,30 +834,36 @@ You've now configured the offline media deployment share, however the share hasn
 
 On **MDT01**:
 
-1.  In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
+1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
 
-2.  Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
+2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
 
 ### Create a bootable USB stick
 
 The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
 
->[!TIP] 
->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
+> [!TIP]
+> In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
+>
+> **`Dism.exe /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.`**
+>
+> Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
+>
+> To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
 
 Follow these steps to create a bootable USB stick from the offline media content:
 
-1.  On a physical machine running Windows 7 or later, insert the USB stick you want to use.
+1. On a physical machine running Windows 7 or later, insert the USB stick you want to use.
 
-2.  Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
+2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
 
-3.  Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
+3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
 
-4.  In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
+4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
 
-5.  In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
+5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
 
-6.  In the Diskpart utility, type **active**, and then type **exit**.
+6. In the Diskpart utility, type **active**, and then type **exit**.
 
 ## Unified Extensible Firmware Interface (UEFI)-based deployments
 
@@ -834,11 +873,11 @@ As referenced in [Windows 10 deployment scenarios and tools](../windows-deployme
 
 The partitions when deploying an UEFI-based machine.
 
-## Related topics
+## Related articles
 
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
-[Configure MDT settings](configure-mdt-settings.md)<br>
+- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+- [Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index 9667f4a047..73c2d4b629 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -1,29 +1,34 @@
 ---
 title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10)
-description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
+description: This article will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.collection: 
+  - highpri
+ms.date: 11/28/2022
 ---
 
 # Get started with MDT
 
-**Applies to**
-- Windows 10
+**Applies to:**
+
+- Windows 10
 
 This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
 ## About MDT
 
-MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution.  MDT is one of the most important tools available to IT professionals today.
+MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
 
 In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
 
-MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/).
+MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Configuration Manager](/configmgr/).
 
 > [!IMPORTANT]
 > For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-).
@@ -33,49 +38,68 @@ MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Wi
 MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment.
 
 MDT has many useful features, such as:
-- **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10.
-- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
-- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry.
-- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
-- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI.
-- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
+
+- **Windows Client support**: Supports Windows 7, Windows 8.1, and Windows 10.
+
+- **Windows Server support**: Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
+
+- **Additional operating systems support**: Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry.
+
+- **UEFI support**: Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1.
+
+- **GPT support**: Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI.
+
+- **Enhanced Windows PowerShell support**: Provides support for running PowerShell scripts.
 
     ![figure 2.](../images/mdt-05-fig02.png)
-
     The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
 
-- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
-- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
-- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
-- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
-- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard.
-- **Monitoring.** Allows you to see the status of currently running deployments.
-- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
-- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
-- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
-- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
+- **Add local administrator accounts**: Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard.
+
+- **Automated participation in CEIP and WER**: Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER).
+
+- **Deploy Windows RE**: Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence.
+
+- **Deploy to VHD**: Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file.
+
+- **Improved deployment wizard**: Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard.
+
+- **Monitoring**: Allows you to see the status of currently running deployments.
+
+- **Apply GPO Pack**: Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM).
+
+- **Partitioning routines**: Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure.
+
+- **Offline BitLocker**: Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
+
+- **USMT offline user-state migration**: Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
 
     ![figure 3.](../images/mdt-05-fig03.png)
-
     The offline USMT backup in action.
 
-- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
-- **Microsoft System Center Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence.
-- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image.
-- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office.
-- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
-- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
-- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
+- **Install or uninstall Windows roles or features**: Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features.
+
+- **Microsoft System Center Orchestrator integration**: Provides the capability to use Orchestrator runbooks as part of the task sequence.
+
+- **Support for DaRT**: Supports optional integration of the DaRT components into the boot image.
+
+- **Support for Microsoft Office**: Provides added support for deploying Microsoft Office.
+
+- **Support for Modern UI app package provisioning**: Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
+
+- **Extensibility**: Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
+
+- **Upgrade task sequence**: Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
 
 ## MDT Lite Touch components
 
-Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk.
+Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk.
 
-When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click **View Script**. You're provided the PowerShell command.
+When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, select **View Script**. You're provided the PowerShell command.
 
 ![figure 4.](../images/mdt-05-fig04.png)
 
-If you click **View Script** on the right side, you'll get the PowerShell code that was used to perform the task.
+If you select **View Script** on the right side, you'll get the PowerShell code that was used to perform the task.
 
 ## Deployment shares
 
@@ -84,6 +108,7 @@ A deployment share is essentially a folder on the server that is shared and cont
 ## Rules
 
 The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
+
 - Computer name
 - Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
 - Whether to enable BitLocker
@@ -91,17 +116,15 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r
 You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/).
 
 ![figure 5.](../images/mdt-05-fig05.png)
-
 Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
 
 ## Boot images
 
-Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment 
-share on the server and start the deployment.
+Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment share on the server and start the deployment.
 
 ## Operating systems
 
-Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
+Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
 
 ## Applications
 
@@ -120,33 +143,44 @@ With the Deployment Workbench, you can add any Microsoft packages that you want
 Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
 
 You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
-- **Gather.** Reads configuration settings from the deployment server.
-- **Format and Partition.** Creates the partition(s) and formats them.
-- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
-- **Apply Operating System.** Uses ImageX to apply the image.
-- **Windows Update.** Connects to a WSUS server and updates the machine.
+
+- **Gather**: Reads configuration settings from the deployment server.
+- **Format and Partition**: Creates the partition(s) and formats them.
+- **Inject Drivers**: Finds out which drivers the machine needs and downloads them from the central driver repository.
+- **Apply Operating System**: Applies the Windows image.
+- **Windows Update**: Connects to a WSUS server and updates the machine.
 
 ## Task sequence templates
 
 MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence.
-- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
+
+- **Sysprep and Capture task sequence**: Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer.
 
     > [!NOTE]
     > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't.
-     
-- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
-- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
-- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action).
-- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers.
-- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
-- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments.
-- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
-- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers.
-- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
+
+- **Standard Client task sequence**: The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
+
+- **Standard Client Replace task sequence**: Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
+
+- **Custom task sequence**: As the name implies, a custom task sequence with only one default action (one Install Application action).
+
+- **Standard Server task sequence**: The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers.
+
+- **Lite Touch OEM task sequence**: Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature.
+
+- **Post OS Installation task sequence**: A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments.
+
+- **Deploy to VHD Client task sequence**: Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file.
+
+- **Deploy to VHD Server task sequence**: Same as the Deploy to VHD Client task sequence but for servers.
+
+- **Standard Client Upgrade task sequence**: A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
 
 ## Selection profiles
 
 Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to:
+
 - Control which drivers and packages are injected into the Lite Touch (and generic) boot images.
 - Control which drivers are injected during the task sequence.
 - Control what is included in any media that you create.
@@ -157,8 +191,8 @@ Selection profiles, which are available in the Advanced Configuration node, prov
 
 MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well.
 
-**Note**  
-The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
+> [!NOTE]
+> The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717).
 
 ## Monitoring
 
@@ -166,4 +200,4 @@ On the deployment share, you also can enable monitoring. After you enable monito
 
 ## See next
 
-[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index e691b3677b..e5eb7ae010 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -1,19 +1,24 @@
 ---
 title: Prepare for deployment with MDT (Windows 10)
-description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
+description: This article will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.collection: 
+  - highpri
+ms.date: 11/28/2022
 ---
 
 # Prepare for deployment with MDT
 
-**Applies to**
--   Windows 10
+**Applies to:**
+
+- Windows 10
 
 This article will walk you through the steps necessary to prepare your network and server infrastructure to deploy Windows 10 with the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the file system and in Active Directory.
 
@@ -23,47 +28,56 @@ The procedures in this guide use the following names and infrastructure.
 
 ### Network and servers
 
-For the purposes of this topic, we will use three server computers: **DC01**, **MDT01**, and **HV01**.
-- All servers are running Windows Server 2019. 
-    - You can use an earlier version of Windows Server with minor modifications to some procedures.
-    - Note: Although MDT supports Windows Server 2008 R2, at least Windows Server 2012 R2 or later is required to perform the procedures in this guide.
-- **DC01** is a domain controller, DHCP server, and DNS server for <b>contoso.com</b>, representing the fictitious Contoso Corporation.
-- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
-    - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
+For the purposes of this article, we'll use three server computers: **DC01**, **MDT01**, and **HV01**.
+
+- All servers are running Windows Server 2019.
+
+  - You can use an earlier version of Windows Server with minor modifications to some procedures.
+
+- **DC01** is a domain controller, DHCP server, and DNS server for **contoso.com**, representing the fictitious Contoso Corporation.
+
+- **MDT01** is a domain member server in contoso.com with a data (D:) drive that can store at least 200 GB. MDT01 will host deployment shares and run the Windows Deployment Service. Optionally, MDT01 is also a WSUS server.
+
+  - A second MDT server (**MDT02**) configured identically to MDT01 is optionally used to [build a distributed environment](build-a-distributed-environment-for-windows-10-deployment.md) for Windows 10 deployment. This server is located on a different subnet than MDT01 and has a different default gateway.
+
 - **HV01** is a Hyper-V host computer that is used to build a Windows 10 reference image.
-    - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
+  - See [Hyper-V requirements](#hyper-v-requirements) below for more information about HV01.
 
 ### Client computers
 
 Several client computers are referenced in this guide with hostnames of PC0001 to PC0007.
 
-- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
+- **PC0001**: A computer running Windows 10 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain.
+
   - Client name: PC0001
   - IP Address: DHCP
-- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
+
+- **PC0002**: A computer running Windows 7 SP1 Enterprise x64, fully patched with the latest security updates, and configured as a member in the contoso.com domain. This computer is referenced during the migration scenarios.
+
   - Client name: PC0002
   - IP Address: DHCP
+
 - **PC0003 - PC0007**: These are other client computers similar to PC0001 and PC0002 that are used in this guide and another guide for various scenarios. The device names are incremented for clarity within each scenario. For example, PC0003 and PC0004 are running Windows 7 just like PC0002, but are used for Configuration Manager refresh and replace scenarios, respectively.
 
 ### Storage requirements
 
-MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive.
+MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you'll need to adjust some procedures in this guide to specify the C: drive instead of the D: drive.
 
 ### Hyper-V requirements
 
-If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
+If you don't have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
 
 ### Network requirements
 
-All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain.  Internet connectivity is also required to download OS and application updates.
+All server and client computers referenced in this guide are on the same subnet. This isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
 
 ### Domain credentials
 
 The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.
 
-**Active Directory domain name**: contoso.com<br>
-**Domain administrator username**: administrator<br>
-**Domain administrator password**: pass@word1
+- **Active Directory domain name**: contoso.com
+- **Domain administrator username**: administrator
+- **Domain administrator password**: pass@word1
 
 ### Organizational unit structure
 
@@ -77,34 +91,40 @@ These steps assume that you have the MDT01 member server running and configured
 
 On **MDT01**:
 
-Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
+Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you'll need to create this folder):
+
 - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
 - [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
 - [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
 - (Optional) [The MDT_KB4564442 patch for BIOS firmware](https://download.microsoft.com/download/3/0/6/306AC1B2-59BE-43B8-8C65-E141EF287A5E/KB4564442/MDT_KB4564442.exe)
-  - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines.  If you have a UEFI deployment, you do not need this patch.
+  - This patch is needed to resolve a bug that causes detection of BIOS-based machines as UEFI-based machines. If you have a UEFI deployment, you don't need this patch.
 
->[!TIP]
->You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
+> [!TIP]
+> You might need to temporarily disable IE Enhanced Security Configuration for administrators in order to download files from the Internet to the server. This setting can be disabled by using Server Manager (Local Server/Properties).
+
+1. On **MDT01**, ensure that you're signed in as an administrator in the CONTOSO domain.
+
+   - For the purposes of this guide, we're using a Domain Admin account of **administrator** with a password of **pass@word1**. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
+
+2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
+
+3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), select **Next** twice to accept the default installation parameters, select **Accept** to accept the license agreement, and then on the **Select the features you want to install** page select **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
 
-1. On **MDT01**, ensure that you are signed in as an administrator in the CONTOSO domain.
-    - For the purposes of this guide, we are using a Domain Admin account of **administrator** with a password of <b>pass@word1</b>. You can use your own administrator username and password as long as you properly adjust all steps in this guide that use these login credentials.
-2. Start the **ADK Setup** (D:\\Downloads\\ADK\\adksetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page accept the default list of features by clicking **Install**. This will install deployment tools and the USMT. Verify that the installation completes successfully before moving to the next step.
-3. Start the **WinPE Setup** (D:\\Downloads\\ADK\\adkwinpesetup.exe), click **Next** twice to accept the default installation parameters, click **Accept** to accept the license agreement, and then on the **Select the features you want to install** page click **Install**. This will install Windows PE for x86, AMD64, ARM, and ARM64. Verify that the installation completes successfully before moving to the next step.
 4. Extract the **WSIM 1903 update** (D:\\Downloads\ADK\\WSIM1903.zip) and then run the **UpdateWSIM.bat** file.
    - You can confirm that the update is applied by viewing properties of the ImageCat.exe and ImgMgr.exe files at **C:\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM** and verifying that the **Details** tab displays a **File version** of **10.0.18362.144** or later.
-5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/en-us/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
+
+5. If you downloaded the optional MDT_KB4564442 patch for BIOS based deployment, see [this support article](https://support.microsoft.com/topic/windows-10-deployments-fail-with-microsoft-deployment-toolkit-on-computers-with-bios-type-firmware-70557b0b-6be3-81d2-556f-b313e29e2cb7) for instructions on how to install the patch.
 
 ## Install and initialize Windows Deployment Services (WDS)
 
 On **MDT01**:
 
 1. Open an elevated Windows PowerShell prompt and enter the following command:
- 
+
   ```powershell
   Install-WindowsFeature -Name WDS -IncludeManagementTools
-  WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
-  WDSUTIL /Set-Server /AnswerClients:All
+  WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"
+  WDSUTIL.exe /Set-Server /AnswerClients:All
   ```
 
 ## Optional: Install Windows Server Update Services (WSUS)
@@ -113,26 +133,32 @@ If you wish to use MDT as a WSUS server using the Windows Internal Database (WID
 
 To install WSUS on MDT01, enter the following at an elevated Windows PowerShell prompt:
 
-  ```powershell
-  Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
-  cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
-  ```
+```powershell
+Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
+"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
+```
 
->To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.
+> [!NOTE]
+> To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the necessary post-installation configuration of WSUS on MDT01.
 
 ## Install MDT
 
->[!NOTE]
->MDT installation requires the following:
->-   The Windows ADK for Windows 10 (installed in the previous procedure)
->-   Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
->-   Microsoft .NET Framework
+> [!NOTE]
+> MDT installation requires the following:
+>
+> - The Windows ADK for Windows 10 (installed in the previous procedure)
+> - Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; enter `$host` to check)
+> - Microsoft .NET Framework
 
 On **MDT01**:
 
-1. Visit the [MDT resource page](/mem/configmgr/mdt/) and click **Download MDT**. 
-2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01. 
-    - **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
+1. Visit the [MDT resource page](/mem/configmgr/mdt/) and select **Download MDT**.
+
+2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
+
+    > [!NOTE]
+    > As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
+
 3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
 
 ## Create the OU structure
@@ -157,7 +183,7 @@ Workstations,"OU=Computers,OU=Contoso,DC=CONTOSO,DC=COM"
 Security Groups,"OU=Groups,OU=Contoso,DC=CONTOSO,DC=COM"
 ```
 
-Next, copy the following commands into a file and save it as `~\Setup\Scripts\ou.ps1`. Be sure that you are viewing file extensions and that you save the file with the `.ps1` extension.
+Next, copy the following commands into a file and save it as `~\Setup\Scripts\ou.ps1`. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension.
 
 ```powershell
 Import-CSV -Path $home\Setup\Scripts\oulist.csv | ForEach-Object {
@@ -182,20 +208,27 @@ To use the Active Directory Users and Computers console (instead of PowerShell):
 
 On **DC01**:
 
-1.  Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**.
-2.  In the **Contoso** OU, create the following OUs:
-    1.  Accounts
-    2.  Computers
-    3.  Groups
-3.  In the **Contoso / Accounts** OU, create the following underlying OUs:
-    1.  Admins
-    2.  Service Accounts
-    3.  Users
-4.  In the **Contoso / Computers** OU, create the following underlying OUs:
-    1.  Servers
-    2.  Workstations
-5.  In the **Contoso / Groups** OU, create the following OU:
-    1.   Security Groups
+1. Using the Active Directory Users and Computers console (dsa.msc), in the contoso.com domain level, create a top-level OU named **Contoso**.
+
+2. In the **Contoso** OU, create the following OUs:
+
+   - Accounts
+   - Computers
+   - Groups
+
+3. In the **Contoso / Accounts** OU, create the following underlying OUs:
+
+   - Admins
+   - Service Accounts
+   - Users
+
+4. In the **Contoso / Computers** OU, create the following underlying OUs:
+
+   - Servers
+   - Workstations
+
+5. In the **Contoso / Groups** OU, create the following OU:
+   - Security Groups
 
 The final result of either method is shown below. The **MDT_BA** account will be created next.
 
@@ -208,16 +241,18 @@ To create an MDT build account, open an elevated Windows PowerShell prompt on DC
 ```powershell
 New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
 ```
+
 If you have the Active Directory Users and Computers console open you can refresh the view and see this new account in the **Contoso\Accounts\Service Accounts** OU as shown in the screenshot above.
 
 ## Create and share the logs folder
 
-By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+By default MDT stores the log files locally on the client. In order to capture a reference image, you'll need to enable server-side logging and, to do that, you'll need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
 
 On **MDT01**:
 
-1.  Sign in as **CONTOSO\\administrator**.
-2.  Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
+1. Sign in as **CONTOSO\\administrator**.
+
+2. Create and share the **D:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt:
 
     ```powershell
     New-Item -Path D:\Logs -ItemType directory
@@ -231,7 +266,7 @@ See the following example:
 
 ## Use CMTrace to read log files (optional)
 
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.  
+The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.
 You can use Notepad (example below):
 
 ![figure 8.](../images/mdt-05-fig09.png)
@@ -244,12 +279,13 @@ After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and
 
 ## Next steps
 
-When you have completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
+When you've completed all the steps in this section to prepare for deployment, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md).
 
 ## Appendix
 
-**Sample files**
+### Sample files
+
+The following sample files are also available to help automate some MDT deployment tasks. This guide doesn't use these files, but they're made available here so you can see how some tasks can be automated with Windows PowerShell.
 
-The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell.
 - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
 - [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index 356ba70dcc..b38d0d58a8 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -1,114 +1,122 @@
 ---
 title: Refresh a Windows 7 computer with Windows 10 (Windows 10)
-description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
+description: This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Refresh a Windows 7 computer with Windows 10
 
-**Applies to**
--   Windows 10
+**Applies to:**
 
-This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/).
+- Windows 10
+
+This article will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/).
+
+For the purposes of this article, we'll use three computers: DC01, MDT01, and PC0001.
 
-For the purposes of this topic, we'll use three computers: DC01, MDT01, and PC0001. 
 - DC01 is a domain controller for the contoso.com domain.
 - MDT01 is domain member server that hosts your deployment share.
-- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
+- PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1.
 
-Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more information on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
 ![computers.](../images/mdt-04-fig01.png "Computers used in this topic")
-
-The computers used in this topic.
+The computers used in this article.
 
 ## The computer refresh process
 
 A computer refresh isn't the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings.
 
-For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh, you will:
+For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh, you will:
 
-1.  Back up data and settings locally, in a backup folder.
-2.  Wipe the partition, except for the backup folder.
-3.  Apply the new operating system image.
-4.  Install other applications.
-5.  Restore data and settings.
+1. Back up data and settings locally, in a backup folder.
+2. Wipe the partition, except for the backup folder.
+3. Apply the new operating system image.
+4. Install other applications.
+5. Restore data and settings.
 
-During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's a lot of data.
+During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's many files.
+
+> [!NOTE]
+> In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
 
->[!NOTE]
->In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario.
- 
 ### Multi-user migration
 
 By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a computer that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up by configuring command-line switches to ScanState (added as rules in MDT).
 
-For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: ScanStateArgs=/ue:\*\\\* /ui:CONTOSO\\\*
+For example, the following line configures USMT to migrate only domain user profiles and not profiles from the local SAM account database: `ScanStateArgs=/ue:*\* /ui:CONTOSO\*`
+
+> [!NOTE]
+> You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
 
->[!NOTE]
->You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days.
- 
 ### Support for additional settings
 
 In addition to the command-line switches that control which profiles to migrate, [XML templates](../usmt/understanding-migration-xml-files.md) control exactly what data is being migrated. You can control data within and outside the user profiles.
 
 ### Multicast
 
-Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You'll need to update the deployment share after changing this setting.
+Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment there are only a few computers. You'll need to update the deployment share after changing this setting.
 
-## Refresh a Windows 7 SP1 client
+## Refresh a Windows 7 SP1 client
 
-In this section, we assume that you've already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01:
+In this section, we assume that you've already performed the prerequisite procedures in the following articles, so that you have a deployment share named **MDTProduction$** on MDT01:
 
 - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
 - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
 - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
 
-It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10.  For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909.
- 
-### Upgrade (refresh) a Windows 7 SP1 client
+It's also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909.
 
->[!IMPORTANT]
->Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process.  If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in Contoso > Computers > Workstations. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer. 
+### Upgrade (refresh) a Windows 7 SP1 client
+
+> [!IMPORTANT]
+> Domain join details [specified in the deployment share rules](deploy-a-windows-10-image-using-mdt.md#configure-the-rules) will be used to rejoin the computer to the domain during the refresh process. If the Windows 7 client is domain-jonied in a different OU than the one specified by MachineObjectOU, the domain join process will initially fail and then retry without specifying an OU. If the domain account that is specified (ex: **MDT_JD**) has [permissions limited to a specific OU](deploy-a-windows-10-image-using-mdt.md#step-1-configure-active-directory-permissions) then the domain join will ultimately fail, the refresh process will proceed, and the client computer object will be orphaned in Active Directory. In the current guide, computer objects should be located in **Contoso** > **Computers** > **Workstations**. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. To diagnose MDT domain join errors, see **ZTIDomainJoin.log** in the C:\Windows\Temp\DeploymentLogs directory on the client computer.
+
+1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**.
 
-1. On PC0001, sign in as **contoso\\Administrator** and start the Lite Touch Deploy Wizard by opening **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. 
 2. Complete the deployment guide using the following settings:
-    
-   * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
-   * Computer name: &lt;default&gt;
-   * Specify where to save a complete computer backup: Do not back up the existing computer
-     >[!NOTE]
-     >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
-   * Select one or more applications to install: Install - Adobe Reader
+
+   - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
+
+   - **Computer name**: *\<default\>*
+
+   - **Specify where to save a complete computer backup**: Don't back up the existing computer
+
+     > [!NOTE]
+     > Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
+
+   - **Select one or more applications to install**: Install - Adobe Reader
 
      ![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh")
 
-4. Setup starts and does the following:
-    
-   * Backs up user settings and data using USMT.
-   * Installs the Windows 10 Enterprise x64 operating system.
-   * Installs any added applications.
-   * Updates the operating system using your local Windows Server Update Services (WSUS) server.
-   * Restores user settings and data using USMT.
+3. Setup starts and performs the following actions:
 
-5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
+   - Backs up user settings and data using USMT.
+   - Installs the Windows 10 Enterprise x64 operating system.
+   - Installs any added applications.
+   - Updates the operating system using your local Windows Server Update Services (WSUS) server.
+   - Restores user settings and data using USMT.
+
+4. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
 
      ![monitor deployment.](../images/monitor-pc0001.png)
 
-6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
+5. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
 
-## Related topics
+## Related articles
 
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
-[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)<br>
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)<br>
-[Configure MDT settings](configure-mdt-settings.md)
+- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+- [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+- [Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index 30ca655b46..b240a4f426 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -3,32 +3,35 @@ title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10)
 description: In this article, you'll learn how to replace a Windows 7 device with a Windows 10 device.
 ms.custom: seo-marvel-apr2020
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Replace a Windows 7 computer with a Windows 10 computer
 
-**Applies to**
--   Windows 10
+**Applies to:**
 
-A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. 
+- Windows 10
+
+A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings.
+
+For the purposes of this article, we'll use four computers: DC01, MDT01, PC0002, and PC0007.
 
-For the purposes of this topic, we'll use four computers: DC01, MDT01, PC0002, and PC0007. 
 - DC01 is a domain controller for the contoso.com domain.
 - MDT01 is domain member server that hosts your deployment share.
-- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. 
+- PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007.
 - PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain.
 
-For more details on the setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+For more details on the setup for this article, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
 ![The computers used in this topic.](../images/mdt-03-fig01.png)
-
-The computers used in this topic.
+The computers used in this article.
 
 >HV01 is also used in this topic to host the PC0007 virtual machine for demonstration purposes, however typically PC0007 is a physical computer.
 
@@ -41,7 +44,9 @@ The computers used in this topic.
 On **MDT01**:
 
 1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, select **Properties**, and then select the **Rules** tab.
+
 2. Change the **SkipUserData=YES** option to **NO**, and select **OK**.
+
 3. Right-click on **MDT Production** and select **Update Deployment Share**. Then select **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings.
 
 ### Create and share the MigData folder
@@ -49,23 +54,25 @@ On **MDT01**:
 On **MDT01**:
 
 1. Create and share the **D:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt:
-   ``` powershell
+
+   ```powershell
    New-Item -Path D:\MigData -ItemType directory
    New-SmbShare -Name MigData$ -Path D:\MigData -ChangeAccess EVERYONE
    icacls D:\MigData /grant '"MDT_BA":(OI)(CI)(M)'
    ```
-   ### Create a backup only (replace) task sequence
 
-2. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
+### Create a backup only (replace) task sequence
 
-3. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+1. In Deployment Workbench, under the **MDT Production** deployment share, select the **Task Sequences** node and create a new folder named **Other**.
 
-   * Task sequence ID: REPLACE-001
-   * Task sequence name: Backup Only Task Sequence
-   * Task sequence comments: Run USMT to backup user data and settings
-   * Template: Standard Client Replace Task Sequence
+2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
 
-4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
+   - Task sequence ID: REPLACE-001
+   - Task sequence name: Backup Only Task Sequence
+   - Task sequence comments: Run USMT to back up user data and settings
+   - Template: Standard Client Replace Task Sequence
+
+3. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
 
    ![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
 
@@ -73,38 +80,41 @@ On **MDT01**:
 
 ## Perform the computer replace
 
-During a computer replace, these are the high-level steps that occur:
+During a computer replace, the following are the high-level steps that occur:
 
-1.  On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup.
-2.  On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
+1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup.
+
+2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored.
 
 ### Run the replace task sequence
 
 On **PC0002**:
 
-1.  Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share.
-2.  Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
-3.  Complete the Windows Deployment Wizard using the following settings:
+1. Sign in as **CONTOSO\\Administrator** and verify that you have write access to the **\\\\MDT01\\MigData$** share.
 
-    1.  Select a task sequence to execute on this computer: Backup Only Task Sequence
-        * Specify where to save your data and settings: Specify a location
-        * Location: \\\\MDT01\\MigData$\\PC0002
-        
-        >[!NOTE]
-        >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
-         
-    2.  Specify where to save a complete computer backup: Do not back up the existing computer
+2. Run **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**.
+
+3. Complete the **Windows Deployment Wizard** using the following settings:
+
+   - **Select a task sequence to execute on this computer**: Backup Only Task Sequence
+
+   - **Specify where to save your data and settings**: Specify a location
+
+     - **Location**: \\\\MDT01\\MigData$\\PC0002
+
+        > [!NOTE]
+        > If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead.
+
+   - **Specify where to save a complete computer backup**: Don't back up the existing computer
 
     The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
 
     ![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence")
-
     The new task sequence running the Capture User State action on PC0002.
 
-4.  On **MDT01**, verify that you have an USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
+4. On **MDT01**, verify that you have a USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
 
     ![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup")
-
     The USMT backup of PC0002.
 
 ### Deploy the replacement computer
@@ -113,47 +123,47 @@ To demonstrate deployment of the replacement computer, HV01 is used to host a vi
 
 On **HV01**:
 
-1.  Create a virtual machine with the following settings:
+1. Create a virtual machine with the following settings:
 
-    * Name: PC0007
-    * Location: C:\\VMs
-    * Generation: 2
-    * Memory: 2048 MB
-    * Hard disk: 60 GB (dynamic disk)
-    * Install an operating system from a network-based installation server
+   - **Name**: PC0007
+   - **Location**: C:\\VMs
+   - **Generation**: 2
+   - **Memory**: 2048 MB
+   - **Hard disk**: 60 GB (dynamic disk)
+   - Install an operating system from a network-based installation server
 
-2.  Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
+2. Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
 
     ![The initial PXE boot process.](../images/mdt-03-fig05.png "The initial PXE boot process")
 
     The initial PXE boot process of PC0007.
 
-3.  After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
+3. After Windows Preinstallation Environment (Windows PE) has booted, complete the Windows Deployment Wizard using the following settings:
 
-    * Select a task sequence to execute on this computer:
-        * Windows 10 Enterprise x64 RTM Custom Image
-        * Computer Name: PC0007
-        * Move Data and Settings: Do not move user data and settings.
-        * User Data (Restore) > Specify a location: \\\\MDT01\\MigData$\\PC0002
-        * Applications: Adobe > Install - Adobe Reader
+   - Select a task sequence to execute on this computer:
+     - Windows 10 Enterprise x64 RTM Custom Image
+     - **Computer Name**: PC0007
+     - **Move Data and Settings**: Don't move user data and settings.
+     - **User Data (Restore)** > **Specify a location**: \\\\MDT01\\MigData$\\PC0002
+     - **Applications**: Adobe > Install - Adobe Reader
 
-4.  Setup now starts and does the following:
+4. Setup now starts and does the following actions:
 
-    * Partitions and formats the disk.
-    * Installs the Windows 10 Enterprise operating system.
-    * Installs the application.
-    * Updates the operating system via your local Windows Server Update Services (WSUS) server.
-    * Restores the USMT backup from PC0002.
+    - Partitions and formats the disk.
+    - Installs the Windows 10 Enterprise operating system.
+    - Installs the application.
+    - Updates the operating system via your local Windows Server Update Services (WSUS) server.
+    - Restores the USMT backup from PC0002.
 
 You can view progress of the process by clicking the Monitoring node in the Deployment Workbench on MDT01.
 
 ![Monitor progress.](../images/mdt-replace.png)
 
-## Related topics
+## Related articles
 
-[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)<br>
-[Create a Windows 10 reference image](create-a-windows-10-reference-image.md)<br>
-[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)<br>
-[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)<br>
-[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)<br>
-[Configure MDT settings](configure-mdt-settings.md)
+- [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
+- [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
+- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
+- [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
+- [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
+- [Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index e2976790e7..b8460e77a7 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -1,24 +1,27 @@
 ---
 title: Set up MDT for BitLocker (Windows 10)
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-mar2020
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Set up MDT for BitLocker
 
-This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
+This article will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:
 
 - A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you can also use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password.
+
 - Multiple partitions on the hard drive.
 
-To configure your environment for BitLocker, you will need to do the following:
+To configure your environment for BitLocker, you'll need to do the following actions:
 
 1. Configure Active Directory for BitLocker.
 2. Download the various BitLocker scripts and tools.
@@ -27,16 +30,14 @@ To configure your environment for BitLocker, you will need to do the following:
 
 > [!NOTE]
 > Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
-If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+>
+> If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
 
-> [!NOTE]
-> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
-
-For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
+For the purposes of this article, we'll use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this article, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
 
 ## Configure Active Directory for BitLocker
 
-To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
+To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we're running Windows Server 2012 R2, so you don't need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
 
 > [!NOTE]
 > Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
@@ -51,19 +52,25 @@ The BitLocker Recovery information on a computer object in the contoso.com domai
 
 The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):
 
-1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**.
-2. On the **Before you begin** page, click **Next**.
-3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**.
-4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**.
-5. On the **Select server roles** page, click **Next**.
-6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**:
+1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, select **Add roles and features**.
+
+2. On the **Before you begin** page, select **Next**.
+
+3. On the **Select installation type** page, select **Role-based or feature-based installation**, and select **Next**.
+
+4. On the **Select destination server** page, select **DC01.contoso.com** and select **Next**.
+
+5. On the **Select server roles** page, select **Next**.
+
+6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then select **Next**:
+
     1. BitLocker Drive Encryption Administration Utilities
     2. BitLocker Drive Encryption Tools
     3. BitLocker Recovery Password Viewer
-7. On the **Confirm installation selections** page, click **Install**, and then click **Close**.
+
+7. On the **Confirm installation selections** page, select **Install**, and then select **Close**.
 
 ![figure 3.](../images/mdt-09-fig03.png)
-
 Selecting the BitLocker Drive Encryption Administration Utilities.
 
 ### Create the BitLocker Group Policy
@@ -71,32 +78,41 @@ Selecting the BitLocker Drive Encryption Administration Utilities.
 Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.
 
 1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**.
+
 2. Assign the name **BitLocker Policy** to the new Group Policy.
-3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings:
-    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
-    1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
-        1. Allow data recovery agent (default)
-        2. Save BitLocker recovery information to Active Directory Domain Services (default)
-        3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives
-    2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
-    3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
+
+3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings found under **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives**
+
+   1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings:
+
+      - Allow data recovery agent (default)
+      - Save BitLocker recovery information to Active Directory Domain Services (default)
+      - Don't enable BitLocker until recovery information is stored in AD DS for operating system drives
+
+   2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy.
+
+   3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy.
 
 > [!NOTE]
-> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
+> If you consistently get the error:
+>
+> **Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system.**
+>
+> after encrypting a computer with BitLocker, you might have to change the various **Configure TPM platform validation profile** Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
 
 ### Set permissions in Active Directory for BitLocker
 
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01.
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you've downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01.
 
 1. On DC01, start an elevated PowerShell prompt (run as Administrator).
+
 2. Configure the permissions by running the following command:
 
-    ```dos
-    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
+    ```cmd
+    cscript.exe C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
     ```
 
 ![figure 4.](../images/mdt-09-fig04.png)
-
 Running the Add-TPMSelfWriteACE.vbs script on DC01.
 
 ## Add BIOS configuration tools from Dell, HP, and Lenovo
@@ -109,9 +125,9 @@ If you want to automate enabling the TPM chip as part of the deployment process,
 
 ### Add tools from HP
 
-The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
+The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here's a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:
 
-```dos
+```cmd
 BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234
 ```
 
@@ -131,34 +147,37 @@ Embedded Security Device Availability
 
 ### Add tools from Lenovo
 
-The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:
+The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here's a sample command to enable TPM using the Lenovo tools:
 
-```dos
+```cmd
 cscript.exe SetConfig.vbs SecurityChip Active
 ```
 
 ## Configure the Windows 10 task sequence to enable BitLocker
 
-When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](/archive/blogs/deploymentguys/check-to-see-if-the-tpm-is-enabled).
+When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it's helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we're using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](/archive/blogs/deploymentguys/check-to-see-if-the-tpm-is-enabled).
 
 In the following task sequence, we added five actions:
 
 - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false.
-- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf.
+
+- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip isn't already activated. Use the properties from the ZTICheckforTPM.wsf.
 
     > [!NOTE]
     > It is common for organizations to wrap these tools in scripts to get additional logging and error handling.
 
 - **Restart computer.** Self-explanatory, reboots the computer.
+
 - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time.
+
 - **Enable BitLocker.** Runs the built-in action to activate BitLocker.
 
-## Related topics
+## Related articles
 
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)<br>
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)<br>
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)<br>
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br>
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br>
-[Use web services in MDT](use-web-services-in-mdt.md)<br>
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index 3b225896bf..b9a293d1de 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -1,23 +1,27 @@
 ---
 title: Simulate a Windows 10 deployment in a test environment (Windows 10)
-description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT.
+description: This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Simulate a Windows 10 deployment in a test environment
 
-This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined client.
+This article will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it's most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you're using a domain-joined client.
 
 ## Test environment
 
 - A Windows 10 client named **PC0001** will be used to simulate deployment. The client is joined to the contoso.com domain and has access to the Internet to required download tools and scripts.
-- It is assumed that you have performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share:
+
+- It's assumed that you've performed (at least) the following procedures so that you have an MDT service account and an MDT production deployment share:
+
   - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
   - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
   - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
@@ -27,6 +31,7 @@ This topic will walk you through the process of creating a simulated environment
 On **PC0001**:
 
 1. Sign as **contoso\\Administrator**.
+
 2. Copy the following to a PowerShell script named gather.ps1 and copy it to a directory named **C:\MDT** on PC0001.
 
     ```powershell
@@ -46,15 +51,22 @@ On **PC0001**:
     ```
 
 3. Download and install the free [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool.
+
 4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group.
+
 5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**.
+
 6. Open the **\\\\MDT01\\MDTProduction$\\Scripts** folder and copy the following files to **C:\\MDT**:
-   1.  ZTIDataAccess.vbs
-   2.  ZTIGather.wsf
-   3.  ZTIGather.xml
-   4.  ZTIUtility.vbs
+
+   - ZTIDataAccess.vbs
+   - ZTIGather.wsf
+   - ZTIGather.xml
+   - ZTIUtility.vbs
+
 7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**.
+
 8. In the **C:\\MDT** folder, create a subfolder named **X64**.
+
 9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
 
    ![files.](../images/mdt-09-fig06.png)
@@ -62,27 +74,30 @@ On **PC0001**:
    The C:\\MDT folder with the files added for the simulation environment.
 
 10. Type the following at an elevated Windows PowerShell prompt:
-    ``` powershell
+
+    ```powershell
     Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
     Set-Location C:\MDT
     .\Gather.ps1
     ```
+
     When prompted, press **R** to run the gather script.
 
 11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder using CMTrace.
-    **Note**  
-    Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment.
- 
+
+    > [!NOTE]
+    > Warnings or errors regarding the Wizard.hta are expected. If the log file looks okay, you're ready to try a real deployment.
+
    ![ztigather.](../images/mdt-09-fig07.png)
 
    The ZTIGather.log file from PC0001.
 
-## Related topics
+## Related articles
 
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)<br>
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)<br>
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)<br>
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)<br>
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)<br>
-[Use web services in MDT](use-web-services-in-mdt.md)<br>
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 4f1b8456b8..83c7037743 100644
--- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -1,108 +1,124 @@
 ---
 title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
-description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
+description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Perform an in-place upgrade to Windows 10 with MDT
 
-**Applies to**
--   Windows 10
+**Applies to:**
 
-The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. 
+- Windows 10
 
->[!TIP]
->In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple. 
+The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
 
-In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you cannot use a custom image to perform the in-place upgrade. In this article we will add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
+> [!TIP]
+> In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
 
-Three computers are used in this topic: DC01, MDT01, and PC0002. 
+In-place upgrade differs from [computer refresh](refresh-a-windows-7-computer-with-windows-10.md) in that you can't use a custom image to perform the in-place upgrade. In this article, we'll add a default Windows 10 image to the production deployment share specifically to perform an in-place upgrade.
+
+Three computers are used in this article: DC01, MDT01, and PC0002.
 
 - DC01 is a domain controller for the contoso.com domain
-- MDT01 is a domain member server 
-- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
+- MDT01 is a domain member server
+- PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
 
  ![computers.](../images/mdt-upgrade.png)
+ The computers used in this article.
 
- The computers used in this topic.
-
->[!NOTE]
->For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
-
+> [!NOTE]
+> For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+>
 >If you have already completed all the steps in [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md), then you already have a production deployment share and you can skip to [Add Windows 10 Enterprise x64 (full source)](#add-windows-10-enterprise-x64-full-source).
 
 ## Create the MDT production deployment share
 
 On **MDT01**:
 
-1. Ensure you are signed on as: contoso\administrator.
+1. Ensure you're signed on as **contoso\administrator**.
+
 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
-3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
-4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
-5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
-6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
+
+3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and select **Next**.
+
+4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and select **Next**.
+
+5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and select **Next**.
+
+6. On the **Options** page, accept the default settings and select **Next** twice, and then select **Finish**.
+
 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
 
 ## Add Windows 10 Enterprise x64 (full source)
 
->If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
+> [!NOTE]
+> If you have already have a Windows 10 [reference image](create-a-windows-10-reference-image.md) in the **MDT Build Lab** deployment share, you can use the deployment workbench to copy and paste this image from the MDT Build Lab share to the MDT Production share and skip the steps in this section.
 
 On **MDT01**:
 
-1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
+1. Sign in as contoso\\administrator and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01.
+
 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**.
+
 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
+
 4. Expand the **Operating Systems** node, right-click the **Windows 10** folder, and select **Import Operating System**. Use the following settings for the Import Operating System Wizard:
+
     - Full set of source files
-    - Source directory: (location of your source files)
-    - Destination directory name: <b>W10EX64RTM</b>
+    - **Source directory**: (location of your source files)
+    - **Destination directory name**: `W10EX64RTM`
+
 5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**.
 
-## Create a task sequence to upgrade to Windows 10 Enterprise
+## Create a task sequence to upgrade to Windows 10 Enterprise
 
 On **MDT01**:
 
-1.  Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**.
-2.  Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-    -   Task sequence ID: W10-X64-UPG
-    -   Task sequence name: Windows 10 Enterprise x64 RTM Upgrade
-    -   Template: Standard Client Upgrade Task Sequence
-    -   Select OS: Windows 10 Enterprise x64 RTM Default Image
-    -   Specify Product Key: Do not specify a product key at this time
-    -   Organization: Contoso
-    -   Admin Password: Do not specify an Administrator password at this time
+1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, then create a folder named **Windows 10**.
 
-## Perform the Windows 10 upgrade
+2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**:
+
+    - **Task sequence ID**: W10-X64-UPG
+    - **Task sequence name**: Windows 10 Enterprise x64 RTM Upgrade
+    - **Template**: Standard Client Upgrade Task Sequence
+    - **Select OS**: Windows 10 Enterprise x64 RTM Default Image
+    - **Specify Product Key**: Don't specify a product key at this time
+    - **Organization**: Contoso
+    - **Admin Password**: Don't specify an Administrator password at this time
+
+## Perform the Windows 10 upgrade
 
 To initiate the in-place upgrade, perform the following steps on PC0002 (the device to be upgraded).
 
 On **PC0002**:
 
 1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs**
-2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. 
+
+2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then select **Next**.
+
 3. Select one or more applications to install (will appear if you use custom image): Install - Adobe Reader
-4. On the **Ready** tab, click **Begin** to start the task sequence.
-   When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
+
+4. On the **Ready** tab, select **Begin** to start the task sequence.
+
+When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
 
 ![upgrade1.](../images/upgrademdt-fig5-winupgrade.png)
 
-<br>
-
 ![upgrade2.](../images/mdt-upgrade-proc.png)
 
-<br>
-
 ![upgrade3.](../images/mdt-post-upg.png)
 
-After the task sequence completes, the computer will be fully upgraded to Windows 10.
+After the task sequence completes, the computer will be fully upgraded to Windows 10.
 
-## Related topics
+## Related articles
 
-[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)<br>
-[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)
+- [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
+- [Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 12cf171f4d..141bdd8589 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -2,45 +2,57 @@
 title: Use Orchestrator runbooks with MDT (Windows 10)
 description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Use Orchestrator runbooks with MDT
 
-This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+This article will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+
 MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
 
-**Note**  
-If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
- 
-## <a href="" id="sec01"></a>Orchestrator terminology
+> [!NOTE]
+> If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
 
-Before diving into the core details, here is a quick course in Orchestrator terminology:
--   **Orchestrator Server.** This is a server that executes runbooks.
--   **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
--   **Orchestrator Designer.** This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
--   **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
--   **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
--   **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
--   **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
+## Orchestrator terminology
 
-**Note**  
-To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)).
+Before diving into the core details, here's a quick course in Orchestrator terminology:
+
+- **Orchestrator Server**: This is a server that executes runbooks.
+
+- **Runbooks**: A runbook is similar to a task sequence; it's a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
+
+- **Orchestrator Designer**: This is where you build the runbooks. In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
+
+- **Subscriptions**: These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
+
+- **Orchestrator Console**: This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
+
+- **Orchestrator web services**: These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
+
+- **Integration packs**: These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
+
+> [!NOTE]
+> To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)).
  
-## <a href="" id="sec02"></a>Create a sample runbook
+## Create a sample runbook
 
 This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
 
 1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
+
 2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
-   **Note**  
-   Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
-     
+
+   > [!NOTE]
+   > Make sure File Explorer is configured to show known file extensions so the file isn't named DeployLog.txt.txt.
+
    ![figure 23.](../images/mdt-09-fig23.png)
 
    Figure 23. The DeployLog.txt file.
@@ -52,11 +64,16 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
    Figure 24. Folder created in the Runbooks node.
 
 4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
-5. On the ribbon bar, click **Check Out**.
+
+5. On the ribbon bar, select **Check Out**.
+
 6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
+
 7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
-   1.  Runbook Control / Initialize Data
-   2.  Text File Management / Append Line
+
+   - Runbook Control / Initialize Data
+   - Text File Management / Append Line
+
 8. Connect **Initialize Data** to **Append Line**.
 
    ![figure 25.](../images/mdt-09-fig25.png)
@@ -64,15 +81,19 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
    Figure 25. Activities added and connected.
 
 9. Right-click the **Initialize Data** activity, and select **Properties**
-10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
+
+10. On **the Initialize Data Properties** page, select **Add**, change **Parameter 1** to **OSDComputerName**, and then select **Finish**.
 
     ![figure 26.](../images/mdt-09-fig26.png)
 
     Figure 26. The Initialize Data Properties window.
 
 11. Right-click the **Append Line** activity, and select **Properties**.
+
 12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
+
 13. In the **File** encoding drop-down list, select **ASCII**.
+
 14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
 
     ![figure 27.](../images/mdt-09-fig27.png)
@@ -85,23 +106,32 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
 
     Figure 28. Subscribing to data.
 
-16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
+16. In the **Published Data** window, select the **OSDComputerName** item, and select **OK**.
+
 17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
-18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
+
+18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and select **OK**.
 
     ![figure 29.](../images/mdt-09-fig29.png)
 
     Figure 29. The expanded text box after all subscriptions have been added.
 
-19. On the **Append Line Properties** page, click **Finish**.
-    ## <a href="" id="sec03"></a>Test the demo MDT runbook
-    After the runbook is created, you are ready to test it.
-20. On the ribbon bar, click **Runbook Tester**.
-21. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
-    -   OSDComputerName: PC0010
-22. Verify that all activities are green (for additional information, see each target).
-23. Close the **Runbook Tester**.
-24. On the ribbon bar, click **Check In**.
+19. On the **Append Line Properties** page, select **Finish**.
+## Test the demo MDT runbook
+
+After the runbook is created, you're ready to test it.
+
+1. On the ribbon bar, select **Runbook Tester**.
+
+2. Select **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then select **OK**:
+
+    - **OSDComputerName**: PC0010
+
+3. Verify that all activities are green (for more information, see each target).
+
+4. Close the **Runbook Tester**.
+
+5. On the ribbon bar, select **Check In**.
 
 ![figure 30.](../images/mdt-09-fig30.png)
 
@@ -109,23 +139,33 @@ Figure 30. All tests completed.
 
 ## Use the MDT demo runbook from MDT
 
-1.  On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
-2.  Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-    1.  Task sequence ID: OR001
-    2.  Task sequence name: Orchestrator Sample
-    3.  Task sequence comments: &lt;blank&gt;
-    4.  Template: Custom Task Sequence
-3.  In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
-4.  Remove the default **Application Install** action.
-5.  Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
-6.  After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
-    1.  Name: Set Task Sequence Variable
-    2.  Task Sequence Variable: OSDComputerName
-    3.  Value: %hostname%
-7.  After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
-    1.  Orchestrator Server: OR01.contoso.com
-    2.  Use Browse to select **1.0 MDT / MDT Sample**.
-8.  Click **OK**.
+1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
+
+2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the **New Task Sequence Wizard**:
+
+   - **Task sequence ID**: OR001
+   - **Task sequence name**: Orchestrator Sample
+   - **Task sequence comments**: *\<blank\>*
+   - **Template**: Custom Task Sequence
+
+3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
+
+4. Remove the default **Application Install** action.
+
+5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
+
+6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
+
+   - **Name**: Set Task Sequence Variable
+   - **Task Sequence Variable**: OSDComputerName
+   - **Value**: %hostname%
+
+7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
+
+   - **Orchestrator Server**: OR01.contoso.com
+   - Use **Browse** to select **1.0 MDT / MDT Sample**.
+
+8. Select **OK**.
 
 ![figure 31.](../images/mdt-09-fig31.png)
 
@@ -133,40 +173,41 @@ Figure 31. The ready-made task sequence.
 
 ## Run the orchestrator sample task sequence
 
-Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
-**Note**  
-Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)).
- 
-1.  On PC0001, log on as **CONTOSO\\MDT\_BA**.
-2.  Using an elevated command prompt (run as Administrator), type the following command:
+Since this task sequence just starts a runbook, you can test the task sequence on the PC0001 client that you used for the MDT simulation environment.
 
-    ``` syntax
-    cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
+> [!NOTE]
+> Make sure the account you're using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)).
+
+1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
+
+2. Using an elevated command prompt (run as Administrator), type the following command:
+
+    ```cmd
+    cscript.exe \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
     ```
-3.  Complete the Windows Deployment Wizard using the following information:
-    1.  Task Sequence: Orchestrator Sample
-    2.  Credentials:
-        1.  User Name: MDT\_BA
-        2.  Password: P@ssw0rd
-        3.  Domain: CONTOSO
-4.  Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
+
+3. Complete the **Windows Deployment Wizard** using the following information:
+
+    1. **Task Sequence**: Orchestrator Sample
+
+    2. **Credentials**:
+
+      - **User Name**: MDT\_BA
+      - **Password**: P@ssw0rd
+      - **Domain**: CONTOSO
+
+4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
 
 ![figure 32.](../images/mdt-09-fig32.png)
 
 Figure 32. The ready-made task sequence.
 
-## Related topics
+## Related articles
 
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 33cc3b4d4b..61bd481d35 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -2,91 +2,99 @@
 title: Use MDT database to stage Windows 10 deployment info (Windows 10)
 description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Use the MDT database to stage Windows 10 deployment information
 
-This topic is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many additional settings for the machines.
+This article is designed to teach you how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database, rather than include the information in a text file (CustomSettings.ini). You can use this process, for example, to add the client machines you want to deploy, specify their computer names and IP addresses, indicate applications to be deployed, and determine many more settings for the machines.
 
-## <a href="" id="sec01"></a>Database prerequisites
+## Database prerequisites
 
-MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
+MDT can use either SQL Server Express or full SQL Server. However, since the deployment database isn't large, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
 
->[!NOTE]
->Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
- 
-## <a href="" id="sec02"></a>Create the deployment database
+> [!NOTE]
+> Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
+
+## Create the deployment database
 
 The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
 
->[!NOTE]
->Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
- 
-1.  On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
-2.  In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:
-    1.  SQL Server Name: MDT01
-    2.  Instance: SQLEXPRESS
-    3.  Port: &lt;blank&gt;
-    4.  Network Library: Named Pipes
-3.  On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
-4.  On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
+> [!NOTE]
+> Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
+
+1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
+
+2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and select **Next**:
+
+    1. SQL Server Name: MDT01
+    2. Instance: SQLEXPRESS
+    3. Port: &lt;blank&gt;
+    4. Network Library: Named Pipes
+
+3. On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and select **Next**.
+
+4. On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and select **Next**. Select **Next** again and then select **Finish**.
 
 ![figure 8.](../images/mdt-09-fig08.png)
 
 Figure 8. The MDT database added to MDT01.
 
-## <a href="" id="sec03"></a>Configure database permissions
+## Configure database permissions
 
 After creating the database, you need to assign permissions to it. In MDT, the account you used to run the deployment is used to access the database. In this environment, the network access account is MDT\_BA.
-1.  On MDT01, start SQL Server Management Studio.
-2.  In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
-3.  In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
+
+1. On MDT01, start SQL Server Management Studio.
+
+2. In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and select **Connect**.
+
+3. In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
 
     ![figure 9.](../images/mdt-09-fig09.png)
 
     Figure 9. The top-level Security node.
 
-4.  On the **Login - New** page, next to the **Login** name field, click **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
-    1.  db\_datareader
-    2.  db\_datawriter
-    3.  public (default)
-5.  Click **OK**, and close SQL Server Management Studio.
+4. On the **Login - New** page, next to the **Login** name field, select **Search**, and search for **CONTOSO\\MDT\_BA**. Then in the left pane, select **User Mapping**. Select the **MDT** database, and assign the following roles:
+
+    1. db\_datareader
+    2. db\_datawriter
+    3. public (default)
+
+5. Select **OK**, and close SQL Server Management Studio.
 
 ![figure 10.](../images/mdt-09-fig10.png)
 
 Figure 10. Creating the login and settings permissions to the MDT database.
 
-## <a href="" id="sec04"></a>Create an entry in the database
+## Create an entry in the database
 
 To start using the database, you add a computer entry and assign a description and computer name. Use the computer's MAC Address as the identifier.
-1.  On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
-2.  Right-click **Computers**, select **New**, and add a computer entry with the following settings:
-    1.  Description: New York Site - PC00075
-    2.  MacAddress: &lt;PC00075 MAC Address in the 00:00:00:00:00:00 format&gt;
-    3.  Details Tab / OSDComputerName: PC00075
+
+1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration**, and expand **Database**.
+
+2. Right-click **Computers**, select **New**, and add a computer entry with the following settings:
+
+    1. Description: New York Site - PC00075
+    2. MacAddress: &lt;PC00075 MAC Address in the 00:00:00:00:00:00 format&gt;
+    3. Details Tab / OSDComputerName: PC00075
 
 ![figure 11.](../images/mdt-09-fig11.png)
 
 Figure 11. Adding the PC00075 computer to the database.
 
-## Related topics
+## Related articles
 
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use web services in MDT](use-web-services-in-mdt.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use web services in MDT](use-web-services-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 2f427ac529..02770d5644 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -1,93 +1,112 @@
 ---
 title: Use web services in MDT (Windows 10)
-description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
+description: Learn how to create a web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/28/2022
 ---
 
 # Use web services in MDT
 
-In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
-Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
+In this article, you'll learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
+Using a web service in MDT is straightforward, but it does require that you've enabled the Web Server (IIS) role on the server. Developing web services involves some coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
 
-## <a href="" id="sec01"></a>Create a sample web service
+## Create a sample web service
 
-In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://www.microsoft.com/download/details.aspx?id=42516) from the Microsoft Download Center and extracted it to C:\\Projects.
-1.  On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
-2.  On the ribbon bar, verify that Release is selected.
-3.  In the **Debug** menu, select the **Build MDTSample** action.
-4.  On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
-5.  From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
-6.  From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
-    1.  Web.config
-    2.  mdtsample.asmx
+In these steps, we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://www.microsoft.com/download/details.aspx?id=42516) from the Microsoft Download Center and extracted it to C:\\Projects.
 
-![figure 15.](../images/mdt-09-fig15.png)
+1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
 
-Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
+2. On the ribbon bar, verify that Release is selected.
 
-## <a href="" id="sec02"></a>Create an application pool for the web service
+3. In the **Debug** menu, select the **Build MDTSample** action.
 
-This section assumes that you have enabled the Web Server (IIS) role on MDT01.
-1.  On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
-2.  Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**.
-3.  Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
-    1.  Name: MDTSample
-    2.  .NET Framework version: .NET Framework 4.0.30319
-    3.  Manage pipeline mode: Integrated
-    4.  Select the **Start application pool immediately** check box.
-    5.  Click **OK**.
+4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
 
-![figure 16.](../images/mdt-09-fig16.png)
+5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
 
-Figure 16. The new MDTSample application.
+6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
 
-## <a href="" id="sec03"></a>Install the web service
+   - Web.config
+   - mdtsample.asmx
 
-1.  On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
-    1.  Alias: MDTSample
-    2.  Application pool: MDTSample
-    3.  Physical Path: E:\\MDTSample
+    ![figure 15.](../images/mdt-09-fig15.png)
+
+    Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
+
+## Create an application pool for the web service
+
+This section assumes that you've enabled the Web Server (IIS) role on MDT01.
+
+1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
+
+2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the **Do you want to get started with Microsoft Web Platform?** question, select the **Do not show this message** check box and then select **No**.
+
+3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
+
+   - **Name**: MDTSample
+   - **.NET Framework version**: .NET Framework 4.0.30319
+   - **Manage pipeline mode**: Integrated
+   - Select the **Start application pool immediately** check box.
+   - Select **OK**.
+
+    ![figure 16.](../images/mdt-09-fig16.png)
+
+    Figure 16. The new MDTSample application.
+
+## Install the web service
+
+1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
+
+   - **Alias**: MDTSample
+   - **Application pool**: MDTSample
+   - **Physical Path**: E:\\MDTSample
 
     ![figure 17.](../images/mdt-09-fig17.png)
 
     Figure 17. Adding the MDTSample web application.
 
-2.  In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
-    1.  Anonymous Authentication: Enabled
-    2.  ASP.NET Impersonation: Disabled
+2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
 
-![figure 18.](../images/mdt-09-fig18.png)
+   - **Anonymous Authentication**: Enabled
+   - **ASP.NET Impersonation**: Disabled
 
-Figure 18. Configuring Authentication for the MDTSample web service.
+    ![figure 18.](../images/mdt-09-fig18.png)
 
-## <a href="" id="sec04"></a>Test the web service in Internet Explorer
+    Figure 18. Configuring Authentication for the MDTSample web service.
 
-1.  On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
-2.  Click the **GetComputerName** link.
+## Test the web service in Internet Explorer
+
+1. On PC0001, using Internet Explorer, navigate to: **`http://MDT01/MDTSample/mdtsample.asmx'**.
+
+2. Select the **GetComputerName** link.
 
     ![figure 19.](../images/mdt-09-fig19.png)
 
     Figure 19. The MDT Sample web service.
-3.  On the **GetComputerName** page, type in the following settings, and click **Invoke**:
-    1.  Model: Hewlett-Packard
-    2.  SerialNumber: 123456789
 
-![figure 20.](../images/mdt-09-fig20.png)
+3. On the **GetComputerName** page, type in the following settings, and select **Invoke**:
 
-Figure 20. The result from the MDT Sample web service.
+   - **Model**: Hewlett-Packard
+   - **SerialNumber**: 123456789
 
-## <a href="" id="sec05"></a>Test the web service in the MDT simulation environment
+    ![figure 20.](../images/mdt-09-fig20.png)
 
-After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
+    Figure 20. The result from the MDT Sample web service.
+
+## Test the web service in the MDT simulation environment
+
+After verifying the web service using Internet Explorer, you're ready to do the same test in the MDT simulation environment.
 
 1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
-   ``` 
+
+   ```ini
    [Settings]
    Priority=Default, GetComputerName
    [Default]
@@ -97,35 +116,32 @@ After verifying the web service using Internet Explorer, you are ready to do the
    Parameters=Model,SerialNumber
    OSDComputerName=string
    ```
+
    ![figure 21.](../images/mdt-09-fig21.png)
 
    Figure 21. The updated CustomSettings.ini file.
 
 2. Save the CustomSettings.ini file.
+
 3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
-   ``` 
+
+   ```powershell
    Set-Location C:\MDT
    .\Gather.ps1
    ```
+
 4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
 
-![figure 22.](../images/mdt-09-fig22.png)
+    ![figure 22.](../images/mdt-09-fig22.png)
 
-Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
+    Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
 
-## Related topics
+## Related articles
 
-[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-
-[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
- 
+- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index 3f3f880cc0..0a538f15f8 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -1,57 +1,57 @@
 ---
 title: Deploy Windows To Go in your organization (Windows 10)
-description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface as well as programatically with Windows PowerShell.
+description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface and programatically with Windows PowerShell.
 ms.reviewer: 
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+author: frankroj
+ms.author: frankroj
+ms.prod: windows-client
+ms.technology: itpro-deploy
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.date: 11/23/2022
 ---
 
 # Deploy Windows To Go in your organization
 
+*Applies to:*
 
+- Windows 10
 
-**Applies to**
-
--   Windows 10
-
-This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment.
+This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment.
 
 > [!IMPORTANT]
 > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
 
 ## Deployment tips
 
-The following is a list of items that you should be aware of before you start the deployment process:
+The below list is items that you should be aware of before you start the deployment process:
 
-* Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
+- Only use recommended USB drives for Windows To Go. Use of other drives isn't supported. Check the list at [Windows To Go: feature overview](planning/windows-to-go-overview.md) for the latest USB drives certified for use as Windows To Go drives.
 
-* After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
+- After you provision a new workspace, always eject a Windows To Go drive using the **Safely Remove Hardware and Eject Media** control that can be found in the notification area or in Windows Explorer. Removing the drive from the USB port without ejecting it first can cause the drive to become corrupted.
 
-* When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive.
+- When running a Windows To Go workspace, always shut down the workspace before unplugging the drive.
 
-* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
+- Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
 
-* If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
+- If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive.
 
 ## Basic deployment steps
 
-Unless you're using a customized operating system image, your initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The following steps are used in both small-scale and large-scale Windows To Go deployment scenarios.
+Unless you're using a customized operating system image, your initial Windows To Go workspace won't be domain joined, and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain, and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The steps that follow are used in both small-scale and large-scale Windows To Go deployment scenarios.
 
 Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For more information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)).
 
->[!WARNING]
->If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
+> [!WARNING]
+> If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
 
 ### Create the Windows To Go workspace
 
 In this step we're creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools.
 
->[!WARNING]
->The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
+> [!WARNING]
+> The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
 
 #### To create a Windows To Go workspace with the Windows To Go Creator Wizard
 
@@ -59,39 +59,33 @@ In this step we're creating the operating system image that will be used on the
 
 2. Insert the USB drive that you want to use as your Windows To Go drive into your PC.
 
-3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
+3. Verify that the `.wim` file location (which can be a network share, a DVD, or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
 
-    >[!NOTE]
-    >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)).
+    > [!NOTE]
+    > For more information about `.wim` files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)).
 
-4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. The **Windows To Go Creator Wizard** opens.
+4. Search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. The **Windows To Go Creator Wizard** opens.
 
-5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then click **Next.**
+5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then select **Next.**
 
-6. On the **Choose a Windows image** page, click **Add Search Location** and then navigate to the .wim file location and click select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then click **Next**.
+6. On the **Choose a Windows image** page, select **Add Search Location** and then navigate to the `.wim` file location and select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then select **Next**.
 
-7.  (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions.
-r
+7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you don't wish to encrypt the drive at this time, select **Skip**. If you decide you want to add BitLocker protection later, for instructions see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
 
-    >[!WARNING]
-    >If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated.
+    > [!WARNING]
+    > If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated.
 
-    If you choose to encrypt the Windows To Go drive now:
+    If you choose to encrypt the Windows To Go drive now, enter a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters.
 
-    - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware doesn't support non-ASCII characters.
+    > [!IMPORTANT]
+    > The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)).
 
+8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then select **Create** to start the Windows To Go workspace creation process.
 
-~~~
-    >[!IMPORTANT]
-    >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)).    
-~~~
+    > [!WARNING]
+    > The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.  
 
-8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then click **Create** to start the Windows To Go workspace creation process.
-
-    >[!WARNING]
-    >The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.  
-
-9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer.
+9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page, you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer.
 
 Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options and boot your Windows To Go drive.
 
@@ -99,33 +93,37 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a
 
 The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC.
 
-1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
+1. Search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
 
-2. In the Windows PowerShell session type, the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
+2. In the Windows PowerShell session, enter the following commands to partition a master boot record (MBR) disk for use with a FAT32 system partition and an NTFS-formatted operating system partition. This disk layout can support computers that use either UEFI or BIOS firmware:
 
-    ```
+    <br>
+    <details>
+    <summary>Expand to show PowerShell commands to partition an MBR disk</summary>
+
+    ```powershell
    # The following command will set $Disk to all USB drives with >20 GB of storage
 
     $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
 
    #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
    #
-   # To skip the confirmation prompt, append –confirm:$False
-    Clear-Disk –InputObject $Disk[0] -RemoveData
+   # To skip the confirmation prompt, append -confirm:$False
+    Clear-Disk -InputObject $Disk[0] -RemoveData
 
    # This command initializes a new MBR disk
-    Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR
+    Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR
 
    # This command creates a 350 MB system partition
-    $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive
+    $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive
 
    # This formats the volume with a FAT32 Filesystem
-   # To skip the confirmation dialog, append –Confirm:$False
+   # To skip the confirmation dialog, append -Confirm:$False
     Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
     -Partition $SystemPartition
 
    # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage.
-    $OSPartition = New-Partition –InputObject $Disk[0] -UseMaximumSize
+    $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize
     Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
     -Partition $OSPartition
 
@@ -137,28 +135,31 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
     Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
     ```
 
-3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
+    </details>
 
-    >[!TIP]
-    >The index number must be set correctly to a valid Enterprise image in the .WIM file.
+3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
 
-    ``` 
+    > [!TIP]
+    > The index number must be set correctly to a valid Enterprise image in the `.wim` file.
+
+    ```cmd
     #The WIM file must contain a sysprep generalized image.
-    dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
+    dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
     ```
 
-4.  Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
+4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
 
-
-~~~
-``` 
-W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
-```
-~~~
+    ```cmd
+    W:\Windows\System32\bcdboot.exe W:\Windows /f ALL /s S:
+    ```
 
 5. Apply SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step:
 
-    ``` 
+    <br>
+    <details>
+    <summary>Expand to show example san_policy.xml file</summary>
+
+    ```xml
     <?xml version='1.0' encoding='utf-8' standalone='yes'?>
     <unattend xmlns="urn:schemas-microsoft-com:unattend">
       <settings pass="offlineServicing">
@@ -188,15 +189,21 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
     </unattend>
     ```
 
+    </details>
+
 6. Place the **san\_policy.xml** file created in the previous step into the root directory of the Windows partition on the Windows To Go drive (W: from the previous examples) and run the following command:
 
-    ``` 
+    ```cmd
     Dism.exe /Image:W:\ /Apply-Unattend:W:\san_policy.xml
     ```
 
 7. Create an answer file (unattend.xml) that disables the use of Windows Recovery Environment with Windows To Go. You can use the following code sample to create a new answer file or you can paste it into an existing answer file:
 
-    ``` 
+    <br>
+    <details>
+    <summary>Expand to show example san_policy.xml file</summary>
+
+    ```xml
     <?xml version="1.0" encoding="utf-8"?>
     <unattend xmlns="urn:schemas-microsoft-com:unattend">
         <settings pass="oobeSystem">
@@ -220,88 +227,86 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
     </unattend>
     ```
 
-    After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\)
+    </details>
 
-    >[!IMPORTANT]
-    >Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
+    After the answer file has been saved, copy `unattend.xml` into the sysprep folder on the Windows To Go drive (for example, `W:\Windows\System32\sysprep\`)
 
-    If you do not wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC.
+    > [!IMPORTANT]
+    > Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **`%systemroot%\panther`** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used.
 
+    If you don't wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC.
 
 Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options to test your workspace configuration, [configure the workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)), or [enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
 
-
 ### To prepare a host computer
 
-Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it is attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace.
+Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it's attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace.
 
->[!TIP]
->If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer.
+> [!TIP]
+> If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer.
 
-
-If you want to use the Windows To Go workspace, simply shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer.
+If you want to use the Windows To Go workspace, shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer.
 
 To set the Windows To Go Startup options for host computers running Windows 10:
 
-1. Using Cortana, search for **Windows To Go startup options** and then press **Enter**.
+1. Search for **Windows To Go startup options** and then press **Enter**.
 
-2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB
+2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB
 
 For host computers running Windows 8 or Windows 8.1:
 
 1. Press **Windows logo key+W**, search for **Windows To Go startup options**, and then press **Enter**.
 
-2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB.
+2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then select **Save Changes** to configure the computer to boot from USB.
 
 You can configure your organization's computers to automatically start from the USB drive by enabling the following Group Policy setting:
 
-**\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\Windows To Go Default Startup Options**
+**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Portable Operating System** > **Windows To Go Default Startup Options**
 
-After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it is started. Users will not be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected will not occur unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options.
+After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it's started. Users won't be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected won't occur unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options.
 
-Your host computer is now ready to boot directly into Windows To Go workspace when it is inserted prior to starting the computer. Optionally you can perform [Configure Windows To Go workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) and [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
+Your host computer is now ready to boot directly into Windows To Go workspace when it's inserted prior to starting the computer. Optionally you can perform [Configure Windows To Go workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) and [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
 
 ### Booting your Windows To Go workspace
 
-After you have configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace:
+After you've configured your host PC to boot from USB, you can use the following procedure to boot your Windows To Go workspace:
 
-**To boot your workspace**
+**To boot your workspace:**
 
-1.  Make sure that the host PC is not in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it.
+1. Make sure that the host PC isn't in a sleep state. If the computer is in a sleep state, either shut it down or hibernate it.
 
-2.  Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Do not use a USB hub or extender.
+2. Insert the Windows To Go USB drive directly into a USB 3.0 or USB 2.0 port on the PC. Don't use a USB hub or extender.
 
-3.  Turn on the PC. If your Windows To Go drive is protected with BitLocker you will be asked to type the password, otherwise the workspace will boot directly into the Windows To Go workspace.
+3. Turn on the PC. If your Windows To Go drive is protected with BitLocker you'll be asked to enter the password, otherwise the workspace will boot directly into the Windows To Go workspace.
 
 ## Advanced deployment steps
 
-
-The following steps are used for more advanced deployments where you want to have further control over the configuration of the Windows To Go drives, ensure that they are correctly configured for remote access to your organizational resources, and have been protected with BitLocker Drive Encryption.
+The following steps are used for more advanced deployments where you want to have further control over the configuration of the Windows To Go drives, ensure that they're correctly configured for remote access to your organizational resources, and have been protected with BitLocker Drive Encryption.
 
 ### Configure Windows To Go workspace for remote access
 
-Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer which is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that do not have physical access to your corporate network.
+Making sure that Windows To Go workspaces are effective when used off premises is essential to a successful deployment. One of the key benefits of Windows To Go is the ability for your users to use the enterprise managed domain joined workspace on an unmanaged computer that is outside your corporate network. To enable this usage, typically you would provision the USB drive as described in the basic deployment instructions and then add the configuration to support domain joining of the workspace, installation of any line-of-business applications, and configuration of your chosen remote connectivity solution such as a virtual private network client or DirectAccess. Once these configurations have been performed the user can work from the workspace using a computer that is off-premises. The following procedure allows you to provision domain joined Windows To Go workspaces for workers that don't have physical access to your corporate network.
 
-**Prerequisites for remote access scenario**
+**Prerequisites for remote access scenario:**
 
--   A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer
+- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer
 
--   A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings.
+- A Windows To Go drive that hasn't been booted or joined to the domain using unattend settings.
 
--   A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer
+- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer
 
--   [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain
+- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain
 
-**To configure your Windows To Go workspace for remote access**
+**To configure your Windows To Go workspace for remote access:**
 
 1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by &lt;&gt;) with the ones applicable for your environment:
 
-    ``` 
-    djoin /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
+    ```cmd
+    djoin.exe /provision /domain <exampledomain.com> /machine <examplewindowstogo_workspace_name> /certtemplate <WorkstationAuthentication_template> /policynames <DirectAccess Client Policy: {GUID}> /savefile <C:\example\path\domainmetadatafile> /reuse
     ```
 
-    >[!NOTE]
-    >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)).
+    > [!NOTE]
+    > The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using `djoin.exe` with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information, see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)).
 
 2. Insert the Windows To Go drive.
 
@@ -309,29 +314,33 @@ Making sure that Windows To Go workspaces are effective when used off premises i
 
 4. From the Windows PowerShell command prompt run:
 
-    ``` 
+    <br>
+    <details>
+    <summary>Expand this section to show PowerShell commands to run</summary>
+
+    ```powershell
    # The following command will set $Disk to all USB drives with >20 GB of storage
 
     $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
 
    #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
    #
-   # To skip the confirmation prompt, append –confirm:$False
-    Clear-Disk –InputObject $Disk[0] -RemoveData
+   # To skip the confirmation prompt, append -confirm:$False
+    Clear-Disk -InputObject $Disk[0] -RemoveData
 
    # This command initializes a new MBR disk
-    Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR
+    Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR
 
    # This command creates a 350 MB system partition
-    $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive
+    $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive
 
    # This formats the volume with a FAT32 Filesystem
-   # To skip the confirmation dialog, append –Confirm:$False
+   # To skip the confirmation dialog, append -Confirm:$False
     Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
     -Partition $SystemPartition
 
    # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage.
-    $OSPartition = New-Partition –InputObject $Disk[0] -UseMaximumSize
+    $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize
     Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
     -Partition $OSPartition
 
@@ -343,28 +352,31 @@ Making sure that Windows To Go workspaces are effective when used off premises i
     Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
     ```
 
-5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
+    </details>
 
+5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
 
-~~~
->[!TIP]
->The index number must be set correctly to a valid Enterprise image in the .WIM file.
+    ```cmd
+    #The WIM file must contain a sysprep generalized image.
+    dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
+    ```
 
-``` 
-#The WIM file must contain a sysprep generalized image.
-dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
-```
-~~~
+    > [!TIP]
+    > The index number must be set correctly to a valid Enterprise image in the `.wim` file.
 
 6. After those commands have completed, run the following command:
 
-   ``` 
-   djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
+   ```cmd
+   djoin.exe /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
    ```
 
-7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)):
+7. Next, we'll need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we're hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you've configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)):
 
-   ``` 
+    <br>
+    <details>
+    <summary>Expand this section to show example unattend.xml file</summary>
+
+   ```xml
    <?xml version="1.0" encoding="utf-8"?>
    <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="oobeSystem">
@@ -398,51 +410,61 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind
    </unattend>
    ```
 
+    </details>
+
 8. Safely remove the Windows To Go drive.
 
 9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace.
 
-   * If on premises using a host computer with a direct network connection, sign on using your domain credentials.
+   - If on premises using a host computer with a direct network connection, sign on using your domain credentials.
 
-   * If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials.
+   - If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials.
 
-   >[!NOTE]
-   >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
+   > [!NOTE]
+   > Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain.
 
 You should now be able to access your organization's network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises.
 
 ### Enable BitLocker protection for your Windows To Go drive
 
-Enabling BitLocker on your Windows To Go drive will help ensure that your data is protected from unauthorized use and that if your Windows To Go drive is lost or stolen it will not be easy for an unauthorized person to obtain confidential data or use the workspace to gain access to protected resources in your organization. When BitLocker is enabled, each time you boot your Windows To Go drive, you will be asked to provide the BitLocker password to unlock the drive. The following procedure provides the steps for enabling BitLocker on your Windows To Go drive:
+Enabling BitLocker on your Windows To Go drive will help ensure that your data is protected from unauthorized use and that if your Windows To Go drive is lost or stolen it will not be easy for an unauthorized person to obtain confidential data or use the workspace to gain access to protected resources in your organization. When BitLocker is enabled, each time you boot your Windows To Go drive, you'll be asked to provide the BitLocker password to unlock the drive. The following procedure provides the steps for enabling BitLocker on your Windows To Go drive:
 
 #### Prerequisites for enabling BitLocker scenario
 
-* A Windows To Go drive that can be successfully provisioned.
+- A Windows To Go drive that can be successfully provisioned.
 
-* A computer running Windows 8 configured as a Windows To Go host computer
+- A computer running Windows 8 configured as a Windows To Go host computer
 
-* Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary:
+- Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary:
 
-    **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup**. This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting.
+  - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup**
 
-    **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Configure use of passwords for operating system drives**. This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
+    This policy allows the use of a password key protector with an operating system drive; this policy must be enabled to configure BitLocker from within the Windows To Go workspace. This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a Trusted Platform Module (TPM). You must enable this setting and select the **Allow BitLocker without a compatible TPM** check box and then enable the **Configure use of passwords for operating system drives** setting.
 
-    **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Enable use of BitLocker authentication requiring preboot keyboard input on slates**. This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting is not enabled, passwords cannot be used to unlock BitLocker-protected operating system drives.
+  - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure use of passwords for operating system drives**
+
+    This policy setting enables passwords to be used to unlock BitLocker-protected operating system drives and provides the means to configure complexity and length requirements on passwords for Windows To Go workspaces. For the complexity requirement setting to be effective the Group Policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** must be also enabled.
+
+  - **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Enable use of BitLocker authentication requiring preboot keyboard input on slates**
+  
+    This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. If this setting isn't enabled, passwords can't be used to unlock BitLocker-protected operating system drives.
 
 You can choose to enable BitLocker protection on Windows To Go drives before distributing them to users as part of your provisioning process or you can allow your end-users to apply BitLocker protection to them after they have taken possession of the drive. A step-by-step procedure is provided for both scenarios.
 
-Enabling BitLocker during provisioning ensures that your operating system image is always protected by BitLocker. When enabling BitLocker during the provisioning process you can significantly reduce the time required for encrypting the drive by enabling BitLocker after configuring the disk and just prior to applying the image. If you use this method, you will need to give users their BitLocker password when you give then their Windows To Go workspace. Also, you should instruct your users to boot their workspace and change their BitLocker password as soon as possible (this can be done with standard user privileges).
+Enabling BitLocker during provisioning ensures that your operating system image is always protected by BitLocker. When enabling BitLocker during the provisioning process you can significantly reduce the time required for encrypting the drive by enabling BitLocker after configuring the disk and just prior to applying the image. If you use this method, you'll need to give users their BitLocker password when you give then their Windows To Go workspace. Also, you should instruct your users to boot their workspace and change their BitLocker password as soon as possible (this can be done with standard user privileges).
 
-Enabling BitLocker after distribution requires that your users turn on BitLocker. This means that your Windows To Go workspaces are unprotected until the user enables BitLocker. Administrative rights on the Windows To Go workspace are required to enable BitLocker. For more information about BitLocker see the [BitLocker Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11)).
+Enabling BitLocker after distribution requires that your users turn on BitLocker. This means that your Windows To Go workspaces are unprotected until the user enables BitLocker. Administrative rights on the Windows To Go workspace are required to enable BitLocker. For more information about BitLocker, see the [BitLocker Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11)).
 
 #### BitLocker recovery keys
 
-BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It is recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you do not want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled.
+BitLocker recovery keys are the keys that can be used to unlock a BitLocker protected drive if the standard unlock method fails. It's recommended that your BitLocker recovery keys be backed up to Active Directory Domain Services (AD DS). If you don't want to use AD DS to store recovery keys you can save recovery keys to a file or print them. How BitLocker recovery keys are managed differs depending on when BitLocker is enabled.
 
--   If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS is not used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive.
+- If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS isn't used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive.
 
--   **Warning**  
-    If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS is not used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place.
+- If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS isn't used, they can be printed or saved to a file by the user.
+
+    > [!WARNING]
+    > If backing up recovery keys to AD DS isn't used and the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place.
 
 #### To enable BitLocker during provisioning
 
@@ -454,32 +476,36 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
 
 4. Provision the Windows To Go drive using the following cmdlets:
 
-    >[!NOTE]
-    >If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
+    > [!NOTE]
+    > If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
 
-   ``` 
+    <br>
+    <details>
+    <summary>Expand this section to show PowerShell commands to run</summary>
+
+   ```powershell
    # The following command will set $Disk to all USB drives with >20 GB of storage
 
     $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot }
 
    #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with 'New-Partition…) Validate that this is the correct disk that you want to completely erase.
    #
-   # To skip the confirmation prompt, append –confirm:$False
-    Clear-Disk –InputObject $Disk[0] -RemoveData
+   # To skip the confirmation prompt, append -confirm:$False
+    Clear-Disk -InputObject $Disk[0] -RemoveData
 
    # This command initializes a new MBR disk
-    Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR
+    Initialize-Disk -InputObject $Disk[0] -PartitionStyle MBR
 
    # This command creates a 350 MB system partition
-    $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive
+    $SystemPartition = New-Partition -InputObject $Disk[0] -Size (350MB) -IsActive
 
    # This formats the volume with a FAT32 Filesystem
-   # To skip the confirmation dialog, append –Confirm:$False
+   # To skip the confirmation dialog, append -Confirm:$False
     Format-Volume -NewFileSystemLabel "UFD-System" -FileSystem FAT32 `
     -Partition $SystemPartition
 
    # This command creates the Windows volume using the maximum space available on the drive. The Windows To Go drive should not be used for other file storage.
-    $OSPartition = New-Partition –InputObject $Disk[0] -UseMaximumSize
+    $OSPartition = New-Partition -InputObject $Disk[0] -UseMaximumSize
     Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS `
     -Partition $OSPartition
 
@@ -491,25 +517,27 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
     Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
     ```
 
-   Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
+    </details>
 
-   >[!TIP]
-   >The index number must be set correctly to a valid Enterprise image in the .WIM file.
+   Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
 
-   ``` 
+   > [!TIP]
+   > The index number must be set correctly to a valid Enterprise image in the `.wim` file.
+
+   ```cmd
    #The WIM file must contain a sysprep generalized image.
-   dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
+   dism.exe /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
    ```
 
-5. In the same PowerShell session use the following cmdlet to add a recovery key to the drive:
+5. In the same PowerShell session, use the following cmdlet to add a recovery key to the drive:
 
-   ``` 
+   ```powershell
    $BitlockerRecoveryProtector = Add-BitLockerKeyProtector W: -RecoveryPasswordProtector
    ```
 
 6. Next, use the following cmdlets to save the recovery key to a file:
 
-   ``` 
+   ```powershell
    #The BitLocker Recovery key is essential if for some reason you forget the BitLocker password
    #This recovery key can also be backed up into Active Directory using manage-bde.exe or the
    #PowerShell cmdlet Backup-BitLockerKeyProtector.
@@ -519,61 +547,60 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
 
 7. Then, use the following cmdlets to add the password as a secure string. If you omit the password the cmdlet will prompt you for the password before continuing the operation:
 
-   ``` 
+   ```powershell
    # Create a variable to store the password
-   $spwd = ConvertTo-SecureString -String <password> -AsplainText –Force
+   $spwd = ConvertTo-SecureString -String <password> -AsplainText -Force
    Enable-BitLocker W: -PasswordProtector $spwd
    ```
 
-   >[!WARNING]
-   >To have BitLocker only encrypt used space on the disk append the parameter `–UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background.
+   > [!WARNING]
+   > To have BitLocker only encrypt used space on the disk append the parameter `-UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background.
 
 8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten.
 
-   >[!WARNING]
-   >If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key.
+   > [!WARNING]
+   > If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key.
 
-   If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker). 
+   If you want to have the recovery information stored under the account of the Windows To Go workspace, you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#to-enable-bitlocker-after-distribution).
 
 9. Safely remove the Windows To Go drive.
 
-The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following:
+The Windows To Go drives are now ready to be distributed to users and are protected by BitLocker. When you distribute the drives, make sure the users know the following information:
 
-* Initial BitLocker password that they will need to boot the drives.
+- Initial BitLocker password that they'll need to boot the drives.
 
-* Current encryption status.
+- Current encryption status.
 
-* Instructions to change the BitLocker password after the initial boot.
+- Instructions to change the BitLocker password after the initial boot.
 
-* Instructions for how to retrieve the recovery password if necessary. This may be a help desk process, an automated password retrieval site, or a person to contact.
+- Instructions for how to retrieve the recovery password if necessary. These instructions may be a help desk process, an automated password retrieval site, or a person to contact.
 
-<a href="" id="enable-bitlocker"></a>
 #### To enable BitLocker after distribution
 
 1. Insert your Windows To Go drive into your host computer (that is currently shut down) and then turn on the computer and boot into your Windows To Go workspace
 
 2. Press **Windows logo key+W** to open **Search Settings**, type BitLocker and then select the item for BitLocker Drive Encryption.
 
-3. The drives on the workspace are displayed, click **Turn BitLocker On** for the C: drive. The **BitLocker Setup Wizard** appears.
+3. The drives on the workspace are displayed, select **Turn BitLocker On** for the C: drive. The **BitLocker Setup Wizard** appears.
 
 4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option.
 
->[!NOTE]
->If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace.
+> [!NOTE]
+> If you have not configured the Group Policy setting **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace.
 
 ### Advanced deployment sample script
 
 The following sample script supports the provisioning of multiple Windows To Go drives and the configuration of offline domain join.
 
-The sample script creates an unattend file that streamlines the deployment process so that the initial use of the Windows To Go drive does not prompt the end user for any additional configuration information before starting up.
+The sample script creates an unattend file that streamlines the deployment process so that the initial use of the Windows To Go drive doesn't prompt the end user for any additional configuration information before starting up.
 
 #### Prerequisites for running the advanced deployment sample script
 
-* To run this sample script you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts.
+- To run this sample script, you must open a Windows PowerShell session as an administrator from a domain-joined computer using an account that has permission to create domain accounts.
 
-* Using offline domain join is required by this script, since the script does not create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you are using DirectAccess you will need to modify the djoin.exe command to include the `policynames` and potentially the `certtemplate` parameters.
+- Using offline domain join is required by this script, since the script doesn't create a local administrator user account. However, domain membership will automatically put "Domain admins" into the local administrators group. Review your domain policies. If you're using DirectAccess, you'll need to modify the `djoin.exe` command to include the `policynames` and potentially the `certtemplate` parameters.
 
-* The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters.
+- The script needs to use drive letters, so you can only provision half as many drives as you have free drive letters.
 
 #### To run the advanced deployment sample script
 
@@ -583,22 +610,26 @@ The sample script creates an unattend file that streamlines the deployment proce
 
 3. Configure the PowerShell execution policy. By default PowerShell's execution policy is set to Restricted; that means that scripts won't run until you have explicitly given them permission to. To configure PowerShell's execution policy to allow the script to run, use the following command from an elevated PowerShell prompt:
 
-    ``` 
+    ```powershell
     Set-ExecutionPolicy RemoteSigned
     ```
 
     The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).
 
    > [!TIP]
-   > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing &lt;cmdlet-name&gt; with the name of the cmdlet you want to see the help for:
-   > 
+   > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally, enter the following cmdlet, replacing `<cmdlet-name>` with the name of the cmdlet you want to see the help for:
+   >
    > `Get-Help <cmdlet-name> -Online`
-   > 
+   >
    > This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser.
 
 #### Windows To Go multiple drive provisioning sample script
 
-``` 
+<br>
+<details>
+  <summary>Expand this section to view Windows To Go multiple drive provisioning sample script</summary>
+
+```powershell
 <#
 .SYNOPSIS
 Windows To Go multiple drive provisioning sample script.
@@ -837,7 +868,7 @@ if ($Disks -eq $null)
 #We want to make sure that all non-boot connected USB drives are online, writeable and cleaned.
 #This command will erase all data from all USB drives larger than 20Gb connected to your machine
 #To automate this step you can add: -confirm:$False
-Clear-Disk –InputObject $Disks -RemoveData -erroraction SilentlyContinue
+Clear-Disk -InputObject $Disks -RemoveData -erroraction SilentlyContinue
 
 # Currently the provisioning script needs drive letters (for dism and bcdboot.exe) and the script is more
 # reliable when the main process determines all of the free drives and provides them to the sub-processes.
@@ -863,15 +894,15 @@ foreach ($disk in $Disks)
             $policyFilePath = $args[6]
 
 #For compatibility between UEFI and legacy BIOS we use MBR for the disk.
-            Initialize-Disk –InputObject $Disk -PartitionStyle MBR
+            Initialize-Disk -InputObject $Disk -PartitionStyle MBR
 
 #A short sleep between creating a new partition and formatting helps ensure the partition
 #is ready before formatting.
-            $SystemPartition = New-Partition –InputObject $Disk -Size (350MB) -IsActive
+            $SystemPartition = New-Partition -InputObject $Disk -Size (350MB) -IsActive
             Sleep 1
             Format-Volume -Partition $SystemPartition -FileSystem FAT32 -NewFileSystemLabel "UFD-System" -confirm:$False | Out-Null
 
-            $OSPartition = New-Partition –InputObject $Disk -UseMaximumSize
+            $OSPartition = New-Partition -InputObject $Disk -UseMaximumSize
             Sleep 1
             Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS -Partition $OSPartition -confirm:$False | Out-Null
 
@@ -966,21 +997,22 @@ write-output "Provsioning completed in: $elapsedTime  (hh:mm:ss.000)"
 write-output "" "Provisioning script complete."
 ```
 
+</details>
+
 ## Considerations when using different USB keyboard layouts with Windows To Go
 
 In the PowerShell provisioning script, after the image has been applied, you can add the following commands that will correctly set the keyboard settings. The following example uses the Japanese keyboard layout:
 
-``` 
-            reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log
-            reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f
-            reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f
-            reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f
-            reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f
-            reg unload HKLM\WTG-Keyboard
+```cmd
+reg.exe load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log
+reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f
+reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f
+reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f
+reg.exe add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f
+reg.exe unload HKLM\WTG-Keyboard
 ```
 
-## Related topics
-
+## Related articles
 
 [Windows To Go: feature overview](planning/windows-to-go-overview.md)
 
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index 8463fd9abd..6274640054 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -2,34 +2,35 @@
 title: Deploy Windows 10 (Windows 10)
 description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment.
 ms.reviewer: 
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+author: frankroj
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Deploy Windows 10
 
-Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and topics are available.
+Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. Procedures are provided to help you with a new deployment of the Windows 10 operating system, or to upgrade from a previous version of Windows to Windows 10. The following sections and articles are available.
 
-
-|Topic |Description |
+|Article |Description |
 |------|------------|
-|[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
-|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
-|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
-|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | 
-|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to  deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
-|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
-|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
-|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
-|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
+|[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) |This article provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This article provides information about support for upgrading directly to Windows 10 from a previous operating system. |
+|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This article provides information about support for upgrading from one edition of Windows 10 to another. |
+|[Windows 10 volume license media](windows-10-media.md) |This article provides information about updates to volume licensing media in the current version of Windows 10. |
+|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After you complete this guide, more guides are provided to  deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md). |
+|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to help Windows 10 deployment planning. |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Configuration Manager in your environment, you'll most likely want to use it to deploy Windows 10. This article will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). |
+|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
+|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install more fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
 
-## Related topics
+## Related articles
 
 [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)
diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml
index 72ef0f8a71..07805dc6fb 100644
--- a/windows/deployment/do/TOC.yml
+++ b/windows/deployment/do/TOC.yml
@@ -1,49 +1,67 @@
-- name: Delivery Optimization for Windows client
+- name: Delivery Optimization for Windows client and Microsoft Connected Cache
   href: index.yml
+- name: What's new
+  href: whats-new-do.md
   items: 
-    - name: Get started
-      items: 
-        - name: What is Delivery Optimization
-          href: waas-delivery-optimization.md
-        - name: What's new
-          href: whats-new-do.md
-        - name: Delivery Optimization Frequently Asked Questions
-          href: waas-delivery-optimization-faq.yml
-          
-
-     
-    - name: Configure Delivery Optimization
+- name: Delivery Optimization
+  items: 
+  - name: What is Delivery Optimization
+    href: waas-delivery-optimization.md
+  - name: Delivery Optimization Frequently Asked Questions
+    href: waas-delivery-optimization-faq.yml    
+  - name: Configure Delivery Optimization for Windows clients
+    items:
+    - name: Windows client Delivery Optimization settings
+      href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
+    - name: Configure Delivery Optimization settings using Microsoft Intune
+      href: /mem/intune/configuration/delivery-optimization-windows
+  - name: Resources for Delivery Optimization
+    items:
+    - name: Set up Delivery Optimization for Windows
+      href: waas-delivery-optimization-setup.md
+    - name: Delivery Optimization reference
+      href: waas-delivery-optimization-reference.md
+    - name: Delivery Optimization client-service communication
+      href: delivery-optimization-workflow.md       
+    - name: Using a proxy with Delivery Optimization
+      href: delivery-optimization-proxy.md
+- name: Microsoft Connected Cache
+  items:
+    - name: Microsoft Connected Cache overview
+      href: waas-microsoft-connected-cache.md
+    - name: MCC for Enterprise and Education
       items:
-        - name: Configure Windows Clients
-          items:
-            - name: Windows Delivery Optimization settings
-              href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings
-            - name: Windows Delivery Optimization Frequently Asked Questions
-              href: ../do/waas-delivery-optimization-faq.yml
-        - name: Configure Microsoft Endpoint Manager
-          items:
-            - name: Delivery Optimization settings in Microsoft Intune
-              href: /mem/intune/configuration/delivery-optimization-windows
-     
-    - name: Microsoft Connected Cache
+      - name: Requirements
+        href: mcc-enterprise-prerequisites.md
+      - name: Deploy Microsoft Connected Cache
+        href: mcc-enterprise-deploy.md
+      - name: Update or uninstall MCC
+        href: mcc-enterprise-update-uninstall.md
+      - name: Appendix
+        href: mcc-enterprise-appendix.md
+    - name: MCC for ISPs
       items:
-        - name: MCC overview
-          href: waas-microsoft-connected-cache.md
-        - name: MCC for Enterprise and Education
-          href: mcc-enterprise.md
-        - name: MCC for ISPs
+      - name: How-to guides
+        items:  
+        - name: Operator sign up and service onboarding
+          href: mcc-isp-signup.md
+        - name: Create, provision, and deploy the cache node in Azure portal
+          href: mcc-isp-create-provision-deploy.md
+        - name: Verify cache node functionality and monitor health and performance
+          href: mcc-isp-verify-cache-node.md
+        - name: Update or uninstall your cache node
+          href: mcc-isp-update.md
+      - name: Resources
+        items:
+        - name: Frequently Asked Questions
+          href: mcc-isp-faq.yml
+        - name: Enhancing VM performance
+          href: mcc-isp-vm-performance.md
+        - name: Support and troubleshooting
+          href: mcc-isp-support.md
+        - name: MCC for ISPs (early preview)
           href: mcc-isp.md
+- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache
+  href: delivery-optimization-endpoints.md 
 
-    - name: Resources
-      items:
-        - name: Set up Delivery Optimization for Windows
-          href: waas-delivery-optimization-setup.md
-        - name: Delivery Optimization reference
-          href: waas-delivery-optimization-reference.md
-        - name: Delivery Optimization client-service communication
-          href: delivery-optimization-workflow.md       
-        - name: Using a proxy with Delivery Optimization
-          href: delivery-optimization-proxy.md
-        - name: Content endpoints for Delivery Optimization and Microsoft Connected Cache
-          href: delivery-optimization-endpoints.md         
-
+  
diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md
index 984e7fd026..49b08e601c 100644
--- a/windows/deployment/do/delivery-optimization-endpoints.md
+++ b/windows/deployment/do/delivery-optimization-endpoints.md
@@ -2,10 +2,10 @@
 title: Delivery Optimization and Microsoft Connected Cache content endpoints
 description: List of fully qualified domain names, ports, and associated content types to use Delivery Optimization and Microsoft Connected Cache.
 ms.date: 07/26/2022
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: reference
-ms.localizationpriority: medium 
+ms.localizationpriority: medium
 author: cmknox
 ms.author: carmenf
 ms.reviewer: mstewart
@@ -26,12 +26,12 @@ This article lists the endpoints that need to be allowed through the firewall to
 
 |Domain Name  |Protocol/Port(s)  | Content Type | Additional Information | Version |
 |---------|---------|---------------|-------------------|-----------------|
-| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.delivery.mp.microsoft.com  |  HTTP / 80  | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net |  HTTP / 80  | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com |  HTTP / 80 </br> HTTPs / 443  | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.statics.teams.cdn.office.net |  HTTP / 80 </br> HTTPs / 443  | Teams | | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com |  HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point |
-| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com |  HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates.  | Microsoft Endpoint Configuration Manager Distribution Point |
+| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Microsoft Configuration Manager Distribution Point |
+| *.delivery.mp.microsoft.com  |  HTTP / 80  | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Microsoft Configuration Manager Distribution Point |
+| *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net |  HTTP / 80  | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Microsoft Configuration Manager Distribution Point |
+| *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com |  HTTP / 80 </br> HTTPs / 443  | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Microsoft Configuration Manager Distribution Point |
+| *.statics.teams.cdn.office.net |  HTTP / 80 </br> HTTPs / 443  | Teams | | Microsoft Configuration Manager Distribution Point |
+| *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com |  HTTP / 80 | Xbox | | Microsoft Configuration Manager Distribution Point |
+| *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com |  HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates.  | Microsoft Configuration Manager Distribution Point |
 | *.do.dsp.mp.microsoft.com |  HTTP / 80 </br> HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only.  | Microsoft Connected Cache Managed in Azure |
-| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com |  AMQP / 5671 </br>  MQTT / 8883 </br> HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure |
+| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com |  AMQP / 5671 </br>  MQTT / 8883 </br> HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure |
diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md
index 15bd6957d3..de59da66d7 100644
--- a/windows/deployment/do/delivery-optimization-proxy.md
+++ b/windows/deployment/do/delivery-optimization-proxy.md
@@ -2,12 +2,13 @@
 title: Using a proxy with Delivery Optimization
 manager: dansimp
 description: Settings to use with various proxy configurations to allow Delivery Optimization to work
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.collection: M365-modern-desktop
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Using a proxy with Delivery Optimization
diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md
new file mode 100644
index 0000000000..a7af3ce745
--- /dev/null
+++ b/windows/deployment/do/delivery-optimization-test.md
@@ -0,0 +1,209 @@
+---
+title: Testing Delivery Optimization 
+description: Explanation of Delivery Optimization distributed cache and high-level design. Demonstrate how Delivery Optimization peer-to-peer works in different test scenarios.
+ms.date: 11/08/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
+ms.localizationpriority: medium
+author: cmknox
+ms.author: carmenf
+ms.reviewer: mstewart
+manager: naengler
+---
+
+# Testing Delivery Optimization
+
+## Overview
+
+Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to Win10+ and provides default configuration to get the most out of the typical customer environment. It's used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization, 1) HTTP downloader, 2) Peer-to-peer (P2P) cloud technology, and 3) Microsoft Connected Cache. One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
+
+## Monitoring The Results
+
+Since Delivery Optimization is on by default, you'll be able to monitor the value either through the Windows Settings for ‘Delivery Optimization’, using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report.](../update/wufb-reports-workbook.md) experience in Azure.
+
+In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, ‘Scenario 1: Basic Setup’ should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
+
+## Expectations and Goals
+
+The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal will be to show peer to peer is working as expected, using the following criteria:
+
+* Peers can find each other (for example on the same LAN / subnet / Group – matching your 'Download Mode' policy).
+* Files are downloading in the expected 'Download Mode' policy setting (validates connectivity to DO cloud, HTTP, and local configs).
+* At least some downloads happening via P2P (validates connectivity between peers).
+
+Several elements that influence overall peering, using Delivery Optimization. The most common, impactful environment factors should be considered.
+
+* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device may not be serving a particular file.
+* **File size** **and** **internet connection** **reliability matter.** There's a Delivery Optimization setting to determine the minimum file size to use P2P. In addition, an internet connection must be open and reliable enough to let the Delivery Optimization client make cloud service API calls and download metadata files before starting a file download.
+* **Delivery Optimization Policies can play a role.** In general, it's important to familiarize yourself with the Delivery Optimization settings and defaults [Delivery Optimization reference - Windows Deployment | Microsoft Docs.](waas-delivery-optimization-reference.md).
+
+### Delivery Optimization is a Hybrid P2P Platform
+
+* Delivery Optimization’s hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimization’s ability to find bandwidth savings as more peers become available.
+
+* At the point a download is initiated, the DO client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
+
+* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers, which shows Delivery Optimization continuously evaluating the optimal location from which to download the content.
+
+## Test Scenarios
+
+### Scenario 1: Basic Setup
+
+**Goal:**
+Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment
+
+**Expected Results:**
+Machine 1 will download zero bytes from peers and Machine 2 will download 50-99% from peers.
+
+#### Test Machine Setup
+
+|Setup Checklist| Value/Explanation
+|--------|-------------------------------|
+|Number of machines used| 2 |
+|Virtual Machines/physical devices| 2 |
+|Windows OS version | Windows 10 (21H2) and Windows 11 (21H2) |
+|RAM | 8 GB |
+|Disk size | 127 GB |
+|Network | Connected to same network, one that is representative of the corporate network. |
+|Pause Windows Updates | This controls the test environment so no other content is made available during the test, and potentially altering the outcome of the test. If there are problems and no peering happens, use 'Get-DeliveryOptimizationStatus' on the first machine to return a real-time list of the connected peers. |
+|Ensure all Store apps are up to date | This will help prevent any new, unexpected updates to download during testing. |
+|Delivery Optimization 'Download Mode' Policy | 2 (Group)(set on each machine) |
+|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, ‘[[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)’. |
+|**Required on Windows 11 devices only** set Delivery Optimization 'Restrict Peer Selection' policy | 0-NAT (set on each machine). The default behavior in Windows 11 is set to '2-Local Peer Discovery'. For testing purposes, this needs to be scoped to the NAT. |
+
+#### Test Instructions
+
+The following set of instructions will be used for each machine:
+
+1. Open PowerShell console as 'Administrator'.
+   * Clear the DO cache: 'Delete-DeliveryOptimizationCache'.
+   * Run 'Get-DeliveryOptimizationStatus'.
+2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB).
+
+**On machine #1**
+
+* Run 'Test Instructions'
+
+|Windows 10 | Windows 11
+|--------|-------------------------------|
+| :::image type="content" source="images/test-scenarios/win10/m1-basic-complete.png" alt-text="Windows 10 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win10/m1-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m1-basic-complete.png" alt-text="Windows 11 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win11/m1-basic-complete.png"::: |
+| **Observations** | |
+| * No peers were found on the first machine downloading the content.<br>* 'TotalBytesDownloaded' is equal to the file size.<br>* Status is set to 'Caching' the content so future peers can use it.<br>* Download was happening in the foreground.<br>* DownloadMode is set to 'Group' and no peers were found.<br>* No distinct observations seen between Window 10 and Windows 11 devices. |
+
+*Wait 5 minutes*.
+
+**On machine #2**
+
+* Run 'Test Instructions'
+
+|Windows 10 | Windows 11 |
+|--------|--------------------------------|
+| :::image type="content" source="images/test-scenarios/win10/m2-basic-complete.png" alt-text="Windows 10 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win10/m2-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m2-basic-complete.png" alt-text="Windows 11 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win11/m2-basic-complete.png":::|
+| **Observations** | **Observations**|
+| * A peer was found for the content and 87% of total bytes came from the peer. <br> * One peer was found for the piece of content, which is expected as there are only two devices in the peering group. <br> * Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't. <br> * 'DownloadDuration' is roughly the same between machines.|* A peer was found for the content and 90% of total bytes came from the peer. <br> * All other points are the same as Windows 10 results. |
+
+### Scenario 2: Advance Setup
+
+**Goal:**
+Demonstrate how Delivery Optimization peer-to-peer technology works in a non-controlled environment and expanding to three machines
+**Expected Results:**
+Machine 1 will download zero bytes from peers and Machine 2 will find peers and download 50-99% from peers. Machine 3 will find two peers and download 50-99% from peers.
+
+#### Test Machine Setup
+
+|Setup Checklist| Value/Explanation |
+|--------|-------------------------------|
+|Number of machines used| 3 |
+|Virtual Machines| 3 |
+|Windows OS version | Windows 10 (21H2) |
+|RAM | 8 GB |
+|Disk size | 127 GB |
+|Network | Connected to same network, one that is representative of the corporate network. |
+|Delivery Optimization 'Download Mode' Policy| 2 (Group)(set on each machine) |
+|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)'. |
+|Delivery Optimization 'Delay background download from http' Policy | 60 (set on each machine) |
+|Delivery Optimization 'Delay foreground download from http Policy |60 (set on each machine) |
+
+#### Testing Instructions
+
+The following set of instructions will be used for each machine:
+
+1. Clear the DO cache: ‘Delete-DeliveryOptimizationCache’.
+2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB).
+3. Open PowerShell console as Administrator. Run 'Get-DeliveryOptimizationStatus'.
+
+**On machine #1:**
+
+* Run ‘Test Instructions’
+
+**Output: Windows 10 (21H2)**
+
+![Windows 10 21H2 - Machine 1 - Advanced Test.](images/test-scenarios/win10/m1-adv-complete.png)
+
+**Observations**
+
+* The first download in the group of devices shows all bytes coming from HTTP, 'BytesFromHttp'.
+* Download is in the ‘Foreground’ because the Store app is doing the download and in the foreground on the device because it is initiated by the user in the Store app.
+* No peers are found.
+
+*Wait 5 minutes*.
+
+**On machine #2:**
+
+* Run ‘Test Instructions’
+
+**Output** Windows 10 (21H2)
+
+![Windows 10 21H2 - Machine 2 - Advanced Test.](images/test-scenarios/win10/m2-adv-complete.png)
+
+**Observations**
+
+* 'PercentPeerCaching' is 99.8%
+* There are still 'BytesFromHttp' source being used
+* One peer was found
+* All peering was done from device on the LAN, as shown with 'BytesFromLanPeers'
+
+**On machine #3:**
+
+* Run ‘Test Instructions’
+
+**Output:** Windows 10 (21H2)
+
+![Windows 10 21H2 - Machine 3 - Advanced Test.](images/test-scenarios/win10/m3-adv-complete.png)
+
+**Observations**
+
+* 'PercentPeerCaching' is roughly the same as machine #2, at 99.7%.
+* Now, two peers are found.
+* Still downloading from HTTP source as seen with 'BytesFromHttp' value.
+
+## Peer sourcing observations for all machines in the test group
+
+The distributed nature of the Delivery Optimization technology is obvious when you rerun the ‘Get-DeliveryOptimizationStatus’ cmdlet on each of the test machines. For each, there's a new value populated for the ‘BytesToLanPeers’ field. This demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
+  
+**Output:** Machine 1
+
+'BytesToPeers' sourced from Machine 1 are '5704426044'. This represents the total number of bytes downloaded by the two peers in the group.
+
+![Windows 10 21H2 - Machine 1 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m1-adv-bytes-to-peers.png)
+
+**Output:** Machine 2
+
+'BytesToPeers' sourced from Machine 2 are '1899143740'. When there are two peers in the group with bytes available, notice that the distribution of bytes comes from either Machine 1 or Machine 2.
+
+![Windows 10 21H2 - Machine 2 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m2-adv-bytes-to-peers.png)
+
+**Output:** Machine 3
+
+'BytesToPeers' sourced from Machine 3 are '0'. This means that no other peers are downloading bytes from this peer, which is expected since it was the last machine in the group.
+
+![Windows 10 21H2 - Machine 3 - Advanced BytesToPeers Test.](images/test-scenarios/win10/m3-adv-bytes-to-peers.png)
+
+## Conclusion
+
+Using Delivery Optimization can help make a big impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device.
+
+The testing scenarios found in this document help to show a controlled test environment, helping to prevent updates from interrupting the peering results. The other, a more real-world case, demonstrates how content available across peers will be used as the source of the content.
+
+If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment.
diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md
index 0edb9f9ba1..e5513df9f2 100644
--- a/windows/deployment/do/delivery-optimization-workflow.md
+++ b/windows/deployment/do/delivery-optimization-workflow.md
@@ -2,12 +2,13 @@
 title: Delivery Optimization client-service communication explained
 manager: dougeby
 description: Details of how Delivery Optimization communicates with the server when content is requested to download.
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.collection: M365-modern-desktop
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Delivery Optimization client-service communication explained
diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png
new file mode 100644
index 0000000000..ea8db2a08a
Binary files /dev/null and b/windows/deployment/do/images/addcachenode.png differ
diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
new file mode 100644
index 0000000000..f97aed1785
--- /dev/null
+++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md
@@ -0,0 +1,30 @@
+---
+title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diagnose/Solve feature UI
+manager: aaroncz
+description: Elixir images read me file
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: nidos
+ms.localizationpriority: medium
+ms.author: nidos
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Read Me
+
+This file contains the images that are included in this GitHub repository that are used by the Azure UI for Diagnose and Solve. The following images _shouldn't be removed_ from the repository: 
+
+:::image type="content" source="ux-check-verbose-2.png" alt-text="A screenshot that shows 6 out of the 22 checks raising errors.":::
+
+:::image type="content" source="ux-check-verbose-1.png" alt-text="A screenshot that all checks passing after the iotedge check command.":::
+
+:::image type="content" source="ux-connectivity-check.png" alt-text="A screenshot of green checkmarks, showing that all of the connectivity checks are successful.":::
+
+:::image type="content" source="ux-edge-agent-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', which shows three containers and the edgeAgent container failing.":::
+
+:::image type="content" source="ux-iot-edge-list.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing all three containers running successfully.":::
+
+:::image type="content" source="ux-mcc-failed.png" alt-text="A screenshot of the terminal after the command 'iotedge list', showing the MCC container in a failure state.":::
\ No newline at end of file
diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png
new file mode 100644
index 0000000000..692416d04c
Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-1.png differ
diff --git a/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png
new file mode 100644
index 0000000000..5f232fe0c6
Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-check-verbose-2.png differ
diff --git a/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png
new file mode 100644
index 0000000000..0e72c45b33
Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-connectivity-check.png differ
diff --git a/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png
new file mode 100644
index 0000000000..1ce0e3e929
Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-edge-agent-failed.png differ
diff --git a/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png
new file mode 100644
index 0000000000..a26638a119
Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-iot-edge-list.png differ
diff --git a/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png
new file mode 100644
index 0000000000..b82d0e4441
Binary files /dev/null and b/windows/deployment/do/images/elixir_ux/ux-mcc-failed.png differ
diff --git a/windows/deployment/do/images/emcc07.png b/windows/deployment/do/images/emcc07.png
deleted file mode 100644
index 21420eab09..0000000000
Binary files a/windows/deployment/do/images/emcc07.png and /dev/null differ
diff --git a/windows/deployment/do/images/emcc10.png b/windows/deployment/do/images/emcc10.png
deleted file mode 100644
index 77c8754bf5..0000000000
Binary files a/windows/deployment/do/images/emcc10.png and /dev/null differ
diff --git a/windows/deployment/do/images/emcc06.png b/windows/deployment/do/images/ent-mcc-azure-cache-created.png
similarity index 100%
rename from windows/deployment/do/images/emcc06.png
rename to windows/deployment/do/images/ent-mcc-azure-cache-created.png
diff --git a/windows/deployment/do/images/emcc05.png b/windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png
similarity index 100%
rename from windows/deployment/do/images/emcc05.png
rename to windows/deployment/do/images/ent-mcc-azure-create-connected-cache.png
diff --git a/windows/deployment/do/images/emcc04.png b/windows/deployment/do/images/ent-mcc-azure-marketplace.png
similarity index 100%
rename from windows/deployment/do/images/emcc04.png
rename to windows/deployment/do/images/ent-mcc-azure-marketplace.png
diff --git a/windows/deployment/do/images/emcc03.png b/windows/deployment/do/images/ent-mcc-azure-search-result.png
similarity index 100%
rename from windows/deployment/do/images/emcc03.png
rename to windows/deployment/do/images/ent-mcc-azure-search-result.png
diff --git a/windows/deployment/do/images/emcc08.png b/windows/deployment/do/images/ent-mcc-cache-nodes.png
similarity index 100%
rename from windows/deployment/do/images/emcc08.png
rename to windows/deployment/do/images/ent-mcc-cache-nodes.png
diff --git a/windows/deployment/do/images/emcc20.png b/windows/deployment/do/images/ent-mcc-connect-eflowvm.png
similarity index 100%
rename from windows/deployment/do/images/emcc20.png
rename to windows/deployment/do/images/ent-mcc-connect-eflowvm.png
diff --git a/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png
new file mode 100644
index 0000000000..45cb01de9f
Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-connected-cache-installer-download.png differ
diff --git a/windows/deployment/do/images/emcc02.png b/windows/deployment/do/images/ent-mcc-create-azure-resource.png
similarity index 100%
rename from windows/deployment/do/images/emcc02.png
rename to windows/deployment/do/images/ent-mcc-create-azure-resource.png
diff --git a/windows/deployment/do/images/ent-mcc-create-cache-failed.png b/windows/deployment/do/images/ent-mcc-create-cache-failed.png
new file mode 100644
index 0000000000..5c2ac09d56
Binary files /dev/null and b/windows/deployment/do/images/ent-mcc-create-cache-failed.png differ
diff --git a/windows/deployment/do/images/emcc09.5.png b/windows/deployment/do/images/ent-mcc-create-cache-node-name.png
similarity index 100%
rename from windows/deployment/do/images/emcc09.5.png
rename to windows/deployment/do/images/ent-mcc-create-cache-node-name.png
diff --git a/windows/deployment/do/images/emcc09.png b/windows/deployment/do/images/ent-mcc-create-cache-node.png
similarity index 100%
rename from windows/deployment/do/images/emcc09.png
rename to windows/deployment/do/images/ent-mcc-create-cache-node.png
diff --git a/windows/deployment/do/images/emcc11.png b/windows/deployment/do/images/ent-mcc-delete-cache-node.png
similarity index 100%
rename from windows/deployment/do/images/emcc11.png
rename to windows/deployment/do/images/ent-mcc-delete-cache-node.png
diff --git a/windows/deployment/do/images/emcc29.png b/windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png
similarity index 100%
rename from windows/deployment/do/images/emcc29.png
rename to windows/deployment/do/images/ent-mcc-delivery-optimization-activity.png
diff --git a/windows/deployment/do/images/emcc12.png b/windows/deployment/do/images/ent-mcc-download-installer.png
similarity index 100%
rename from windows/deployment/do/images/emcc12.png
rename to windows/deployment/do/images/ent-mcc-download-installer.png
diff --git a/windows/deployment/do/images/emcc28.png b/windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png
similarity index 100%
rename from windows/deployment/do/images/emcc28.png
rename to windows/deployment/do/images/ent-mcc-get-deliveryoptimizationstatus.png
diff --git a/windows/deployment/do/images/emcc26.png b/windows/deployment/do/images/ent-mcc-group-policy-hostname.png
similarity index 100%
rename from windows/deployment/do/images/emcc26.png
rename to windows/deployment/do/images/ent-mcc-group-policy-hostname.png
diff --git a/windows/deployment/do/images/emcc13.png b/windows/deployment/do/images/ent-mcc-installer-script.png
similarity index 100%
rename from windows/deployment/do/images/emcc13.png
rename to windows/deployment/do/images/ent-mcc-installer-script.png
diff --git a/windows/deployment/do/images/emcc23.png b/windows/deployment/do/images/ent-mcc-intune-do.png
similarity index 100%
rename from windows/deployment/do/images/emcc23.png
rename to windows/deployment/do/images/ent-mcc-intune-do.png
diff --git a/windows/deployment/do/images/emcc24.png b/windows/deployment/do/images/ent-mcc-iotedge-list.png
similarity index 100%
rename from windows/deployment/do/images/emcc24.png
rename to windows/deployment/do/images/ent-mcc-iotedge-list.png
diff --git a/windows/deployment/do/images/emcc25.png b/windows/deployment/do/images/ent-mcc-journalctl.png
similarity index 100%
rename from windows/deployment/do/images/emcc25.png
rename to windows/deployment/do/images/ent-mcc-journalctl.png
diff --git a/windows/deployment/do/images/emcc01.png b/windows/deployment/do/images/ent-mcc-overview.png
similarity index 100%
rename from windows/deployment/do/images/emcc01.png
rename to windows/deployment/do/images/ent-mcc-overview.png
diff --git a/windows/deployment/do/images/emcc19.png b/windows/deployment/do/images/ent-mcc-script-complete.png
similarity index 100%
rename from windows/deployment/do/images/emcc19.png
rename to windows/deployment/do/images/ent-mcc-script-complete.png
diff --git a/windows/deployment/do/images/emcc17.png b/windows/deployment/do/images/ent-mcc-script-device-code.png
similarity index 100%
rename from windows/deployment/do/images/emcc17.png
rename to windows/deployment/do/images/ent-mcc-script-device-code.png
diff --git a/windows/deployment/do/images/emcc16.png b/windows/deployment/do/images/ent-mcc-script-dynamic-address.png
similarity index 100%
rename from windows/deployment/do/images/emcc16.png
rename to windows/deployment/do/images/ent-mcc-script-dynamic-address.png
diff --git a/windows/deployment/do/images/emcc15.png b/windows/deployment/do/images/ent-mcc-script-existing-switch.png
similarity index 100%
rename from windows/deployment/do/images/emcc15.png
rename to windows/deployment/do/images/ent-mcc-script-existing-switch.png
diff --git a/windows/deployment/do/images/emcc14.png b/windows/deployment/do/images/ent-mcc-script-new-switch.png
similarity index 100%
rename from windows/deployment/do/images/emcc14.png
rename to windows/deployment/do/images/ent-mcc-script-new-switch.png
diff --git a/windows/deployment/do/images/emcc18.png b/windows/deployment/do/images/ent-mcc-script-select-hub.png
similarity index 100%
rename from windows/deployment/do/images/emcc18.png
rename to windows/deployment/do/images/ent-mcc-script-select-hub.png
diff --git a/windows/deployment/do/images/emcc27.png b/windows/deployment/do/images/ent-mcc-store-example-download.png
similarity index 100%
rename from windows/deployment/do/images/emcc27.png
rename to windows/deployment/do/images/ent-mcc-store-example-download.png
diff --git a/windows/deployment/do/images/emcc22.png b/windows/deployment/do/images/ent-mcc-verify-server-powershell.png
similarity index 100%
rename from windows/deployment/do/images/emcc22.png
rename to windows/deployment/do/images/ent-mcc-verify-server-powershell.png
diff --git a/windows/deployment/do/images/emcc21.png b/windows/deployment/do/images/ent-mcc-verify-server-ssh.png
similarity index 100%
rename from windows/deployment/do/images/emcc21.png
rename to windows/deployment/do/images/ent-mcc-verify-server-ssh.png
diff --git a/windows/deployment/do/images/imcc07.png b/windows/deployment/do/images/imcc07.png
deleted file mode 100644
index 31668ba8a1..0000000000
Binary files a/windows/deployment/do/images/imcc07.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc21.png b/windows/deployment/do/images/imcc21.png
deleted file mode 100644
index 5bd68d66c5..0000000000
Binary files a/windows/deployment/do/images/imcc21.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc48.png b/windows/deployment/do/images/imcc48.png
deleted file mode 100644
index eb53b7a5be..0000000000
Binary files a/windows/deployment/do/images/imcc48.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc49.png b/windows/deployment/do/images/imcc49.png
deleted file mode 100644
index eb53b7a5be..0000000000
Binary files a/windows/deployment/do/images/imcc49.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc53.png b/windows/deployment/do/images/imcc53.png
deleted file mode 100644
index ddec14d717..0000000000
Binary files a/windows/deployment/do/images/imcc53.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png
deleted file mode 100644
index c40ab0c5c9..0000000000
Binary files a/windows/deployment/do/images/imcc54.png and /dev/null differ
diff --git a/windows/deployment/do/images/imcc24.png b/windows/deployment/do/images/mcc-isp-bash-allocate-space.png
similarity index 100%
rename from windows/deployment/do/images/imcc24.png
rename to windows/deployment/do/images/mcc-isp-bash-allocate-space.png
diff --git a/windows/deployment/do/images/imcc23.png b/windows/deployment/do/images/mcc-isp-bash-datadrive.png
similarity index 100%
rename from windows/deployment/do/images/imcc23.png
rename to windows/deployment/do/images/mcc-isp-bash-datadrive.png
diff --git a/windows/deployment/do/images/imcc20.png b/windows/deployment/do/images/mcc-isp-bash-device-code.png
similarity index 100%
rename from windows/deployment/do/images/imcc20.png
rename to windows/deployment/do/images/mcc-isp-bash-device-code.png
diff --git a/windows/deployment/do/images/imcc22.png b/windows/deployment/do/images/mcc-isp-bash-drive-number.png
similarity index 100%
rename from windows/deployment/do/images/imcc22.png
rename to windows/deployment/do/images/mcc-isp-bash-drive-number.png
diff --git a/windows/deployment/do/images/imcc25.png b/windows/deployment/do/images/mcc-isp-bash-iot-prompt.png
similarity index 100%
rename from windows/deployment/do/images/imcc25.png
rename to windows/deployment/do/images/mcc-isp-bash-iot-prompt.png
diff --git a/windows/deployment/do/images/imcc08.png b/windows/deployment/do/images/mcc-isp-cache-nodes-option.png
similarity index 100%
rename from windows/deployment/do/images/imcc08.png
rename to windows/deployment/do/images/mcc-isp-cache-nodes-option.png
diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/mcc-isp-copy-install-script.png
similarity index 100%
rename from windows/deployment/do/images/imcc19.png
rename to windows/deployment/do/images/mcc-isp-copy-install-script.png
diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/mcc-isp-create-cache-node-fields.png
similarity index 100%
rename from windows/deployment/do/images/imcc10.png
rename to windows/deployment/do/images/mcc-isp-create-cache-node-fields.png
diff --git a/windows/deployment/do/images/imcc09.png b/windows/deployment/do/images/mcc-isp-create-cache-node-option.png
similarity index 100%
rename from windows/deployment/do/images/imcc09.png
rename to windows/deployment/do/images/mcc-isp-create-cache-node-option.png
diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/mcc-isp-create-new-node.png
similarity index 100%
rename from windows/deployment/do/images/imcc12.png
rename to windows/deployment/do/images/mcc-isp-create-new-node.png
diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/mcc-isp-create-node-form.png
similarity index 100%
rename from windows/deployment/do/images/imcc13.png
rename to windows/deployment/do/images/mcc-isp-create-node-form.png
diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/mcc-isp-create-resource.png
similarity index 100%
rename from windows/deployment/do/images/imcc02.png
rename to windows/deployment/do/images/mcc-isp-create-resource.png
diff --git a/windows/deployment/do/images/imcc04.png b/windows/deployment/do/images/mcc-isp-create.png
similarity index 100%
rename from windows/deployment/do/images/imcc04.png
rename to windows/deployment/do/images/mcc-isp-create.png
diff --git a/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png
new file mode 100644
index 0000000000..17fb6a18f1
Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-deploy-cache-node-numbered.png differ
diff --git a/windows/deployment/do/images/imcc06.png b/windows/deployment/do/images/mcc-isp-deployment-complete.png
similarity index 100%
rename from windows/deployment/do/images/imcc06.png
rename to windows/deployment/do/images/mcc-isp-deployment-complete.png
diff --git a/windows/deployment/do/images/imcc01.png b/windows/deployment/do/images/mcc-isp-diagram.png
similarity index 100%
rename from windows/deployment/do/images/imcc01.png
rename to windows/deployment/do/images/mcc-isp-diagram.png
diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/mcc-isp-edge-journalctl.png
similarity index 100%
rename from windows/deployment/do/images/imcc27.png
rename to windows/deployment/do/images/mcc-isp-edge-journalctl.png
diff --git a/windows/deployment/do/images/imcc42.png b/windows/deployment/do/images/mcc-isp-gnu-grub.png
similarity index 100%
rename from windows/deployment/do/images/imcc42.png
rename to windows/deployment/do/images/mcc-isp-gnu-grub.png
diff --git a/windows/deployment/do/images/imcc31.png b/windows/deployment/do/images/mcc-isp-hyper-v-begin.png
similarity index 100%
rename from windows/deployment/do/images/imcc31.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-begin.png
diff --git a/windows/deployment/do/images/imcc36.png b/windows/deployment/do/images/mcc-isp-hyper-v-disk.png
similarity index 100%
rename from windows/deployment/do/images/imcc36.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-disk.png
diff --git a/windows/deployment/do/images/imcc33.png b/windows/deployment/do/images/mcc-isp-hyper-v-generation.png
similarity index 100%
rename from windows/deployment/do/images/imcc33.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-generation.png
diff --git a/windows/deployment/do/images/imcc37.png b/windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png
similarity index 100%
rename from windows/deployment/do/images/imcc37.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-installation-options.png
diff --git a/windows/deployment/do/images/imcc34.png b/windows/deployment/do/images/mcc-isp-hyper-v-memory.png
similarity index 100%
rename from windows/deployment/do/images/imcc34.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-memory.png
diff --git a/windows/deployment/do/images/imcc32.png b/windows/deployment/do/images/mcc-isp-hyper-v-name.png
similarity index 100%
rename from windows/deployment/do/images/imcc32.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-name.png
diff --git a/windows/deployment/do/images/imcc35.png b/windows/deployment/do/images/mcc-isp-hyper-v-networking.png
similarity index 100%
rename from windows/deployment/do/images/imcc35.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-networking.png
diff --git a/windows/deployment/do/images/imcc38.png b/windows/deployment/do/images/mcc-isp-hyper-v-summary.png
similarity index 100%
rename from windows/deployment/do/images/imcc38.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-summary.png
diff --git a/windows/deployment/do/images/imcc41.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png
similarity index 100%
rename from windows/deployment/do/images/imcc41.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-processor.png
diff --git a/windows/deployment/do/images/imcc40.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png
similarity index 100%
rename from windows/deployment/do/images/imcc40.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-security.png
diff --git a/windows/deployment/do/images/imcc39.png b/windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png
similarity index 100%
rename from windows/deployment/do/images/imcc39.png
rename to windows/deployment/do/images/mcc-isp-hyper-v-vm-settings.png
diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/mcc-isp-installer-download.png
similarity index 100%
rename from windows/deployment/do/images/imcc18.png
rename to windows/deployment/do/images/mcc-isp-installer-download.png
diff --git a/windows/deployment/do/images/imcc16.png b/windows/deployment/do/images/mcc-isp-list-nodes.png
similarity index 100%
rename from windows/deployment/do/images/imcc16.png
rename to windows/deployment/do/images/mcc-isp-list-nodes.png
diff --git a/windows/deployment/do/images/imcc05.png b/windows/deployment/do/images/mcc-isp-location-west.png
similarity index 100%
rename from windows/deployment/do/images/imcc05.png
rename to windows/deployment/do/images/mcc-isp-location-west.png
diff --git a/windows/deployment/do/images/mcc-isp-metrics.png b/windows/deployment/do/images/mcc-isp-metrics.png
new file mode 100644
index 0000000000..1ca9078f3e
Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-metrics.png differ
diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/mcc-isp-nmcli.png
similarity index 100%
rename from windows/deployment/do/images/imcc30.png
rename to windows/deployment/do/images/mcc-isp-nmcli.png
diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/mcc-isp-node-configuration.png
similarity index 100%
rename from windows/deployment/do/images/imcc17.png
rename to windows/deployment/do/images/mcc-isp-node-configuration.png
diff --git a/windows/deployment/do/images/imcc15.png b/windows/deployment/do/images/mcc-isp-node-names.png
similarity index 100%
rename from windows/deployment/do/images/imcc15.png
rename to windows/deployment/do/images/mcc-isp-node-names.png
diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/mcc-isp-node-server-ip.png
similarity index 100%
rename from windows/deployment/do/images/imcc11.png
rename to windows/deployment/do/images/mcc-isp-node-server-ip.png
diff --git a/windows/deployment/do/images/mcc-isp-operator-verification.png b/windows/deployment/do/images/mcc-isp-operator-verification.png
new file mode 100644
index 0000000000..3641761e0a
Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-operator-verification.png differ
diff --git a/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png
new file mode 100644
index 0000000000..e61bb78fc4
Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-provision-cache-node-numbered.png differ
diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/mcc-isp-running-containers.png
similarity index 100%
rename from windows/deployment/do/images/imcc26.png
rename to windows/deployment/do/images/mcc-isp-running-containers.png
diff --git a/windows/deployment/do/images/imcc03.png b/windows/deployment/do/images/mcc-isp-search-marketplace.png
similarity index 100%
rename from windows/deployment/do/images/imcc03.png
rename to windows/deployment/do/images/mcc-isp-search-marketplace.png
diff --git a/windows/deployment/do/images/mcc-isp-search.png b/windows/deployment/do/images/mcc-isp-search.png
new file mode 100644
index 0000000000..4ab4f0b0d6
Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-search.png differ
diff --git a/windows/deployment/do/images/mcc-isp-sign-up.png b/windows/deployment/do/images/mcc-isp-sign-up.png
new file mode 100644
index 0000000000..0bc62894c6
Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-sign-up.png differ
diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/mcc-isp-success-instructions.png
similarity index 100%
rename from windows/deployment/do/images/imcc14.png
rename to windows/deployment/do/images/mcc-isp-success-instructions.png
diff --git a/windows/deployment/do/images/imcc45.png b/windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png
similarity index 100%
rename from windows/deployment/do/images/imcc45.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-erase-disk.png
diff --git a/windows/deployment/do/images/imcc44.png b/windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png
similarity index 100%
rename from windows/deployment/do/images/imcc44.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-keyboard.png
diff --git a/windows/deployment/do/images/imcc43.png b/windows/deployment/do/images/mcc-isp-ubuntu-language.png
similarity index 100%
rename from windows/deployment/do/images/imcc43.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-language.png
diff --git a/windows/deployment/do/images/imcc51.png b/windows/deployment/do/images/mcc-isp-ubuntu-restart.png
similarity index 100%
rename from windows/deployment/do/images/imcc51.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-restart.png
diff --git a/windows/deployment/do/images/imcc47.png b/windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png
similarity index 100%
rename from windows/deployment/do/images/imcc47.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-time-zone.png
diff --git a/windows/deployment/do/images/imcc52.png b/windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png
similarity index 100%
rename from windows/deployment/do/images/imcc52.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-upgrade.png
diff --git a/windows/deployment/do/images/imcc50.png b/windows/deployment/do/images/mcc-isp-ubuntu-who.png
similarity index 100%
rename from windows/deployment/do/images/imcc50.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-who.png
diff --git a/windows/deployment/do/images/imcc46.png b/windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png
similarity index 100%
rename from windows/deployment/do/images/imcc46.png
rename to windows/deployment/do/images/mcc-isp-ubuntu-write-changes.png
diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/mcc-isp-use-bgp.png
similarity index 100%
rename from windows/deployment/do/images/imcc55.PNG
rename to windows/deployment/do/images/mcc-isp-use-bgp.png
diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/mcc-isp-wget.png
similarity index 100%
rename from windows/deployment/do/images/imcc28.png
rename to windows/deployment/do/images/mcc-isp-wget.png
diff --git a/windows/deployment/do/images/test-scenarios/win10/m1-adv-bytes-to-peers.png b/windows/deployment/do/images/test-scenarios/win10/m1-adv-bytes-to-peers.png
new file mode 100644
index 0000000000..39e145d0f9
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m1-adv-bytes-to-peers.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win10/m1-adv-complete.png b/windows/deployment/do/images/test-scenarios/win10/m1-adv-complete.png
new file mode 100644
index 0000000000..a5d87e1ebf
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m1-adv-complete.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win10/m1-basic-complete.png b/windows/deployment/do/images/test-scenarios/win10/m1-basic-complete.png
new file mode 100644
index 0000000000..4d958b58f7
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m1-basic-complete.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win10/m2-adv-bytes-to-peers.png b/windows/deployment/do/images/test-scenarios/win10/m2-adv-bytes-to-peers.png
new file mode 100644
index 0000000000..3169fc9cda
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m2-adv-bytes-to-peers.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win10/m2-adv-complete.png b/windows/deployment/do/images/test-scenarios/win10/m2-adv-complete.png
new file mode 100644
index 0000000000..e48269c367
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m2-adv-complete.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win10/m2-basic-complete.png b/windows/deployment/do/images/test-scenarios/win10/m2-basic-complete.png
new file mode 100644
index 0000000000..ebaaeda112
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m2-basic-complete.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win10/m3-adv-bytes-to-peers.png b/windows/deployment/do/images/test-scenarios/win10/m3-adv-bytes-to-peers.png
new file mode 100644
index 0000000000..ba85f09312
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m3-adv-bytes-to-peers.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win10/m3-adv-complete.png b/windows/deployment/do/images/test-scenarios/win10/m3-adv-complete.png
new file mode 100644
index 0000000000..0fa7cacbb9
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win10/m3-adv-complete.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win11/m1-basic-complete.png b/windows/deployment/do/images/test-scenarios/win11/m1-basic-complete.png
new file mode 100644
index 0000000000..108ad7581b
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win11/m1-basic-complete.png differ
diff --git a/windows/deployment/do/images/test-scenarios/win11/m2-basic-complete.png b/windows/deployment/do/images/test-scenarios/win11/m2-basic-complete.png
new file mode 100644
index 0000000000..ae37e90a4f
Binary files /dev/null and b/windows/deployment/do/images/test-scenarios/win11/m2-basic-complete.png differ
diff --git a/windows/deployment/do/includes/get-azure-subscription.md b/windows/deployment/do/includes/get-azure-subscription.md
new file mode 100644
index 0000000000..114671fd5e
--- /dev/null
+++ b/windows/deployment/do/includes/get-azure-subscription.md
@@ -0,0 +1,17 @@
+---
+author: amymzhou
+ms.author: amyzhou
+manager: dougeby
+ms.prod: w10
+ms.collection: M365-modern-desktop
+ms.topic: include
+ms.localizationpriority: medium
+---
+<!--This file is shared by do\mcc-enterprise-appendix.md and the do\mcc-isp.md articles. The headers are context driven -->
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Subscriptions**. If you don't see **Subscriptions**, type **Subscriptions** in the search bar. As you begin typing, the list filters based on your input.
+1. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. 
+1. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. 
+1. On the **Subscriptions** page, you'll find details about your current subscription. Select the subscription name. 
+1. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Select the **Copy to clipboard** icon next to your Subscription ID to copy the value. 
\ No newline at end of file
diff --git a/windows/deployment/do/includes/mcc-prerequisites.md b/windows/deployment/do/includes/mcc-prerequisites.md
new file mode 100644
index 0000000000..f90bc995e6
--- /dev/null
+++ b/windows/deployment/do/includes/mcc-prerequisites.md
@@ -0,0 +1,17 @@
+---
+author: amyzhou
+ms.author: amyzhou
+manager: dougeby
+ms.prod: w10
+ms.collection: M365-modern-desktop
+ms.topic: include
+ms.date: 11/09/2022
+ms.localizationpriority: medium
+---
+<!-- This file is included in the mcc-isp-faq.yml file. -->
+
+Peak Egress | Hardware Specifications|
+---|---|
+< 5G Peak | VM with 8 cores, 16 GB memory, 1 SSD Drive 500GB|
+10 - 20G Peak | VM with 16 cores, 32 GB memory, 2 - 3 SSD Drives 1 TB|
+20 - 40G Peak | Hardware (sample hardware spec) with 32 cores, 64 GB memory, 4 - 6 SSDs 1 TB |
\ No newline at end of file
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml
index 85d6ee2703..654cd9f309 100644
--- a/windows/deployment/do/index.yml
+++ b/windows/deployment/do/index.yml
@@ -6,12 +6,10 @@ summary: Set up peer to peer downloads for Windows Updates and learn about Micro
 metadata:
   title: Delivery Optimization # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Learn about using peer to peer downloads on Windows clients and learn about Microsoft Connected Cache. # Required; article description that is displayed in search results. < 160 chars.
-  services: windows-10
-  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.subservice: subservice
-  ms.topic: landing-page # Required
+  ms.topic: landing-page
+  ms.prod: windows-client
+  ms.technology: itpro-updates
   ms.collection:
-    - windows-10
     - highpri
   author: aczechowski
   ms.author: aaroncz
@@ -54,7 +52,7 @@ landingContent:
             url: https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332
 
   # Card (optional)
-  - title: Configure Delivery Optimization on Microsoft Endpoint Manager
+  - title: Configure Delivery Optimization on Microsoft Intune or Configuration Manager
     linkLists:
       - linkListType: how-to-guide
         links:
@@ -69,8 +67,8 @@ landingContent:
     linkLists:
       - linkListType: deploy
         links:
-          - text: MCC for Enterprise and Education (Private Preview)
-            url: mcc-enterprise.md
+          - text: MCC for Enterprise and Education (early preview)
+            url: waas-microsoft-connected-cache.md
           - text: Sign up
             url: https://aka.ms/MSConnectedCacheSignup 
 
@@ -79,10 +77,13 @@ landingContent:
     linkLists:
       - linkListType: deploy
         links:
-          - text: MCC for ISPs (Private Preview)
-            url: mcc-isp.md
+          - text: MCC for ISPs (public preview)
+            url: mcc-isp-signup.md
           - text: Sign up
-            url: https://aka.ms/MSConnectedCacheSignup 
+            url: https://aka.ms/MCCForISPSurvey
+          - text: MCC for ISPs (early preview)
+            url: mcc-isp.md
+          
 
   # Card (optional)
   - title: Resources
@@ -99,4 +100,6 @@ landingContent:
             url: delivery-optimization-proxy.md
           - text: Content endpoints for Delivery Optimization and Microsoft Connected Cache
             url: delivery-optimization-endpoints.md
+          - text: Testing Delivery Optimization
+            url: delivery-optimization-test.md
 
diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md
new file mode 100644
index 0000000000..ef710a3929
--- /dev/null
+++ b/windows/deployment/do/mcc-enterprise-appendix.md
@@ -0,0 +1,123 @@
+---
+title: Appendix
+manager: aaroncz
+description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education.
+ms.prod: w10
+author: amymzhou
+ms.author: amyzhou
+ms.localizationpriority: medium
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Appendix
+
+## Steps to obtain an Azure Subscription ID
+
+<!--Using include file, get-azure-subscription.md, do/mcc-isp.md for shared content-->
+[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
+
+### Troubleshooting
+
+If you're not able to sign up for a Microsoft Azure subscription with the **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** error, see the following articles:
+- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). 
+- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).
+
+## Installing on VMWare
+
+We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made:
+
+1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**.
+1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**.
+
+## Diagnostics Script
+
+If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug.
+
+To run this script:
+
+1. Navigate to the following folder in the MCC installation files:
+
+    mccinstaller > Eflow > Diagnostics
+
+1. Run the following commands:
+
+   ```powershell
+   Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
+   .\collectMccDiagnostics.ps1
+   ```
+
+1. The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file, which you can share with us. The location should be **\<currentpath\>**\mccdiagnostics\support_bundle_\$timestamp.tar.gz
+
+1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process.
+
+## IoT Edge runtime
+
+The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices.
+The runtime sits on the IoT Edge device, and performs management and
+communication operations. The runtime performs several functions:
+
+- Installs and update workloads (Docker containers) on the device.
+- Maintains Azure IoT Edge security standards on the device.
+- Ensures that IoT Edge modules (Docker containers) are always running.
+- Reports module (Docker containers) health to the cloud for remote monitoring.
+- Manages communication between an IoT Edge device and the cloud.
+
+For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).
+
+## Routing local Windows Clients to an MCC
+
+### Get the IP address of your MCC using ifconfig
+
+There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC.
+
+#### Registry Key
+
+You can either set your MCC IP address or FQDN using:
+
+1.  Registry Key (version 1709 and later):  
+    `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
+</br>
+    "DOCacheHost"=" "  
+    
+    From an elevated command prompt:
+
+    ```
+    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f
+    ```
+
+1. MDM Path (version 1809 and later):
+
+    `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost`
+
+1. In Windows (release version 1809 and later), you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. Set the **Cache Server Hostname** to the IP address of your MCC, such as `10.137.187.38`.
+
+   :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png":::
+
+
+**Verify Content using the DO Client**
+
+To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:
+
+1. Download a game or application from the Microsoft Store.
+
+   :::image type="content" source="./images/ent-mcc-store-example-download.png" alt-text="Screenshot of the Microsoft Store with the game, Angry Birds 2, selected.":::
+
+
+1. Verify downloads came from MCC by one of two methods:
+
+    - Using the PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see *BytesFromCacheServer*.
+
+      :::image type="content" source="./images/ent-mcc-get-deliveryoptimizationstatus.png" alt-text="Screenshot of the output of Get-DeliveryOptimization | FT from PowerShell." lightbox="./images/ent-mcc-get-deliveryoptimizationstatus.png":::
+
+    - Using the Delivery Optimization Activity Monitor
+    
+      :::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor.":::
+
+## EFLOW
+
+- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows)
+- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge)
+- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions)
+- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow)
+- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers)
\ No newline at end of file
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
new file mode 100644
index 0000000000..74ef198811
--- /dev/null
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -0,0 +1,325 @@
+---
+title: Deploying your cache node
+manager: dougeby
+description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node
+ms.prod: w10
+author: amymzhou
+ms.localizationpriority: medium
+ms.author: amyzhou
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Deploying your cache node
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+## Steps to deploy MCC
+
+To deploy MCC to your server:
+
+1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id)
+1. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
+1. [Create an MCC Node](#create-an-mcc-node-in-azure)
+1. [Edit Cache Node Information](#edit-cache-node-information)
+1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
+1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
+1. [Review common Issues](#common-issues) if needed.
+
+For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
+
+### Provide Microsoft with the Azure Subscription ID
+
+As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. 
+
+> [!IMPORTANT]
+> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step.
+
+For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id).
+
+### Create the MCC resource in Azure
+
+The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. 
+
+Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. 
+
+1. In the Azure portal home page, choose **Create a resource**:  
+    :::image type="content" source="./images/ent-mcc-create-azure-resource.png" alt-text="Screenshot of the Azure portal. The create a resource option is outlined in red.":::
+
+1. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results.
+
+   > [!NOTE]
+   > You won't see Microsoft Connected Cache in the drop-down list. You'll need to type the string and press enter to see the result.
+
+1. Select **Microsoft Connected Cache Enterprise** and choose **Create** on the next screen to start the process of creating the MCC resource.
+
+    :::image type="content" source="./images/ent-mcc-azure-search-result.png" alt-text="Screenshot of the Azure portal search results for Microsoft Connected Cache.":::
+    :::image type="content" source="./images/ent-mcc-azure-marketplace.png" alt-text="Screenshot of Microsoft Connected Cache Enterprise within the Azure Marketplace.":::
+
+1. Fill in the required fields to create the MCC resource.
+
+    - Choose the subscription that you provided to Microsoft.
+    - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group.
+    - Choose **(US) West US** for the location of the resource. This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview.
+
+       > [!IMPORTANT]
+       > Your MCC resource will not be created properly if you do not select **(US) West US**
+
+    - Choose a name for the MCC resource.
+      - Your MCC resource must not contain the word **Microsoft** in it.
+
+      :::image type="content" source="./images/ent-mcc-azure-create-connected-cache.png" alt-text="Screenshot of the Create a Connected Cache page within the Azure Marketplace.":::
+
+1. Once all the information has been entered, select the **Review + Create** button. Once validation is complete, select the **Create** button to start the
+    resource creation.
+
+    :::image type="content" source="./images/ent-mcc-azure-cache-created.png" alt-text="Screenshot of the completed cache deployment within the Azure." lightbox="./images/ent-mcc-azure-cache-created.png":::
+
+#### Error: Validation failed
+
+- If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**.
+  - To resolve this error, go to the previous step and choose **(US) West US**.
+
+    :::image type="content" source="./images/ent-mcc-create-cache-failed.png" alt-text="Screenshot of a failed cache deployment due to an incorrect location.":::
+
+### Create an MCC node in Azure
+
+Creating an MCC node is a multi-step process and the first step is to access the MCC early preview management portal.
+
+1. After the successful resource creation, select  **Go to resource**.
+1. Under **Cache Node Management** section on the leftmost panel, select **Cache Nodes**.
+
+    :::image type="content" source="./images/ent-mcc-cache-nodes.png" alt-text="Screenshot of the Cache Node Management section with the navigation link to the Cache Nodes page outlined in red.":::
+
+1. On the **Cache Nodes** blade, select the **Create Cache Node** button.
+
+    :::image type="content" source="./images/ent-mcc-create-cache-node.png" alt-text="Screenshot of the Cache Nodes page with the Create Cache Node option outlined in red.":::
+
+1. Selecting the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation.
+
+   | **Field Name**| **Expected Value**|**Description** |
+   |---|---|---|
+   | **Cache Node Name** | Alphanumeric name that doesn't include any spaces. | The name of the cache node. You may choose names based on location such as `Seattle-1`. This name must be unique and can't be changed later. |
+
+1. Enter the information for the **Cache Node** and select the **Create** button.
+
+   :::image type="content" source="./images/ent-mcc-create-cache-node-name.png" alt-text="Screenshot of the Cache Nodes page displaying the Cache Node Name text entry during the creation process.":::
+
+If there are errors, the form will provide guidance on how to correct the errors.
+
+Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section.
+
+:::image type="content" source="./images/ent-mcc-connected-cache-installer-download.png" alt-text="Screenshot of the Connected Cache installer download button, installer instructions, and script.":::
+
+#### Edit cache node information
+
+Cache nodes can be deleted here by selecting the check box to the left of a **Cache Node Name** and then selecting the delete toolbar item. Be aware that if a cache node is deleted, there's no way to recover the cache node or any of the information related to the cache node.
+
+:::image type="content" source="./images/ent-mcc-delete-cache-node.png" alt-text="Screenshot of deleting a cache node from the Cache Nodes page.":::
+
+### Install MCC on Windows
+
+Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks:
+
+- Installs the Azure CLI
+- Downloads, installs, and deploys EFLOW
+- Enables Microsoft Update so EFLOW can stay up to date
+- Creates a virtual machine
+- Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
+- Configures Connected Cache tuning settings.
+- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
+- Deploys the MCC container to server.
+
+#### Run the installer
+
+1. Download and unzip `mccinstaller.zip` from the create cache node page or cache node configuration page, both of which contain the necessary installation files.
+
+   :::image type="content" source="./images/ent-mcc-download-installer.png" alt-text="Screenshot of the download installer option on the Create Cache Node page.":::
+
+   The following files are contained in the `mccinstaller.zip` file:
+
+   - **installmcc.ps1**: Main installer file.
+   - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance.
+   - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane.
+   - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes.
+   - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version.
+   - **mccupdate.json**: Used as part of the update script
+
+1. Open Windows PowerShell as administrator then navigate to the location of these files.
+
+   > [!NOTE]
+   > Ensure that Hyper-V is enabled on your device.
+   > - **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
+   > - **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)'
+   >
+   > Don't use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported.
+
+#### If you're installing MCC on a local virtual machine
+
+1. Turn the virtual machine **off** while you enable nested virtualization and MAC spoofing.
+   1. Enable nested virtualization:
+
+      ```powershell
+      Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true
+      ```
+
+   1. Enable MAC spoofing:
+
+      ```powershell
+      Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On
+      ```
+
+1. Set the execution policy.
+
+    ```powershell
+    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
+    ```
+
+    > [!NOTE]
+    > After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**.
+
+1. Copy the command from the Azure portal and run it in Windows PowerShell.
+
+    :::image type="content" source="./images/ent-mcc-installer-script.png" alt-text="Screenshot of the installer script for the connected cache node.":::
+
+    > [!NOTE]
+    > After running the command, and multiple times throughout the installation process, you'll receive the following notice. Select **[R] Run once** to proceed.
+    > </br>
+    > </br> Security warning
+    > </br> Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\Users\mccinstaller\Eflow\installmcc.ps1?
+    > </br>
+    > </br> [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
+
+1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch.
+
+    > [!NOTE]
+    > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
+
+    If you restarted your computer after creating a switch, start from Step 2 above and skip step 5.
+
+   :::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png":::
+
+1. Rerun the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created.
+
+     :::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png":::
+
+1. Decide whether you would like to use dynamic or static address for the Eflow VM
+
+    :::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
+
+    > [!NOTE]
+    > Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
+
+1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts.
+
+1. Follow the Azure Device Login link and sign into the Azure portal.
+
+     :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png":::
+
+1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
+
+    1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
+
+       :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png":::
+       :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
+
+
+1. Your MCC deployment is now complete.
+
+    1. If you don't see any errors, continue to the next section to validate your MCC deployment.
+    1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
+    1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
+
+## Verify proper functioning MCC server
+
+#### Verify Client Side
+
+Connect to the EFLOW VM and check if MCC is properly running:
+
+1. Open PowerShell as an Administrator.
+2. Enter the following commands:
+
+   ```powershell
+   Connect-EflowVm
+   sudo -s
+   iotedge list
+   ```
+
+   :::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
+
+You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
+
+#### Verify server side
+
+For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
+
+```powershell
+wget [http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
+```
+
+A successful test result will display a status code of 200 along with additional information.
+
+:::image type="content" source="./images/ent-mcc-verify-server-ssh.png" alt-text="Screenshot of a successful wget with an SSH client." lightbox="./images/ent-mcc-verify-server-ssh.png":::
+
+ :::image type="content" source="./images/ent-mcc-verify-server-powershell.png" alt-text="Screenshot of a successful wget using PowerShell." lightbox="./images/ent-mcc-verify-server-powershell.png":::
+
+Similarly, enter the following URL from a browser in the network:
+
+`http://<YourCacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com`
+
+If the test fails, see the [common issues](#common-issues) section for more information.
+
+### Intune (or other management software) configuration for MCC
+
+For an [Intune](/mem/intune/) deployment, create a **Configuration Profile** and include the Cache Host eFlow IP Address or FQDN:
+
+:::image type="content" source="./images/ent-mcc-intune-do.png" alt-text="Screenshot of Intune showing the Delivery Optimization cache server host names.":::
+
+## Common Issues
+
+#### PowerShell issues
+
+If you're seeing errors similar to this error: `The term Get-<Something> isn't recognized as the name of a cmdlet, function, script file, or operable program.`
+
+1. Ensure you're running Windows PowerShell version 5.x.
+
+1. Run \$PSVersionTable and ensure you're running version 5.x and *not version 6 or 7*.
+
+1. Ensure you have Hyper-V enabled:
+
+    **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
+
+    **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
+
+#### Verify Running MCC Container
+
+Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:
+
+```bash
+Connect-EflowVm
+sudo iotedge list
+```
+
+:::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png":::
+
+If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command:
+
+```bash
+sudo journalctl -u iotedge -f
+```
+
+For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start.  
+
+:::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png":::
+
+Use this command to check the IoT Edge Journal
+
+```bash
+sudo journalctl -u iotedge -f
+```
+
+> [!NOTE]
+> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md
new file mode 100644
index 0000000000..84faf8d670
--- /dev/null
+++ b/windows/deployment/do/mcc-enterprise-prerequisites.md
@@ -0,0 +1,56 @@
+---
+title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education
+manager: dougeby
+description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education.
+ms.prod: w10
+author: amymzhou
+ms.localizationpriority: medium
+ms.author: amyzhou
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Requirements of Microsoft Connected Cache for Enterprise and Education (early preview)
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+## Enterprise requirements for MCC
+
+1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
+
+    Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
+
+    The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions.
+
+2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
+  
+   > [!NOTE]
+   > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations.
+
+    **EFLOW Requires Hyper-V support**
+    - On Windows client, enable the Hyper-V feature
+    - On Windows Server, install the Hyper-V role and create a default network switch
+
+    Disk recommendations:
+    - Using an SSD is recommended as cache read speed of SSD is superior to HDD
+
+    NIC requirements:
+    - Multiple NICs on a single MCC instance aren't supported.
+    - 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
+    - For best performance, NIC and BIOS should support SR-IOV
+
+    VM networking:
+    -  An external virtual switch to support outbound and inbound network communication (created during the installation process)
+
+## Sizing recommendations
+
+| Component  | Branch Office / Small Enterprise | Large Enterprise |
+| -- | --- | --- |
+| OS|  Windows Server 2019*/2022 <br> Windows 10*/11 (Pro or Enterprise) with Hyper-V Support <br><br>* Windows 10 and Windows Server 2019 build 17763 or later | Same |
+|NIC | 1 Gbps | 5 Gbps |
+|Disk | SSD <br>1 drive <br>50 GB each  |SSD <br>1 drive <br>200 GB each  |
+|Memory | 4 GB | 8 GB |
+|Cores | 4 | 8  |
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
new file mode 100644
index 0000000000..60d0df68e3
--- /dev/null
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@@ -0,0 +1,45 @@
+---
+title: Update or uninstall Microsoft Connected Cache for Enterprise and Education
+manager: dougeby
+description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education.
+ms.prod: w10
+author: amymzhou
+ms.localizationpriority: medium
+ms.author: amyzhou
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+# Update or uninstall Microsoft Connected Cache for Enterprise and Education
+
+Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.
+
+## Update MCC
+
+Run the following command with the **arguments** we provided in the email to update your MCC:
+
+```powershell
+# .\updatemcc.ps1 version="**\<VERSION\>**" tenantid="**\<TENANTID\>**" customerid="**\<CUSTOMERID\>**" cachenodeid="**\<CACHENODEID\>**" customerkey="**\<CUSTOMERKEY\>**"
+```
+
+For example:
+
+```powershell
+# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a"
+```
+
+## Uninstall MCC
+
+Please contact the MCC Team before uninstalling to let us know if you're facing issues.
+
+This script will remove the following items:
+
+1. EFLOW + Linux VM
+1. IoT Edge
+1. Edge Agent
+1. Edge Hub
+1. MCC
+1. Moby CLI
+1. Moby Engine
+
+To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT
+Edge LTS \> Uninstall
diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md
deleted file mode 100644
index 6b83267846..0000000000
--- a/windows/deployment/do/mcc-enterprise.md
+++ /dev/null
@@ -1,544 +0,0 @@
----
-title: Microsoft Connected Cache for Enterprise and Education (private preview)
-manager: dougeby
-description: Details on Microsoft Connected Cache (MCC) for Enterprise and Education.
-ms.prod: w10
-author: carmenf
-ms.localizationpriority: medium
-ms.author: carmenf
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Microsoft Connected Cache for Enterprise and Education (private preview)
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-## Overview
-
-> [!IMPORTANT]
-> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-
-Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/).
-
-MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS.
-
-Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: 
-
-1. Installs and updates MCC on your edge device. 
-2. Maintains Azure IoT Edge security standards on your edge device. 
-3. Ensures that MCC is always running. 
-4. Reports MCC health and usage to the cloud for remote monitoring.
-
-To deploy a functional MCC to your device, you must obtain the necessary keys that will provision the Connected Cache instance to communicate with Delivery Optimization services and enable the device to cache and deliver content. See [figure 1](#fig1) below for a summary of the architecture of MCC, built using IoT Edge.
-
-For more information about Azure IoT Edge, see [What is Azure IoT Edge](/azure/iot-edge/about-iot-edge).
-
-## How MCC works
-
-The following steps describe how MCC is provisioned and used.
-
-1. The Azure Management Portal is used to create MCC nodes.
-2. The MCC container is deployed and provisioned to a server using the installer provided in the portal.
-3. Client policy is configured in your management solution to point to the IP address or FQDN of the cache server.
-4. Microsoft end-user devices make range requests for content from the MCC node.
-5. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers content to the client.
-6. Subsequent requests from end-user devices for content come from the cache.
-
-If an MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers.
-
-<a id="fig1">
-
-![eMCC img01](images/emcc01.png)
-
-</a>Figure 1: **MCC processes**. Each number in the diagram corresponds to the steps described above.
-
-
-## Enterprise requirements for MCC
-
-1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services.
-
-    Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you do not have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/).
-
-    The resources used for the preview and in the future when this product is ready for production will be completely free to you, like other caching solutions.
-
-2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps.
-
-    **EFLOW Requires Hyper-V support**
-    - On Windows client, enable the Hyper-V feature
-    - On Windows Server, install the Hyper-V role and create a default network switch
-
-    Disk recommendations:
-    - Using an SSD is recommended as cache read speed of SSD is superior to HDD
-
-    NIC requirements:
-    - Multiple NICs on a single MCC instance aren't supported.
-    - 1 Gbps NIC is the minimum speed recommended but any NIC is supported.
-    - For best performance, NIC and BIOS should support SR-IOV
-
-    VM networking:
-    -  An external virtual switch to support outbound and inbound network communication (created during the installation process)
-
-### Sizing recommendations
-
-| Component  | Branch Office / Small Enterprise | Large Enterprise |
-| -- | --- | --- |
-| OS|  Windows Server 2019*/2022 <br> Windows 10*/11 (Pro or Enterprise) with Hyper-V Support <br><br>* Windows 10 and Windows Server 2019 build 17763 or later | Same |
-|NIC | 1 Gbps | 5 Gbps |
-|Disk | SSD <br>1 drive <br>50GB each  |SSD <br>1 drive <br>200GB each  |
-|Memory | 4GB | 8GB |
-|Cores | 4 | 8  |
-
-## Steps to deploy MCC
-
-To deploy MCC to your server:
-
-1.  [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id)
-2.  [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
-3.  [Create an MCC Node](#create-an-mcc-node-in-azure)
-4.  [Edit Cache Node Information](#edit-cache-node-information)
-5.  [Install MCC on a physical server or VM](#install-mcc-on-windows)
-6.  [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
-7.  [Review common Issues](#common-issues) if needed.
-
-For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
-
-### Provide Microsoft with the Azure Subscription ID
-
-As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. 
-
-> [!IMPORTANT]
-> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step.
-
-For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id).
-
-### Create the MCC resource in Azure
-
-The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. 
-
-Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. 
-
-1.  On the Azure portal home page, choose **Create a resource**:  
-    ![eMCC img02](images/emcc02.png)
-
-2.  Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results.
-
-> [!NOTE]
-> You'll not see Microsoft Connected Cache in the drop-down list. You need to type it and press enter to see the result.
-
-3.  Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource.
-
-    ![eMCC img03](images/emcc03.png)
-    ![eMCC img04](images/emcc04.png)
-
-4.  Fill in the required fields to create the MCC resource.
-
-    -   Choose the subscription that you provided to Microsoft.
-    -   Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group.
-    -   Choose **(US) West US** for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it's just a limitation of the preview.
-
-       > [!NOTE]
-       > Your MCC resource will not be created properly if you do not select **(US) West US**
-
-    -   Choose a name for the MCC resource.
-
-      > [!NOTE]
-      > Your MCC resource must not contain the word **Microsoft** in it.
-
-      ![eMCC img05](images/emcc05.png)
-
-5.  Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the
-    resource creation.
-
-    ![eMCC img06](images/emcc06.png)
-
-#### Error: Validation failed
-
--   If you get a Validation failed error message on your portal, it's likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**.
--   To resolve this error, go to the previous step and choose **(US) West US**.
-
-    ![eMCC img07](images/emcc07.png)
-
-### Create an MCC node in Azure
-
-Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal.
-
-1.  After the successful resource creation click on the **Go to resource**.
-2.  Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**.
-
-    ![eMCC img08](images/emcc08.png)
-
-3.  On the **Cache Nodes** blade, click on the **Create Cache Node** button.
-
-    ![eMCC img09](images/emcc09.png)
-
-4.  Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation.
-
-| **Field Name**      | **Expected Value**                         | **Description**                                                                                                                      |
-|---------------------|--------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
-| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and cannot be changed later. |
-
-5.  Enter the information for the **Cache Node** and click the **Create** button.
-
-![eMCC img9.5](images/emcc09.5.png)
-
-If there are errors, the form will provide guidance on how to correct the errors.
-
-Once the MCC node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this article, in the [Install Connected Cache](#install-mcc-on-windows) section.
-
-![eMCC img10](images/emcc10.png)
-
-#### Edit cache node information
-
-Cache nodes can be deleted here by clicking the check box to the left of a **Cache Node Name** and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node.
-
-![eMCC img11](images/emcc11.png)
-
-### Install MCC on Windows
-
-Installing MCC on your Windows device is a simple process. A PowerShell script performs the following tasks:
-
-  - Installs the Azure CLI
-  - Downloads, installs, and deploys EFLOW
-  - Enables Microsoft Update so EFLOW can stay up to date
-  - Creates a virtual machine
-  - Enables the firewall and opens ports 80 and 22 for inbound and outbound traffic. Port 80 is used by MCC, and port 22 is used for SSH communications.
-  - Configures Connected Cache tuning settings.
-  - Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge.
-  - Deploys the MCC container to server.
-
-#### Run the installer
-
-1.  Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files.
-
-  ![eMCC img12](images/emcc12.png)
-
-Files contained in the mccinstaller.zip file:
-
-  - **installmcc.ps1**: Main installer file.
-  - **installEflow.ps1**: Installs the necessary prerequisites such as the Linux VM, IoT Edge runtime, and Docker, and makes necessary host OS settings to optimize caching performance.
-  - **resourceDeploymentForConnectedCache.ps1**: Creates Azure cloud resources required to support MCC control plane.
-  - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container, such as cache drive location sizes.
-  - **updatemcc.ps1**: The update script used to upgrade MCC to a particular version.
-  - **mccupdate.json**: Used as part of the update script
-
-1.  Open Windows PowerShell as administrator and navigate to the location of these files.
-
-> [!NOTE]
-> Ensure that Hyper-V is enabled on your device.
-> Do not use PowerShell ISE, PowerShell 6.x, or PowerShell 7.x. Only Windows PowerShell version 5.x is supported.
-
-  **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
-
-  **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
-
-#### If you're installing MCC on a local virtual machine:
-
-1. Enable Nested Virtualization
-
-  ```powershell
-  Set -VMProcessor -VMName "VM name" -ExposeVirtualizationExtensions $true
-  ```
-2. Enable Mac Spoofing
-  ```powershell
-  Get-VMNetworkAdapter -VMName "VM name" | Set-VMNetworkAdapter -MacAddressSpoofing On
-  ```
-  **Virtual machine should be in the OFF state while enabling Nested Virtualization and Mac Spoofing**
-
-3.  Set the execution policy
-
-  ```powershell
-  Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
-  ```
-  > [!NOTE]
-  >  After setting the execution policy, you'll see a warning asking if you wish to change the execution policy. Choose **[A] Yes to All**.
-
-4.  Copy the command from the portal and run it in Windows PowerShell
-
-    ![eMCC img13](images/emcc13.png)
-
-  > [!NOTE]
-  > After running the command, and multiple times throughout the installation process, you'll receive the following notice. **Please select [R] Run once to proceed**.
-  > <br>
-  > <br>Security warning
-  > <br>Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning message. Do you want to run C:\\Users\\mccinstaller\\Eflow\\installmcc.ps1?
-  ><br>
-  > <br>[D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
-
-3.  Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch.
-
-  > [!NOTE]
-  > Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
-
-  If you restarted your computer after creating a switch, start from Step 2 above and skip step 5.
-
-  ![eMCC img14](images/emcc14.png)
-
-4.  Re-run the script after the restart. This time, choose **No** when asked to create a new switch. Enter the number corresponding to the switch you previously created.
-
-    ![eMCC img15](images/emcc15.png)
-
-5.  Decide whether you would like to use dynamic or static address for the Eflow VM
-
-    ![eMCC img16](images/emcc16.png)
-
-  > [!NOTE]
-  > Choosing a dynamic IP address might assign a different IP address when the MCC restarts.
-  > <br>A static IP address is recommended so you do not have to change this value in your management solution when MCC restarts.
-
-6.  Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and cores you would like to allocate for the VM. In this example, we chose the default values for all prompts.
-
-7.  Follow the Azure Device Login link and sign into the Azure portal.
-
-    ![eMCC img17](images/emcc17.png)
-
-8.  If this is your first MCC deployment, please select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
-
-    1.  You'll be shown a list of existing IoT Hubs in your Azure Subscription; Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter “1”**
-
-    ![eMCC img18](images/emcc18.png)
-    ![eMCC img19](images/emcc19.png)
-
-9.  Your MCC deployment is now complete.
-
-    1.  If you do not see any errors, please continue to the next section to validate your MCC deployment.
-    2.  After validating your MCC is properly functional, please review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
-    3.  If you had errors during your deployment, see the [Troubleshooting](#troubleshooting) section in this article.
-
-### Verify proper functioning MCC server
-
-#### Verify Client Side
-
-Connect to the EFLOW VM and check if MCC is properly running:
-
-1.  Open PowerShell as an Administrator
-2.  Enter the following commands:
-
-```powershell
-Connect-EflowVm
-sudo -s
-iotedge list
-```
-
-![eMCC img20](images/emcc20.png)
-
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, please try this command in a few minutes. The MCC container can take a few minutes to deploy
-
-#### Verify server side
-
-For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
-
-```powershell
-wget [http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
-```
-
-A successful test result will look like this:
-
-![eMCC img21](images/emcc21.png)
-
-OR
-
-![eMCC img22](images/emcc22.png)
-
-Similarly, enter this URL from a browser in the network:
-
-[http://YourCacheServerIP/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]()
-
-If the test fails, see the common issues section for more information.
-
-### Intune (or other management software) configuration for MCC
-
-For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN:
-
-![eMCC img23](images/emcc23.png)
-
-### Common Issues
-
-#### PowerShell issues
-
-If you're seeing errors similar to this: “The term ‘Get-Something’ isn't recognized as the name of a cmdlet, function, script file, or operable program.”
-
-1.  Ensure you're running Windows PowerShell version 5.x.
-
-2.  Run \$PSVersionTable and ensure you’re running version 5.x and *not version 6 or 7*.
-
-3.  Ensure you have Hyper-V enabled:
-
-    **Windows 10:** [Enable Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v)
-
-    **Windows Server:** [Install the Hyper-V role on Windows Server](/windows-server/virtualization/hyper-v/get-started/install-the-hyper-v-role-on-windows-server)
-
-#### Verify Running MCC Container
-
-Connect to the Connected Cache server and check the list of running IoT Edge modules using the following commands:
-
-```bash
-Connect-EflowVm
-sudo iotedge list​
-```
-
-![eMCC img24](images/emcc24.png)
-
-If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoT Edge security manager using the command:
-
-```bash
-sudo journalctl -u iotedge -f
-```
-
-For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start as is shown in the sample below:  
-
-![eMCC img25](images/emcc25.png)
-
-Use this command to check the IoT Edge Journal
-
-```bash
-sudo journalctl -u iotedge –f
-```
-
-Please note: You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we have listed a few issues below that we hit during our internal validation.
-
-## Diagnostics Script
-
-If you're having issues with your MCC, we included a diagnostics script which will collect all your logs and zip them into a single file. You can then send us these logs via email for the MCC team to debug.
-
-To run this script:
-
-1.  Navigate to the following folder in the MCC installation files:
-
-    mccinstaller \> Eflow \> Diagnostics
-
-2.  Run the following commands:
-
-```powershell
-Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process
-.\collectMccDiagnostics.ps1
-```
-
-3.  The script stores all the debug files into a folder and then creates a tar file. After the script is finished running, it will output the path of the tar file which you can share with us (should be “**\<currentpath\>**\\mccdiagnostics\\support_bundle_\$timestamp.tar.gz”)
-
-4.  [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process.
-
-## Update MCC
-
-Throughout the private preview phase, we will send you security and feature updates for MCC. Please follow these steps to perform the update.
-
-Run the following command with the **arguments** we provided in the email to update your MCC:
-
-```powershell
-# .\updatemcc.ps1 version="**\<VERSION\>**" tenantid="**\<TENANTID\>**" customerid="**\<CUSTOMERID\>**" cachenodeid="**\<CACHENODEID\>**" customerkey="**\<CUSTOMERKEY\>**"
-```
-For example:
-```powershell
-# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a”
-```
-
-## Uninstall MCC
-
-Please contact the MCC Team before uninstalling to let us know if you're facing
-issues.
-
-This script will remove the following:
-
-1.  EFLOW + Linux VM
-2.  IoT Edge
-3.  Edge Agent
-4.  Edge Hub
-5.  MCC
-6.  Moby CLI
-7.  Moby Engine
-
-To delete MCC, go to Control Panel \> Uninstall a program \> Select Azure IoT
-Edge LTS \> Uninstall
-
-## Appendix
-
-### Steps to obtain an Azure Subscription ID
-
-1. Sign in to https://portal.azure.com/ and navigate to the Azure services section.
-2. Click on **Subscriptions**. If you do not see **Subscriptions**, click on the **More Services** arrow and search for **Subscriptions**. 
-3. If you already have an Azure Subscription, skip to step 5. If you do not have an Azure Subscription, select **+ Add** on the top left. 
-4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. 
-5. On the **Subscriptions** blade, you'll find details about your current subscription. Click on the subscription name. 
-6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Click on the **Copy to clipboard** icon next to your Subscription ID to copy the value. 
-
-### Troubleshooting
-
-If you’re not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). 
-
-Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up).
-
-### IoT Edge runtime
-
-The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices.
-The runtime sits on the IoT Edge device, and performs management and
-communication operations. The runtime performs several functions:
-
--   Installs and update workloads (Docker containers) on the device.
--   Maintains Azure IoT Edge security standards on the device.
--   Ensures that IoT Edge modules (Docker containers) are always running.
--   Reports module (Docker containers) health to the cloud for remote monitoring.
--   Manages communication between an IoT Edge device and the cloud.
-
-For more information on Azure IoT Edge, please see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge).
-
-### EFLOW
-
-- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows)
-- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge)
-- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions)
-- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow)
-- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers)
-
-### Routing local Windows Clients to an MCC
-
-#### Get the IP address of your MCC using ifconfig
-
-There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC.
-
-##### Registry Key
-
-You can either set your MCC IP address or FQDN using:
-
-1.  Registry Key in 1709 and higher -  
-    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]<br>
-    "DOCacheHost"=" "  
-    
-  From an elevated command prompt:
-
-  ```
-  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f
-  ```
-
-2.  MDM Path in 1809 or higher:
-
-  .Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost
-
-3. In Windows release version 1809 and later, you can apply the policy via Group Policy Editor. The policy to apply is **DOCacheHost**. To configure the clients to pull content from the MCC using Group Policy, set the Cache Server Hostname (Setting found under Computer Configuration, Administrative Templates, Windows Components, Delivery Optimization) to the IP address of your MCC. For example 10.137.187.38.
-
-    ![eMCC img26](images/emcc26.png)
-
-**Verify Content using the DO Client**
-
-To verify that the Delivery Optimization client can download content using MCC, you can use the following steps:
-
-1. Download a game or application from the Microsoft Store.   
-
-    ![eMCC img27](images/emcc27.png)
-
-2. Verify downloads came from MCC by one of two methods:
-
-    - Using PowerShell Cmdlet Get-DeliveryOptimizationStatus you should see BytesFromCacheServer test  
-
-      ![eMCC img28](images/emcc28.png)
-
-    - Looking at the Delivery Optimization Activity Monitor
-
-      ![eMCC img29](images/emcc29.png)
-
-## Also see
-
-[Microsoft Connected Cache for ISPs](mcc-isp.md)<br>
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898)
diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md
new file mode 100644
index 0000000000..ae5404b2ae
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md
@@ -0,0 +1,43 @@
+---
+title: Cache node configuration
+manager: aaroncz
+description: Configuring a cache node on Azure portal
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: amyzhou
+ms.localizationpriority: medium
+ms.author: amyzhou
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Cache node configuration
+
+All cache node configuration will take place within Azure portal. This article outlines all of the settings that you'll be able to configure. 
+
+## Settings
+
+| Field Name | Expected Value| Description |
+| -- | --- | --- |
+| **Cache node name** | Alphanumeric string that contains no spaces  | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
+| **Server IP address** | IPv4 address  | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
+| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.|
+| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. |
+
+## Storage
+
+| Field Name | Expected Value| Description |
+| -- | --- | --- |
+| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: /dev/folder/ |
+| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. |
+
+## Client routing
+
+| Field Name | Expected Value| Description |
+| -- | --- | --- |
+| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
+| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. |
+| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. |
+
diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md
new file mode 100644
index 0000000000..7ef7e28969
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md
@@ -0,0 +1,147 @@
+---
+title: Create, provision, and deploy the cache node in Azure portal
+manager: aaroncz
+description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: nidos
+ms.localizationpriority: medium
+ms.author: nidos
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Create, Configure, provision, and deploy the cache node in Azure portal
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node will require downloading an installer script that will be run on your cache server.
+
+> [!IMPORTANT]
+> Before you can create your Microsoft Connected Cache, you will need to complete the [sign up process](mcc-isp-signup.md). You cannot proceed without signing up for our service.
+
+## Create cache node
+
+1. Open [Azure portal](https://www.portal.azure.com) and navigate to the **Microsoft Connected Cache** resource.
+
+1. Navigate to **Settings** > **Cache nodes** and select **Create Cache Node**.
+
+1. Provide a name for your cache node and select **Create** to create your cache node.
+
+## Configure cache node
+
+During the configuration of your cache node, there are many fields for you to configure your cache node. To learn more about the definitions of each field, review the [Configuration fields](#general-configuration-fields) at the bottom of this article.
+
+### Client routing
+
+Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you'll be able to route your clients to your cache node.
+
+Microsoft Connected Cache offers two ways for you to route your clients to your cache node. The first method of manual entry involves uploading a comma-separated list of CIDR blocks that represents the clients. The second method of setting BGP (Border Gateway Protocol) is more automatic and dynamic, which is set up by establishing neighborships with other ASNs. All routing methods are set up within Azure portal.
+
+Once client routing and other settings are configured, your cache node will be able to download content and serve traffic to your customers.
+
+At this time, only IPv4 addresses are supported. IPv6 addresses aren't supported.
+
+#### Manual routing
+
+You can manually upload a list of your CIDR blocks in Azure portal to enable manual routing of your customers to your cache node.
+
+#### BGP routing
+
+BGP (Border Gateway Protocol) routing is another method offered for client routing. BGP dynamically retrieves CIDR ranges by exchanging information with routers to understand reachable networks. For an automatic method of routing traffic, you can choose to configure BGP routing in Azure portal.
+
+1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision.
+
+    :::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png":::  
+
+1. Enter the max allowable egress that your hardware can support.  
+
+1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes.  
+**Note:** Up to nine cache drives are supported.  
+
+1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing).
+
+    - If you choose **Manual routing**, enter your address range/CIDR blocks.  
+    - If you choose **BGP routing**, enter the ASN and IP addresses of the neighborship.  
+    > [!NOTE]
+    > **Prefix count** and **IP Space** will stop displaying `0` when BGP is successfully established.
+
+## Deploy cache node software to server  
+
+Once the user executes the cache server provisioning script, resources are created behind the scenes resulting in the successful cache node installation. The script takes the input of different IDs outlined below to register the server as an Azure IoT Edge device. Even though Microsoft Connected Cache scenario isn't related to IoT, Azure IoT Edge is installed for container management and communication operation purposes.
+
+### Components installed during provisioning
+
+#### IoT Edge
+
+IoT Edge performs several functions important to manage MCC on your edge device:
+
+1. Installs and updates MCC on your edge device.
+1. Maintains Azure IoT Edge security standards on your edge device.
+1. Ensures that MCC is always running.
+1. Reports MCC health and usage to the cloud for remote monitoring.
+
+#### Docker container engine
+
+Azure IoT Edge relies on an OCI-compatible container runtime. The Moby engine is the only container engine officially supported with IoT Edge and is installed as part of the server provisioning process.
+
+### Components of the device provisioning script
+
+There are five IDs that the device provisioning script takes as input in order to successfully provision and install your cache server. The provisioning script will automatically include these keys, with no input necessary from the user.
+
+| ID | Description |
+|---|---|
+| Customer ID | A unique alphanumeric ID that the cache nodes are associated with. |
+| Cache node ID | The unique alphanumeric ID of the cache node being provisioned. |
+| Customer key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. |
+| Registration key | Single use device registration key used by Microsoft Delivery Optimization services. |
+
+:::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal.":::
+
+1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server.  
+
+1. Open a terminal window in the directory where you would like to deploy your cache node and run the following command to change the access permission to the Bash script: 
+
+    ```bash
+    sudo chmod +x provisionmcc.sh
+    ```
+
+1. Copy and paste the script command line shown in the Azure portal.
+
+1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md).
+
+    > [!NOTE]
+    > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script.
+
+### General configuration fields
+
+| Field Name | Expected Value| Description |
+|---|---|---|
+| **Cache node name** | Alphanumeric string that contains no spaces  | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
+| **Server IP address** | IPv4 address  | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. The IP address must be publicly accessible. |
+| **Max allowable egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, 10,000 Mbps.|
+| **Enable cache node** | Enable or Disable | You can choose to enable or disable a cache node at any time. |
+
+### Storage fields
+
+> [!IMPORTANT]
+> All cache drives must have read/write permissions set or the cache node will not function.
+> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive`
+
+| Field Name | Expected Value| Description |
+|---|---|---|
+| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. |
+| **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. |
+
+### Client routing fields
+
+| Field Name | Expected Value| Description |
+|---|---|---|
+| **Manual routing - Address range/CIDR blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24 |
+| **BGP - Neighbor ASN** | ASN | When configuring BGP, enter the ASN(s) of your neighbors that you want to establish. |
+| **BGP - Neighbor IP address** | IPv4 address | When configuring BGP, enter the IP address(es) of neighbors that you want to establish. |
diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml
new file mode 100644
index 0000000000..19f6da7226
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-faq.yml
@@ -0,0 +1,83 @@
+### YamlMime:FAQ
+metadata:
+  title: Microsoft Connected Cache Frequently Asked Questions
+  description: The following article is a list of frequently asked questions for Microsoft Connected Cache.
+  ms.sitesec: library
+  ms.pagetype: security
+  ms.localizationpriority: medium
+  author: amymzhou
+  ms.author: amymzhou
+  manager: aaroncz
+  audience: ITPro
+  ms.collection:
+    - M365-security-compliance
+    - highpri
+  ms.topic: faq
+  ms.date: 09/30/2022
+  ms.custom: seo-marvel-apr2020
+title: Microsoft Connected Cache Frequently Asked Questions
+summary: |
+  **Applies to**
+  -   Windows 10
+  -   Windows 11
+  
+sections:
+  - name: Ignored
+    questions:
+      - question: Is this product a free service?
+        answer: Yes. Microsoft Connected Cache is a free service.  
+      - question: What will Microsoft Connected Cache do for me? How will it impact our customers?
+        answer: As an ISP, your network can benefit from reduced load on your backbone and improve customer download experience for supported Microsoft static content. It will also help you save on CDN costs.  
+      - question: Is there a non-disclosure agreement to sign?
+        answer: No, a non-disclosure agreement isn't required.
+      - question: What are the prerequisites and hardware requirements?
+        answer: | 
+         - Azure subscription  
+         - Hardware to host Microsoft Connected Cache:   
+          
+          <!--Using include file, mcc-prerequisites.md, for shared content on DO monitoring-->
+          [!INCLUDE [Microsoft Connected Cache Prerequisites](includes/mcc-prerequisites.md)]
+
+         We have one customer who is able to achieve 40-Gbps egress rate using the following hardware specification:  
+          - Dell PowerEdge R330  
+          - 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core  
+          - 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s  
+          - 4 - Transcend SSD230s 1 TB SATA Drives  
+          Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
+      - question: Will I need to provide hardware BareMetal server or VM?
+        answer: Microsoft Connected Cache is a software-only caching solution and will require you to provide your own server to host the software.
+      - question: Can we use hard drives instead of SSDs?
+        answer: We highly recommend using SSDs as Microsoft Connected Cache is a read intensive application. We also recommend using multiple drives to improve performance.  
+      - question: Will I need to manually enter the CIDR blocks? If I have multiple cache nodes, should I configure a subset of CIDR blocks to each cache node?
+        answer: You can choose to route your traffic using manual CIDR blocks or BGP. If you have multiple Microsoft Connected Cache(s), you can allocate subsets of CIDR blocks to each cache node if you wish. However, since Microsoft Connected Cache has automatic load balancing, we recommend adding all of your traffic to all of your cache nodes.  
+      - question: Should I add any load balancing mechanism?
+        answer: You don't need to add any load balancing. Our service will take care of routing traffic if you have multiple cache nodes serving the same CIDR blocks based on the reported health of the cache node.  
+      - question: How many Microsoft Connected Cache instances will I need? How do we set up if we support multiple countries?
+        answer: As stated in the table above, the recommended configuration will achieve near the maximum possible egress of 40 Gbps with a two-port link aggregated NIC and four cache drives. We have a feature coming soon that will help you estimate the number of cache nodes needed. If your ISP spans multiple countries, you can set up separate cache nodes per country.  
+      - question: Where should we install Microsoft Connected Cache?
+        answer: You are in control of your hardware and you can pick the location based on your traffic and end customers. You can choose the location where you have your routers or where you have dense traffic or any other parameters.
+      - question: How long would a piece of content live within the Microsoft Connected Cache? Is content purged from the cache?
+        answer: Once a request for said content is made, NGINX will look at the cache control headers from the original acquisition. If that content has expired, NGINX will continue to serve the stale content while it's downloading the new content.  We cache the content for 30 days. The content will be in the hot cache path (open handles and such) for 24 hrs, but will reside on disk for 30 days. The drive fills up and nginx will start to delete content based on its own algorithm, probably some combination of least recently used.
+      - question: What content is cached by Microsoft Connected Cache?
+        answer: For more information about content cached, see [Delivery Optimization and Microsoft Connected Cache content endpoints - Windows Deployment](delivery-optimization-endpoints.md).  
+      - question: Does Microsoft Connected Cache support Xbox or Teams content?
+        answer: Currently, Microsoft Connected Cache doesn't support Xbox or Teams content. However, supporting Xbox content is of high priority, and we expect this feature soon. We'll let you know as soon as it becomes available!  
+      - question: Is IPv6 supported?
+        answer: No, we don't currently support IPV6. We plan to support it in the future.   
+      - question: Is Microsoft Connected Cache stable and reliable?
+        answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers.
+      - question: How does Microsoft Connected Cache populate its content?
+        answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD.
+      - question: What do I do if I need more support and have more questions even after reading this FAQ page?
+        answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md).
+      - question: What CDNs will Microsoft Connected Cache pull content from?
+        answer: | 
+         Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content.  Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge.  If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time:
+         
+         $ dig +noall +answer tlu.dl.delivery.mp.microsoft.com | grep -P "IN\tA"
+
+         c-0001.c-msedge.net.    20      IN      A       13.107.4.50
+
+         $ whois 13.107.4.50|grep "Organization:"
+         
+         Organization:   Microsoft Corporation (MSFT)
diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md
new file mode 100644
index 0000000000..291a69a7ab
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-signup.md
@@ -0,0 +1,94 @@
+---
+title: Operator sign up and service onboarding
+manager: aaroncz
+description: Service onboarding for Microsoft Connected Cache for ISP
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: nidos
+ms.localizationpriority: medium
+ms.author: nidos
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Operator sign up and service onboarding for Microsoft Connected Cache
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). 
+
+## Prerequisites
+
+Before you begin sign up, ensure you have the following components:
+- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/).
+- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal.
+- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. 
+- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS.
+
+## Resource creation and sign up process  
+
+1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**.
+
+   :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace.":::
+
+1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource.  
+
+   > [!IMPORTANT]
+   > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information.
+1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for.
+
+   :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png":::
+
+1. Once we verify the information entered, a verification code will be sent to the NOC email address provided on [Peering DB](https://www.peeringdb.com/). Once you receive the email, navigate to your Azure portal > **Microsoft Connected Cache** > **Settings** > **Verify operator**, and enter the verification code sent to the NOC email address.
+
+    > [!NOTE]
+    > Verification codes expire in 24 hours. You will need to generate a new code if it expires.
+
+   :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png":::
+
+1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node.
+
+<!--## Traffic estimation
+
+During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal.
+
+We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md).  -->
+
+### Cache performance
+
+To make sure you're maximizing the performance of your cache node, review the following information:
+
+#### OS requirements
+
+The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice.
+
+#### NIC requirements
+
+- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
+- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
+
+#### Drive performance
+
+The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. 
+
+RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping.
+
+### Hardware configuration example
+
+There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps:
+
+**Dell PowerEdge R330**
+
+- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core
+- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s
+- 4 - Transcend SSD230s 1 TB SATA Drives
+- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated)
+
+### Virtual machines
+
+Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance.
\ No newline at end of file
diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md
new file mode 100644
index 0000000000..a321ac671c
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-support.md
@@ -0,0 +1,51 @@
+---
+title: Support and troubleshooting
+manager: aaroncz
+description: Troubleshooting issues for Microsoft Connected Cache for ISP
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+audience: itpro
+author: nidos
+ms.localizationpriority: medium
+ms.author: nidos
+ms.collection: M365-modern-desktop
+ms.topic: reference
+---
+
+# Support and troubleshooting
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+This article provides information on how to troubleshoot common issues with Microsoft Connected Cache for ISPs.
+## Sign up errors
+
+### Cannot verify account
+
+During sign-up, we verify the information you provide against what is present in [Peering DB](https://www.peeringdb.com/). Make sure the information for your ISP entry on [Peering DB](https://www.peeringdb.com/) is up to date and matches what you provide during sign-up.
+
+### Invalid verification code
+
+During sign-up, a verification code is sent to your NOC email address present in [Peering DB](https://www.peeringdb.com/). This code expires in 24 hours. If it's expired, you'll need to request a new verification code to complete the sign-up.  
+
+## Cache Node Errors  
+
+### Cannot find my cache node
+
+Did you previously had access to your cache nodes but it's now no longer accessible? If so, it may be because you had a trial subscription, and its trial period ended. To resolve this issue, complete the following two steps:
+
+1. Create a new Azure Pay-As-You-Go subscription  
+1. Recreate the cache nodes using the new subscription
+
+## Steps to obtain an Azure subscription ID
+
+<!--Using include file, get-azure-subscription.md, for shared content-->
+[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
+
+## Recommended resources
+
+- [Pay-as-you-go-subscription](https://azure.microsoft.com/offers/ms-azr-0003p/)
+- [Azure free account FAQs](https://azure.microsoft.com/free/free-account-faq/)
+
diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md
new file mode 100644
index 0000000000..c6bdfe27c8
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-update.md
@@ -0,0 +1,58 @@
+---
+title: Update or uninstall your cache node
+manager: aaroncz
+description: How to update or uninstall your cache node
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: amyzhou
+ms.localizationpriority: medium
+ms.author: amyzhou
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Update or uninstall your cache node
+
+This article details how to update or uninstall your cache node. 
+
+## Update cache node
+
+Microsoft will release updates for Microsoft Connected Cache periodically to improve performance, functionality, and security. Updates won't require any action from the customer. Instead, when an update is available, your cache node will automatically update during low traffic hours with minimal to no impact to your end customers. 
+
+To view which version your cache nodes are currently on, navigate to the **Cache nodes** tab to view the versions in the list view.
+
+## Uninstall cache node
+
+There are two main steps required to uninstall your cache node:
+
+1. Remove your cache node from Azure portal
+1. Run the uninstall script to cleanly remove MCC from your server
+
+You must complete both steps to ensure a clean uninstall of your cache node.
+
+### Remove your cache node from Azure portal
+
+Within the [Azure portal](https://www.portal.azure.com), navigate to **Cache Nodes**, then select the cache node you wish to delete. Once selected, select **Delete** on the top bar to remove this cache node from your account.
+
+### Run the uninstall script to cleanly remove Microsoft Connected Cache from your server
+
+In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls Microsoft Connected Cache and all the related components. Only run it if you're facing issues with Microsoft Connected Cache installation.
+
+The **uninstallmcc.sh** script removes the following components:
+
+- IoT Edge
+- Edge Agent
+- Edge Hub
+- MCC
+- Moby CLI
+- Moby engine
+
+To run the script, use the following commands:
+
+```bash
+sudo chmod +x uninstallmcc.sh
+sudo ./uninstallmcc.sh
+
+```
diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md
new file mode 100644
index 0000000000..22f8b3de86
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-verify-cache-node.md
@@ -0,0 +1,80 @@
+---
+title: Verify cache node functionality and monitor health and performance
+manager: aaroncz
+description: How to verify the functionality of a cache node
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: amyzhou
+ms.localizationpriority: medium
+ms.author: amyzhou
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Verify cache node functionality and monitor health and performance
+
+This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. 
+
+## Verify functionality on Azure portal
+
+Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue.
+
+## Verify functionality on the server
+
+It can take a few minutes for the container to deploy after you've saved the configuration.
+
+To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `<CacheServerIP>` with the IP address of the cache server.
+
+```bash
+wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
+```
+
+If successful, you'll see a terminal output similar to the following output:
+
+```bash
+HTTP request sent, awaiting response... 200 OK
+Length: 969710 (947K) [image/gif]
+Saving to: 'wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com'
+
+wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com   100%[========================]
+```
+
+Similarly, enter the following URL into a web browser on any device on the network:
+
+```http
+http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
+```
+
+If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article.
+
+## Monitor cache node health and performance
+
+Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance.
+
+### Available Metrics
+
+Within Azure portal, you're able to build your custom charts and graphs using the following available metrics:
+
+| Metric name | Description |
+|---|---|  
+| **Cache Efficiency** |  Cache efficiency is defined as the total cache hit bytes divided by all bytes requested. The higher this value (0 - 100%), the more efficient the cache node is. |
+| **Healthy nodes** |  The number of cache nodes that are reporting as healthy|
+| **Unhealthy nodes**| The number of cache nodes that are reporting as unhealthy|
+| **Maximum in**| The maximum egress (in Gbps) of inbound traffic|
+| **Maximum out**| The maximum egress (in Gbps) of outbound traffic|
+|  **Average in**|  The average egress (in Gbps) of inbound traffic|
+| **Average out**| The average egress (in Gbps) of outbound traffic|
+
+For more information about how to build your custom charts and graphs, see [Azure Monitor](/azure/azure-monitor/essentials/data-platform-metrics).
+
+### Monitoring your metrics
+
+To view the metrics associated with your cache nodes, navigate to the **Overview** > **Monitoring** tab within the Azure portal.
+
+:::image type="content" source="./images/mcc-isp-metrics.png" alt-text="Screenshot of the Azure portal displaying the metrics view in the Overview tab.":::
+
+You can choose to monitor the health and performance of all cache nodes or one at a time by using the dropdown menu. The **Egress bits per second** graph shows your inbound and outbound traffic of your cache nodes over time. You can change the time range (1 hour, 12 hours, 1 day, 7 days, 14 days, and 30 days) by selecting the time range of choice on the top bar.
+
+If you're unable to view metrics for your cache node, it may be that your cache node is unhealthy, inactive, or hasn't been fully configured.
diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md
new file mode 100644
index 0000000000..6cb5ab9b45
--- /dev/null
+++ b/windows/deployment/do/mcc-isp-vm-performance.md
@@ -0,0 +1,36 @@
+---
+title: Enhancing VM performance
+manager: aaroncz
+description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: amyzhou
+ms.localizationpriority: medium
+ms.author: amyzhou
+ms.collection: M365-modern-desktop
+ms.topic: reference
+---
+
+# Enhancing virtual machine performance
+
+In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings.
+
+## Virtual machine settings
+
+Change the following settings to maximize the egress in virtual environments:
+
+1. Enable **Single Root I/O Virtualization (SR-IOV)** in the following three locations:
+
+    - The BIOS of the MCC virtual machine
+    - The network card properties of the MCC virtual machine
+    - The hypervisor for the MCC virtual machine
+
+    Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment.
+
+2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment.
+
+## Next steps
+
+[Support and troubleshooting](mcc-isp-support.md)
diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md
index 1e1933c2aa..055f86b888 100644
--- a/windows/deployment/do/mcc-isp.md
+++ b/windows/deployment/do/mcc-isp.md
@@ -1,21 +1,21 @@
 ---
 title: Microsoft Connected Cache for Internet Service Providers (ISPs)
 description: Details on Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs).
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.localizationpriority: medium
 author: amymzhou
-ms.author: aaroncz
+ms.author: amyzhou
 ms.reviewer: carmenf
-manager: dougeby
+manager: aaroncz
 ms.collection: M365-modern-desktop
 ms.topic: how-to
 ms.date: 05/20/2022
 ---
 
-# Microsoft Connected Cache for Internet Service Providers (ISPs)
+# Microsoft Connected Cache for Internet Service Providers (early preview)
 
-_Applies to_
+*Applies to*
 
 - Windows 10
 - Windows 11
@@ -23,7 +23,7 @@ _Applies to_
 ## Overview
 
 > [!IMPORTANT]
-> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> This document is for Microsoft Connected Cache (early preview). During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
 Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads.
 
@@ -31,15 +31,15 @@ Microsoft Connected Cache is a hybrid application, in that it's a mix of on-prem
 
 ## How MCC works
 
-:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png":::
+:::image type="content" source="./images/mcc-isp-diagram.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="./images/mcc-isp-diagram.png":::
 
 The following steps describe how MCC is provisioned and used:
 
 1. The Azure Management Portal is used to create and manage MCC nodes.
 
-2. A shell script is used to provision the server and deploy the MCC application.
+1. A shell script is used to provision the server and deploy the MCC application.
 
-3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
+1. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server.
 
     - The publicly accessible IPv4 address of the server is configured on the portal.
 
@@ -50,31 +50,31 @@ The following steps describe how MCC is provisioned and used:
         > [!NOTE]
         > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error.
 
-4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
+1. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node.
 
-5. Microsoft clients make the range requests for content from the MCC node.
+1. Microsoft clients make the range requests for content from the MCC node.
 
-6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
+1. An MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
 
-7. Subsequent requests from end-user devices for content will be served from cache.
+1. Subsequent requests from end-user devices for content will be served from cache.
 
-8. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
+1. If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers.
 
 ## ISP requirements for MCC
 
 ### Azure subscription
 
-The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services.
+The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are *free* services.
 
 > [!NOTE]
 > If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses.
 
-Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends.
+Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). *Don't submit a trial subscription* as you'll lose access to your Azure resources after the trial period ends.
 
 The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions.
 
 > [!IMPORTANT]
-> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey).
+> To join the Microsoft Connected Cache early preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey).
 
 ### Hardware to host the MCC
 
@@ -89,7 +89,7 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC
 
 #### NIC requirements
 
-- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration.
+- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration.
 - 10 Gbps NIC is the minimum speed recommended, but any NIC is supported.
 
 ### Sizing recommendations
@@ -97,10 +97,10 @@ This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC
 The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC.
 
 | Component  | Minimum | Recommended |
-| -- | --- | --- |
+|---|---|---|
 | OS |  Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) |
 | NIC | 10 Gbps| at least 10 Gbps |
-| Disk | SSD <br>1 drive <br>2 TB each  |SSD <br>2-4 drives <br>at least 2 TB each  |
+| Disk | SSD </br>1 drive </br>2 TB each  |SSD </br>2-4 drives </br>at least 2 TB each  |
 | Memory | 8 GB | 32 GB or greater |
 | Cores | 4 | 8 or more  |
 
@@ -110,8 +110,8 @@ To deploy MCC:
 
 1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id)
 2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure)
-3. [Create a Cache Node](#create-a-mcc-node-in-azure)
-4. [Configure Cache Node Routing](#edit-cache-node-information) 
+3. [Create a Cache Node](#create-an-mcc-node-in-azure)
+4. [Configure Cache Node Routing](#edit-cache-node-information)
 5. [Install MCC on a physical server or VM](#install-mcc)
 6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server)
 7. [Review common issues if needed](#common-issues)
@@ -135,20 +135,20 @@ Operators who have been given access to the program will be sent a link to the A
 
 1. Choose **Create a resource**.
 
-    :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal.":::
+    :::image type="content" source="./images/mcc-isp-create-resource.png" alt-text="Screenshot of the option to 'Create a resource' in the Azure portal.":::
 
 1. Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results.
 
 1. Select **Microsoft Connected Cache**.
 
-    :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'.":::
+    :::image type="content" source="./images/mcc-isp-search-marketplace.png" alt-text="Screenshot of searching the Azure Marketplace for 'Microsoft Connected Cache'.":::
 
     > [!IMPORTANT]
-    > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**.
+    > Don't select *Connected Cache Resources*, which is different from **Microsoft Connected Cache**.
 
 1. Select **Create** on the next screen to start the process of creating the MCC resource.
 
-    :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service.":::
+    :::image type="content" source="./images/mcc-isp-create.png" alt-text="Screenshot of the Create option for the Microsoft Connected Cache service.":::
 
 1. Fill in the following required fields to create the MCC resource:
 
@@ -163,11 +163,11 @@ Operators who have been given access to the program will be sent a link to the A
 
     - Specify a **Connected Cache Resource Name**.
 
-    :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure.":::
+      :::image type="content" source="./images/mcc-isp-location-west.png" alt-text="Screenshot of entering the required information, including the West US location, to create a Connected Cache in Azure.":::
 
 1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation.
 
-    :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details.":::
+    :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="'Screenshot of the 'Your deployment is complete' message displaying deployment details.":::
 
 #### Common Resource Creation Errors
 
@@ -175,58 +175,55 @@ Operators who have been given access to the program will be sent a link to the A
 
 If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**.
 
-:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location.":::
-
 ##### Error: Could not create Marketplace item
 
 If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot:
 
-- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource.
+- Make sure that you've selected **Microsoft Connected Cache** and not *Connected Cache resources* while trying to create an MCC resource.
 
 - Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource.
 
 - If the issue persists, clear your browser cache and start in a new window.
 
-### Create a MCC node in Azure
+### Create an MCC node in Azure
 
 1. After you successfully create the resource, select **Go to resource**.
 
 1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**.
 
-    :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section.":::
+    :::image type="content" source="./images/mcc-isp-cache-nodes-option.png" alt-text="Screenshot of the 'Cache Nodes' option in the Cache Node Management menu section.":::
 
 1. On the **Cache Nodes** section, select **Create Cache Node**.
 
-    :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option.":::
+    :::image type="content" source="./images/mcc-isp-create-cache-node-option.png" alt-text="Screenshot of the selecting the 'Create Cache Node' option.":::
 
 1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**.
 
     | Field name | Expected value | Description |
     |--|--|--|
     | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. |
-    | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ |
+    | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. *The IP address must be publicly accessible.* |
     | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. |
     | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` |
-    | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests. <br>**Disable** prevents the cache node from receiving content requests. <br>Cache nodes are enabled by default. |
+    | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests. </br>**Disable** prevents the cache node from receiving content requests. </br>Cache nodes are enabled by default. |
 
-    :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page.":::
+    :::image type="content" source="./images/mcc-isp-create-cache-node-fields.png" alt-text="Screenshot of the available fields on the Create Cache Node page.":::
 
     > [!TIP]
     > The information icon next to each field provides a description.
     >
-    > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field.":::
+    > :::image type="content" source="./images/mcc-isp-node-server-ip.png" alt-text="Screenshot of the Create Cache Node page showing the description for the Server IP Address field.":::
 
-    > [!NOTE]
-    > After you create the cache node, if you return to this page, it populates the values for the two read-only fields:
-    >
-    > | Field name | Description |
-    > |--|--|
-    > | **IP Space** | Number of IP addresses that will be routed to your cache server. |
-    > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. |
+   After you create the cache node, if you return to this page, it populates the values for the two read-only fields:
+
+     | Field name | Description |
+     |--|--|
+     | **IP Space** | Number of IP addresses that will be routed to your cache server. |
+    | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. |
 
 1. Enter the information to create the cache node, and then select **Create**.
 
-    :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page.":::
+    :::image type="content" source="./images/mcc-isp-create-new-node.png" alt-text="Screenshot of selecting 'Create' on the Create Cache Node page.":::
 
 If there are errors, the page gives you guidance on how to correct the errors. For example:
 
@@ -236,11 +233,11 @@ If there are errors, the page gives you guidance on how to correct the errors. F
 
 See the following example with all information entered:
 
-:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered.":::
+:::image type="content" source="./images/mcc-isp-create-node-form.png" alt-text="Screenshot of the Create Cache Node page with all information entered.":::
 
 Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section.
 
-:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions.":::
+:::image type="content" source="./images/mcc-isp-success-instructions.png" alt-text="Screenshot of the Cache node successfully created with Connected Cache installer instructions.":::
 
 ### IP address space approval
 
@@ -258,15 +255,15 @@ There are three states for IP address space. MCC configuration supports BGP and
 
   If your IP address space has this status, contact Microsoft for more information.
 
-:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses.":::
+:::image type="content" source="./images/mcc-isp-node-names.png" alt-text="Screenshot of a list of cache node names with example IP address space statuses.":::
 
 ## Edit cache node information
 
-:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal.":::
+:::image type="content" source="./images/mcc-isp-list-nodes.png" alt-text="Screenshot of the Cache Nodes list in the Azure portal.":::
 
 To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node.
 
-:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields.":::
+:::image type="content" source="./images/mcc-isp-node-configuration.png" alt-text="Screenshot of the Cache Node Configuration page, highlighting editable fields.":::
 
 To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node.
 
@@ -298,7 +295,7 @@ Before you start, make sure that you have a data drive configured on your server
 
 1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file.
 
-    :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action.":::
+    :::image type="content" source="./images/mcc-isp-installer-download.png" alt-text="Screenshot of the Create Cache Node page highlighting the Download Installer action.":::
 
     Unzip the **mccinstaller.zip** file, which includes the following installation files and folders:
 
@@ -322,19 +319,19 @@ Before you start, make sure that you have a data drive configured on your server
 
 1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal.
 
-    :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions.":::
+    :::image type="content" source="./images/mcc-isp-copy-install-script.png" alt-text="Screenshot of the Copy option for the cache node installer Bash script in the Connected Cache installer instructions.":::
 
 1. Sign in to the Azure portal with a device code.
 
-    :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code.":::
+    :::image type="content" source="./images/mcc-isp-bash-device-code.png" alt-text="Screenshot of the Bash script prompt to sign in to the Azure portal with a device code." lightbox="./images/mcc-isp-bash-device-code.png":::
 
 1. Specify the number of drives to configure. Use an integer value less than 10.
 
-    :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure.":::
+    :::image type="content" source="./images/mcc-isp-bash-drive-number.png" alt-text="Screenshot of the Bash script prompt to enter the number of cache drives to configure." lightbox="./images/mcc-isp-bash-drive-number.png":::
 
 1. Specify the location of the cache drives. For example, `/datadrive/`
 
-    :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive.":::
+    :::image type="content" source="./images/mcc-isp-bash-datadrive.png" alt-text="Screenshot of the Bash script prompt to enter the location for cache drive." lightbox="./images/mcc-isp-bash-datadrive.png":::
 
     > [!IMPORTANT]
     > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`.
@@ -350,15 +347,15 @@ Before you start, make sure that you have a data drive configured on your server
 
 1. Specify an integer value as the size in GB for each cache drive. The minimum is `100` GB.
 
-    :::image type="content" source="images/imcc24.png" alt-text="Bash script prompt to enter the amount of space to allocate to the cache drive.":::
+    :::image type="content" source="./images/mcc-isp-bash-allocate-space.png" alt-text="Screenshot of the Bash script prompt to enter the amount of space to allocate to the cache drive." lightbox="./images/mcc-isp-bash-allocate-space.png":::
 
 1. Specify whether you have an existing IoT Hub.
 
-    - If this process is for your _first MCC deployment_, enter `n`.
+    - If this process is for your *first MCC deployment*, enter `n`.
 
-    - If you already have a MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue.
+    - If you already have an MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue.
 
-    :::image type="content" source="images/imcc25.png" alt-text="Bash script output with steps for existing IoT Hub.":::
+    :::image type="content" source="./images/mcc-isp-bash-iot-prompt.png" alt-text="Screenshot of the Bash script output with steps for existing IoT Hub." lightbox="./images/mcc-isp-bash-iot-prompt.png":::
 
 1. If you want to configure BGP, enter `y`. If you want to use manual entered prefixes for routing, enter `n` and skip to Step 16. You can always configure BGP at a later time using the Update Script.
 
@@ -394,7 +391,7 @@ Before you start, make sure that you have a data drive configured on your server
 
 1. To start routing using BGP, change the **Prefix Source** from **Manually Entered** to **Use BGP**.
 
-    :::image type="content" source="images/imcc55.PNG" alt-text="Cache node configuration with the Prefix Source set to Use BGP.":::
+    :::image type="content" source="./images/mcc-isp-use-bgp.png" alt-text="Screenshot of the Cache Node Configuration page with the Prefix Source set to Use BGP.":::
 
 
 1. If there are no errors, go to the next section to verify the MCC server.
@@ -415,7 +412,7 @@ Sign in to the Connected Cache server or use SSH. Run the following command from
 sudo iotedge list
 ```
 
-:::image type="content" source="images/imcc26.png" alt-text="Terminal output of iotedge list command, showing the running containers.":::
+:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png":::
 
 If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command:
 
@@ -425,7 +422,7 @@ sudo journalctl -u iotedge -f
 
 For example, this command provides the current status of the starting and stopping of a container, or the container pull and start:
 
-:::image type="content" source="images/imcc27.png" alt-text="Terminal output of journalctl command for iotedge.":::
+:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png":::
 
 ### Verify server side
 
@@ -439,7 +436,7 @@ wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.wind
 
 The following screenshot shows a successful test result:
 
-:::image type="content" source="images/imcc28.png" alt-text="Terminal output of successful test result with wget command to validate a MCC.":::
+:::image type="content" source="./images/mcc-isp-wget.png" alt-text="Screenshot of the terminal output of successful test result with wget command to validate a Microsoft Connected Cache." lightbox="./images/mcc-isp-wget.png":::
 
 Similarly, enter the following URL into a web browser on any device on the network:
 
@@ -484,7 +481,7 @@ To configure the device to work with your DNS, use the following steps:
     nmcli device show eno1 
     ```
 
-    :::image type="content" source="images/imcc30.png" alt-text="Sample output of nmcli command to show network adapter information.":::
+    :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png":::
 
 1. Open or create the Docker configuration file used to configure the DNS server.
 
@@ -535,7 +532,7 @@ To run the script:
 
 ## Updating your MCC
 
-Throughout the private preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC.
+Throughout the early preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC.
 
 Run the following commands, replacing the variables with the values provided in the email to update your MCC:
 
@@ -553,7 +550,7 @@ sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-u
 
 ### Configure BGP on an Existing MCC
 
-If you have a MCC that's already active and running, follow the steps below to configure BGP.
+If you have an MCC that's already active and running, follow the steps below to configure BGP.
 
 1. Run the Update commands as described above.
 
@@ -585,20 +582,12 @@ sudo ./uninstallmcc.sh
 ```
 
 ## Appendix
-
+ 
 ### Steps to obtain an Azure subscription ID
 
-1. Sign in to the [Azure portal](https://portal.azure.com/) and go to the **Azure services** section.
+<!--Using include file, get-azure-subscription.md, for shared content-->
+[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)]
 
-2. Select **Subscriptions**. If you don't see **Subscriptions**, select the **More Services** arrow and search for **Subscriptions**.
-
-3. If you already have an Azure subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left.
-
-4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you won't be charged for using the MCC service.
-
-5. On the **Subscriptions** section, you'll find details about your current subscription. Select the subscription name.
-
-6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. To copy the value, select the **Copy to clipboard** icon next to your subscription ID.
 
 ### Performance of MCC in virtual environments
 
@@ -618,7 +607,7 @@ In virtual environments, the cache server egress peaks at around 1.1 Gbps. If yo
 
 More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource.
 
-For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the _MCC resource_ and _MCC resource group_.
+For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the *MCC resource* and *MCC resource group*.
 
 ### Setting up a VM on Windows Server
 
@@ -631,93 +620,93 @@ You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an
 
 1. Start the **New Virtual Machine Wizard** in Hyper-V.
 
-    :::image type="content" source="images/imcc31.png" alt-text="The Before You Begin page of the Hyper-V New Virtual Machine Wizard.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-begin.png" alt-text="Screenshot of the Before You Begin page of the Hyper-V New Virtual Machine Wizard.":::
 
 1. Specify a name and choose a location.
 
-    :::image type="content" source="images/imcc32.png" alt-text="The Specify Name and Location page of the Hyper-V New Virtual Machine Wizard.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-name.png" alt-text="Screenshot of the Specify Name and Location page in the Hyper-V New Virtual Machine Wizard.":::
 
 1. Select **Generation 2**. You can't change this setting later.
 
-    :::image type="content" source="images/imcc33.png" alt-text="The Specify Generation page of the Hyper-V New Virtual Machine Wizard.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-generation.png" alt-text="Screenshot of the Specify Generation page in the Hyper-V New Virtual Machine Wizard.":::
 
 1. Specify the startup memory.
 
-    :::image type="content" source="images/imcc34.png" alt-text="The Assign Memory page of the Hyper-V New Virtual Machine Wizard.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-memory.png" alt-text="Screenshot of the Assign Memory page of the Hyper-V New Virtual Machine Wizard.":::
 
 1. Choose the network adapter connection.
 
-    :::image type="content" source="images/imcc35.png" alt-text="The Configure Networking page of the Hyper-V New Virtual Machine Wizard.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-networking.png" alt-text="Screenshot of the Configure Networking page of the Hyper-V New Virtual Machine Wizard.":::
 
 1. Set the virtual hard disk parameters. You should specify enough space for the OS and the content that will be cached. For example, `1024` GB is 1 terabyte.
 
-    :::image type="content" source="images/imcc36.png" alt-text="The Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-disk.png" alt-text="Screenshot of the Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard.":::
 
 1. Select **Install an OS from a bootable image file** and browse to the ISO for Ubuntu 20.04 LTS that you previously downloaded.
 
-    :::image type="content" source="images/imcc37.png" alt-text="The Installation Options page of the Hyper-V New Virtual Machine Wizard.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-installation-options.png" alt-text="Screenshot of the Installation Options page of the Hyper-V New Virtual Machine Wizard.":::
 
 1. Review the settings and select **Finish** to create the Ubuntu VM.
 
-    :::image type="content" source="images/imcc38.png" alt-text="Completing the New Virtual Machine Wizard on Hyper-V.":::
+    :::image type="content" source="./images/mcc-isp-hyper-v-summary.png" alt-text="Screenshot of completing the New Virtual Machine Wizard on Hyper-V.":::
 
 1. Before you start the Ubuntu VM, disable **Secure Boot** and allocate multiple cores to the VM.
 
     1. In Hyper-V Manager, open the **Settings** for the VM.
 
-        :::image type="content" source="images/imcc39.png" alt-text="Open Settings for a VM in Hyper-V Manager.":::
+        :::image type="content" source="./images/mcc-isp-hyper-v-vm-settings.png" alt-text="Screenshot of the settings for a VM in Hyper-V Manager.":::
 
     1. Select **Security**. Disable the option to **Enable Secure Boot**.
 
-        :::image type="content" source="images/imcc40.png" alt-text="Security page of VM settings in Hyper-V Manager.":::
+        :::image type="content" source="./images/mcc-isp-hyper-v-vm-security.png" alt-text="Screenshot of the security page from VM settings in Hyper-V Manager.":::
 
     1. Select **Processor**. Increase the number of virtual processors. This example shows `12`, but your configuration may vary.
 
-        :::image type="content" source="images/imcc41.png" alt-text="Processor page of VM settings in Hyper-V Manager.":::
+        :::image type="content" source="./images/mcc-isp-hyper-v-vm-processor.png" alt-text="Screenshot of the processor page from VM settings in Hyper-V Manager.":::
 
 1. Start the VM and select **Install Ubuntu**.
 
-    :::image type="content" source="images/imcc42.png" alt-text="GNU GRUB screen, select Install Ubuntu.":::
+    :::image type="content" source="./images/mcc-isp-gnu-grub.png" alt-text="Screenshot of the GNU GRUB screen, with Install Ubuntu selected.":::
 
 1. Choose your default language.
 
-    :::image type="content" source="images/imcc43.png" alt-text="Ubuntu install, Welcome page, select language.":::
+    :::image type="content" source="./images/mcc-isp-ubuntu-language.png" alt-text="Screenshot of the Ubuntu install's language selection page.":::
 
 1. Choose the options for installing updates and third party hardware. For example, download updates and install third party software drivers.
 
 1. Select **Erase disk and install Ubuntu**. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04.
 
-    :::image type="content" source="images/imcc45.png" alt-text="Ubuntu install, Installation type page, Erase disk and install Ubuntu.":::
+    :::image type="content" source="./images/mcc-isp-ubuntu-erase-disk.png" alt-text="Screenshot of the Ubuntu install Installation type page with the Erase disk and install Ubuntu option selected.":::
 
     Review the warning about writing changes to disk, and select **Continue**.
 
-    :::image type="content" source="images/imcc46.png" alt-text="Ubuntu install, 'Write the changes to disks' warning.":::
+    :::image type="content" source="./images/mcc-isp-ubuntu-write-changes.png" alt-text="Screenshot of the Ubuntu install's 'Write the changes to disks' warning.":::
 
 1. Choose the time zone.
 
-    :::image type="content" source="images/imcc47.png" alt-text="Ubuntu install, 'Where are you page' to specify time zone.":::
+    :::image type="content" source="./images/mcc-isp-ubuntu-time-zone.png" alt-text="Screenshot of the Ubuntu install's 'Where are you page' to specify time zone.":::
 
 1. Choose the keyboard layout.
 
-    :::image type="content" source="images/imcc48.png" alt-text="Ubuntu install, Keyboard layout page.":::
+    :::image type="content" source="./images/mcc-isp-ubuntu-keyboard.png" alt-text="Screenshot of the Ubuntu install's Keyboard layout page.":::
 
 1. Specify your name, a name for the computer, a username, and a strong password. Select the option to **Require my password to log in**.
 
     > [!TIP]
     > Everything is case sensitive in Linux.
 
-    :::image type="content" source="images/imcc50.png" alt-text="Ubuntu install, 'Who are you' screen.":::
+    :::image type="content" source="./images/mcc-isp-ubuntu-who.png" alt-text="Screenshot of the Ubuntu install's, 'Who are you' screen.":::
 
 1. To complete the installation, select **Restart now**.
 
-    :::image type="content" source="images/imcc51.png" alt-text="Ubuntu install, installation complete, restart now.":::
+    :::image type="content" source="./images/mcc-isp-ubuntu-restart.png" alt-text="Screenshot of the Ubuntu install's installation complete, restart now screen.":::
 
 1. After the computer restarts, sign in with the username and password.
 
     > [!IMPORTANT]
     > If it shows that an upgrade is available, select **Don't upgrade**.
     >
-    > :::image type="content" source="images/imcc52.png" alt-text="Ubuntu install, Upgrade Available prompt, Don't Upgrade.":::
+    > :::image type="content" source="./images/mcc-isp-ubuntu-upgrade.png" alt-text="Screenshot of the Ubuntu install's Upgrade Available prompt with Don't Upgrade selected.":::
 
 Your Ubuntu VM is now ready to [Install MCC](#install-mcc).
 
@@ -735,6 +724,6 @@ For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/
 
 ## Related articles
 
-[Microsoft Connected Cache for enterprise and education](mcc-enterprise.md)
+[Microsoft Connected Cache overview](waas-microsoft-connected-cache.md)
 
 [Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898)
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index 77b1f52534..22dff75ed5 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -3,13 +3,14 @@ title: Delivery Optimization reference
 ms.reviewer: 
 manager: dougeby
 description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.collection: M365-modern-desktop
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Delivery Optimization reference
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 928132b662..ff28a0815c 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -3,13 +3,14 @@ title: Set up Delivery Optimization
 ms.reviewer: 
 manager: dougeby
 description: In this article, learn how to set up Delivery Optimization.
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
 ms.collection: M365-modern-desktop
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Set up Delivery Optimization for Windows
diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md
index c59be068e5..d22068202b 100644
--- a/windows/deployment/do/waas-delivery-optimization.md
+++ b/windows/deployment/do/waas-delivery-optimization.md
@@ -2,16 +2,17 @@
 title: What is Delivery Optimization?
 manager: dougeby
 description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
-ms.collection:
-- M365-modern-desktop
-- m365initiative-coredeploy
-- highpri
+ms.collection: 
+  - M365-modern-desktop
+  - m365initiative-coredeploy
+  - highpri
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # What is Delivery Optimization?
@@ -23,7 +24,7 @@ ms.custom: seo-marvel-apr2020
 
 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158).
 
-Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Manager (when installation of Express Updates is enabled).  
+Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization is a cloud-managed solution that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled).  
 
 Access to the Delivery Optimization cloud services and the Internet, are both requirements for using the peer-to-peer functionality of Delivery Optimization.
 
@@ -95,7 +96,7 @@ To gain a deeper understanding of the Delivery Optimization client-service commu
 
 ## Set up Delivery Optimization for Windows
 
-[Learn more](waas-delivery-optimization-setup.md) about the Delivery Optimization settings to ensure proper set up in your environment.
+[Learn more](waas-delivery-optimization-setup.md) about the Delivery Optimization settings to ensure proper setup in your environment.
 
 ## Delivery Optimization reference
 
diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md
index 22076d8f9a..8888c9ec94 100644
--- a/windows/deployment/do/waas-microsoft-connected-cache.md
+++ b/windows/deployment/do/waas-microsoft-connected-cache.md
@@ -2,16 +2,16 @@
 title: Microsoft Connected Cache overview
 manager: dougeby
 description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution.
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
-ms.collection:
-- M365-modern-desktop
-- m365initiative-coredeploy
-- highpri
+ms.collection: 
+  - M365-modern-desktop
+  - m365initiative-coredeploy
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Microsoft Connected Cache overview
@@ -22,41 +22,40 @@ ms.custom: seo-marvel-apr2020
 - Windows 11
 
 > [!IMPORTANT]
-> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
 Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
 
-MCC is a hybrid (mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS.  
+MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS.  
 
-Even though your MCC scenario is not related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
+Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device:
 
 1. Installs and updates MCC on your edge device.
-2. Maintains Azure IoT Edge security standards on your edge device.
-3. Ensures that MCC is always running.
-4. Reports MCC health and usage to the cloud for remote monitoring.
+1. Maintains Azure IoT Edge security standards on your edge device.
+1. Ensures that MCC is always running.
+1. Reports MCC health and usage to the cloud for remote monitoring.
   
 To deploy a functional MCC to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of MCC is described below.
   
-For more details information on Azure IoT Edge, please see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
+For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge).
 
 ## How MCC Works  
 
 1. The Azure Management Portal is used to create MCC nodes.
-2. The MCC container is deployed and provisioned to the server using the installer provided in the portal.
-3. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
-4. Microsoft end-user devices make range requests for content from the MCC node.
-5. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
-6. Subsequent requests from end-user devices for content will now come from cache.
-7. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers.
+1. The MCC container is deployed and provisioned to the server using the installer provided in the portal.
+1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server.
+1. Microsoft end-user devices make range requests for content from the MCC node.
+1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client.
+1. Subsequent requests from end-user devices for content will now come from cache.
+1. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers.
 
-See the following diagram.
+The following diagram displays and overview of how MCC functions:
 
-![MCC Overview](images/waas-mcc-diag-overview.png#lightbox)
+:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png":::
 
-For more information about MCC, see the following articles:
-- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise.md)
-- [Microsoft Connected Cache for ISPs](mcc-isp.md)
 
-## Also see
 
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898)
\ No newline at end of file
+## Next steps
+
+- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md)
+- [Microsoft Connected Cache for ISPs](mcc-isp-signup.md)
diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md
index 6bf560ab5a..75f5fb76b3 100644
--- a/windows/deployment/do/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/do/waas-optimize-windows-10-updates.md
@@ -1,13 +1,14 @@
 ---
 title: Optimize Windows update delivery
 description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: aaroncz
 ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Optimize Windows update delivery
@@ -26,14 +27,14 @@ Two methods of peer-to-peer content distribution are available.
 
 - [Delivery Optimization](waas-delivery-optimization.md) is a peer-to-peer distribution method in Windows. Windows clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests.
 
-    Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
+    Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources and the time it takes for clients to retrieve the updates.
 
 - [BranchCache](../update/waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
 
     >[!NOTE]
     >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
 
-    Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
+    Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
 
 <br/><br/>
 
@@ -43,9 +44,9 @@ Two methods of peer-to-peer content distribution are available.
 | BranchCache | ![no.](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
 
 > [!NOTE]
-> Microsoft Endpoint Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
+> Microsoft Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
 >
-> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
+> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Configuration Manager](/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
 
 ## Express update delivery
 
@@ -55,7 +56,7 @@ Windows client quality update downloads can be large because every package conta
 > Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
 
 ### How Microsoft supports Express
-- **Express on Microsoft Endpoint Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
+- **Express on Microsoft Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update.
 - **Express on WSUS Standalone**
 
   Express update delivery is available on [all support versions of WSUS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc708456(v=ws.10)).
@@ -77,7 +78,7 @@ The Windows Update client will try to download Express first, and under certain
 1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package.
 2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered.
 3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required.
-4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded.
+4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if more ranges are needed. This step repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded.
 
 At this point, the download is complete and the update is ready to be installed.
 
@@ -92,5 +93,5 @@ At this point, the download is complete and the update is ready to be installed.
 | ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows client updates](../update/waas-servicing-strategy-windows-10-updates.md) |
 | ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](../update/waas-deployment-rings-windows-10-updates.md) |
 | ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](../update/waas-servicing-channels-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this article) |
+| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](../update/waas-manage-updates-wufb.md)<br/>or [Deploy Windows client updates using Windows Server Update Services](../update/waas-manage-updates-wsus.md)<br/>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md
index 3643b5fea8..35b2652d61 100644
--- a/windows/deployment/do/whats-new-do.md
+++ b/windows/deployment/do/whats-new-do.md
@@ -2,16 +2,16 @@
 title: What's new in Delivery Optimization
 manager: dougeby
 description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11.
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
-ms.collection:
-- M365-modern-desktop
-- m365initiative-coredeploy
-- highpri
+ms.collection: 
+  - M365-modern-desktop
+  - m365initiative-coredeploy
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # What's new in Delivery Optimization 
@@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020
 - Windows 10
 - Windows 11
 
-## Microsoft Connected Cache (private preview)
+## Microsoft Connected Cache (early preview)
 
 Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune.
 
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index a7dbbcc6f0..58bb72052d 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -6,17 +6,15 @@ summary: Learn about deploying and keeping Windows client devices up to date.  #
 metadata:
   title: Windows client deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
-  services: windows-10
-  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.subservice: subservice
-  ms.topic: landing-page # Required
+  ms.topic: landing-page
+  ms.technology: itpro-apps
+  ms.prod: windows-client
   ms.collection:
-    - windows-10
     - highpri
-  author: aczechowski
-  ms.author: aaroncz
-  manager: dougeby
-  ms.date: 02/08/2022 #Required; mm/dd/yyyy format.
+  author: frankroj
+  ms.author: frankroj
+  manager: aaroncz
+  ms.date: 10/31/2022 #Required; mm/dd/yyyy format.
   localization_priority: medium
     
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 112c4d3436..eb154e5d93 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -1,40 +1,42 @@
 ---
 title: MBR2GPT
 description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk.
-ms.prod: w10
-author: aczechowski
-ms.author: aaroncz
-ms.date: 02/13/2018
-manager: dougeby
+ms.prod: windows-client
+author: frankroj
+ms.author: frankroj
+ms.date: 11/23/2022
+manager: aaroncz
 ms.localizationpriority: high
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri
+ms.technology: itpro-deploy
 ---
 
 # MBR2GPT.EXE
 
-**Applies to**
--   Windows 10
+*Applies to:*
 
-**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option.
+- Windows 10
 
-MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later.
+**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
+
+MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
 
 The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
 
 See the following video for a detailed description and demonstration of MBR2GPT.
 
-<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/hfJep4hmg9o" frameborder="0" allowfullscreen></iframe>
+> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o]
 
 You can use MBR2GPT to:
 
-- Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
 - Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
-- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT provided that your task sequence uses Windows PE version 1703 or later.
+- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later.
 
-Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
 
 > [!IMPORTANT]
 > After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
@@ -44,18 +46,19 @@ Offline conversion of system disks with earlier versions of Windows installed, s
 ## Disk Prerequisites
 
 Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that:
+
 - The disk is currently using MBR
-- There is enough space not occupied by partitions to store the primary and secondary GPTs:
-  - 16KB + 2 sectors at the front of the disk
-  - 16KB + 1 sector at the end of the disk
-- There are at most 3 primary partitions in the MBR partition table
+- There's enough space not occupied by partitions to store the primary and secondary GPTs:
+  - 16 KB + 2 sectors at the front of the disk
+  - 16 KB + 1 sector at the end of the disk
+- There are at most three primary partitions in the MBR partition table
 - One of the partitions is set as active and is the system partition
-- The disk does not have any extended/logical partition
+- The disk doesn't have any extended/logical partition
 - The BCD store on the system partition contains a default OS entry pointing to an OS partition
-- The volume IDs can be retrieved for each volume which has a drive letter assigned
+- The volume IDs can be retrieved for each volume that has a drive letter assigned
 - All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
 
-If any of these checks fails, the conversion will not proceed and an error will be returned.
+If any of these checks fails, the conversion won't proceed, and an error will be returned.
 
 ## Syntax
 
@@ -65,21 +68,21 @@ If any of these checks fails, the conversion will not proceed and an error will
 
 | Option | Description |
 |----|-------------|
-|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
-|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
-|/disk:\<diskNumber\>| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
-|/logs:\<logDirectory\>| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
-|/map:\<source\>=\<destination\>| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
-|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it cannot be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
+|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
+|**/disk:*\<diskNumber\>***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
+|**/logs:*\<logDirectory\>***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|**/map:*\<source\>*=*\<destination\>***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
+|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. <br>**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
 
 ## Examples
 
 ### Validation example
 
-In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
+In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
 
-```console
-X:\>mbr2gpt /validate /disk:0
+```cmd
+X:\>mbr2gpt.exe /validate /disk:0
 MBR2GPT: Attempting to validate disk 0
 MBR2GPT: Retrieving layout of disk
 MBR2GPT: Validating layout, disk sector size is: 512
@@ -91,16 +94,25 @@ MBR2GPT: Validation completed successfully
 In the following example:
 
 1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+
 2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
-2. The MBR2GPT tool is used to convert disk 0.
-3. The DiskPart tool displays that disk 0 is now using the GPT format.
-4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+3. The MBR2GPT tool is used to convert disk 0.
+
+4. The DiskPart tool displays that disk 0 is now using the GPT format.
+
+5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+
+6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
 
 As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
 
-```console
-X:\>DiskPart
+<br>
+<details>
+  <summary>Expand to show MBR2GPT example</summary>
+
+```cmd
+X:\>DiskPart.exe
 
 Microsoft DiskPart version 10.0.15048.0
 
@@ -218,6 +230,8 @@ Offset in Bytes: 524288000
 * Volume 1     D   Windows      NTFS   Partition     58 GB  Healthy
 ```
 
+</details>
+
 ## Specifications
 
 ### Disk conversion workflow
@@ -225,9 +239,9 @@ Offset in Bytes: 524288000
 The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
 
 1. Disk validation is performed.
-2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist.
+2. The disk is repartitioned to create an EFI system partition (ESP) if one doesn't already exist.
 3. UEFI boot files are installed to the ESP.
-4. GPT metadata and layout information is applied.
+4. GPT metadata and layout information are applied.
 5. The boot configuration data (BCD) store is updated.
 6. Drive letter assignments are restored.
 
@@ -236,14 +250,14 @@ The following steps illustrate high-level phases of the MBR-to-GPT conversion pr
 For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
 
 1. The existing MBR system partition is reused if it meets these requirements:
-   1. It is not also the OS or Windows Recovery Environment partition.
-   1. It is at least 100MB (or 260MB for 4K sector size disks) in size.
-   1. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
-   1. The conversion is not being performed from the full OS. In this case, the existing MBR system partition is in use and cannot be repurposed.
+   1. It isn't also the OS or Windows Recovery Environment partition.
+   1. It is at least 100 MB (or 260 MB for 4K sector size disks) in size.
+   1. It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition.
+   1. The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed.
 
-2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
+2. If the existing MBR system partition can't be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32.
 
-If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
+If the existing MBR system partition isn't reused for the ESP, it's no longer used by the boot process after the conversion. Other partitions aren't modified.
 
 >[!IMPORTANT]
 >If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
@@ -258,17 +272,18 @@ Since GPT partitions use a different set of type IDs than MBR partitions, each p
 4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
 
 In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
+
 - GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
 - GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
 
 For more information about partition types, see:
+
 - [GPT partition types](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt)
 - [MBR partition types](/windows/win32/fileio/disk-partition-types)
 
-
 ### Persisting drive letter assignments
 
-The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. 
+The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
 
 > [!IMPORTANT]
 > This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
@@ -277,11 +292,11 @@ The conversion tool will obtain volume unique ID data before and after the layou
 
 1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
 2. If found, set the value to be the new unique ID, obtained after the layout conversion.
-3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
+3. If the new unique ID can't be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
 
 ## Troubleshooting
 
-The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
+The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
 
 ### Logs
 
@@ -292,7 +307,7 @@ Four log files are created by the MBR2GPT tool:
 - setupact.log
 - setuperr.log
 
-These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. 
+These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion.
 
 > [!NOTE]
 > The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
@@ -301,12 +316,12 @@ The default location for all these log files in Windows PE is **%windir%**.
 
 ### Interactive help
 
-To view a list of options available when using the tool, type **mbr2gpt /?**
+To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`**
 
 The following text is displayed:
 
-```console
-C:\> mbr2gpt /?
+```cmd
+C:\> mbr2gpt.exe /?
 
 Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
 
@@ -347,25 +362,23 @@ MBR2GPT has the following associated return codes:
 
 | Return code | Description |
 |----|-------------|
-|0| Conversion completed successfully.|
-|1| Conversion was canceled by the user.|
-|2| Conversion failed due to an internal error.|
-|3| Conversion failed due to an initialization error.|
-|4| Conversion failed due to invalid command-line parameters. |
-|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
-|6| Conversion failed because one or more volumes on the disk is encrypted.|
-|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.|
-|8| Conversion failed due to error while creating the EFI system partition.|
-|9| Conversion failed due to error installing boot files.|
-|10| Conversion failed due to error while applying GPT layout.|
-|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.|
-
+|**0**| Conversion completed successfully.|
+|**1**| Conversion was canceled by the user.|
+|**2**| Conversion failed due to an internal error.|
+|**3**| Conversion failed due to an initialization error.|
+|**4**| Conversion failed due to invalid command-line parameters. |
+|**5**| Conversion failed due to error reading the geometry and layout of the selected disk.|
+|**6**| Conversion failed because one or more volumes on the disk is encrypted.|
+|**7**| Conversion failed because the geometry and layout of the selected disk don't meet requirements.|
+|**8**| Conversion failed due to error while creating the EFI system partition.|
+|**9**| Conversion failed due to error installing boot files.|
+|**10**| Conversion failed due to error while applying GPT layout.|
+|**100**| Conversion to GPT layout succeeded, but some boot configuration data entries couldn't be restored.|
 
 ### Determining the partition type
 
 You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
 
-
 ```powershell
 PS C:\> Get-Disk | ft -Auto
 
@@ -379,11 +392,10 @@ You can also view the partition type of a disk by opening the Disk Management to
 
 :::image type="content" alt-text="Volumes." source="images/mbr2gpt-volume.png":::
 
+If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
 
-If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
-
-```console
-X:\>DiskPart
+```cmd
+X:\>DiskPart.exe
 
 Microsoft DiskPart version 10.0.15048.0
 
@@ -400,26 +412,25 @@ DISKPART> list disk
 
 In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.
 
-
 ## Known issue
 
-### MBR2GPT.exe cannot run in Windows PE
+### MBR2GPT.exe can't run in Windows PE
 
 When you start a Windows 10, version 1903-based computer in the Windows Preinstallation Environment (Windows PE), you encounter the following issues:
 
-**Issue 1** When you run the MBR2GPT.exe command, the process exits without converting the drive.
+**Issue 1** When you run the `MBR2GPT.exe` command, the process exits without converting the drive.
 
-**Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool.
+**Issue 2** When you manually run the `MBR2GPT.exe` command in a Command Prompt window, there's no output from the tool.
 
-**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
+**Issue 3** When `MBR2GPT.exe` runs inside an imaging process such as a Microsoft Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781.
 
 #### Cause
 
-This issue occurs because in Windows 10, version 1903 and later versions, MBR2GPT.exe requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
+This issue occurs because in Windows 10, version 1903 and later versions, `MBR2GPT.exe` requires access to the ReAgent.dll file. However, this dll file and its associated libraries are currently not included in the Windows PE boot image for Windows 10, version 1903 and later.
 
 #### Workaround
 
-To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps:
+To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. Use follow these steps:
 
 1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
 
@@ -432,34 +443,33 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
 
     **Command 1:**
   
-    ```console
+    ```cmd
     copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\ReAgent*.*" "C:\WinPE_Mount\Windows\System32"
     ```
-   
+
     This command copies three files:
 
-    * ReAgent.admx
-    * ReAgent.dll
-    * ReAgent.xml
+    - ReAgent.admx
+    - ReAgent.dll
+    - ReAgent.xml
 
     **Command 2:**
   
-    ```console
+    ```cmd
     copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Setup\amd64\Sources\En-Us\ReAgent*.*" "C:\WinPE_Mount\Windows\System32\En-Us"
     ```
-   
+
     This command copies two files:
 
-    * ReAgent.adml
-    * ReAgent.dll.mui
+    - ReAgent.adml
+    - ReAgent.dll.mui
 
     > [!NOTE]
     > If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language.
 
-3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
+3. After you copy all the files, commit the changes and unmount the Windows PE WIM. `MBR2GPT.exe` now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
 
-
-## Related topics
+## Related articles
 
 [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
 <BR>[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index 8faeb00aab..4a758fcbc4 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -2,11 +2,13 @@
 title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10)
 description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Application Compatibility Toolkit (ACT) Technical Reference
@@ -17,11 +19,11 @@ ms.topic: article
  
 >[!IMPORTANT]
 >We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](/mem/configmgr/desktop-analytics/overview), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
- 
-Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. 
- 
+
+Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft's experience upgrading millions of devices to Windows 10. 
+
 With Windows diagnostic data enabled, Windows Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- 
+
 Use Windows Analytics to get:
 - A visual workflow that guides you from pilot to production
 - Detailed computer and application inventory
@@ -29,7 +31,7 @@ Use Windows Analytics to get:
 - Guidance and insights into application and driver compatibility issues, with suggested fixes 
 - Data driven application rationalization tools
 - Application usage information, allowing targeted validation; workflow to track validation progress and decisions
-- Data export to commonly used software deployment tools, including Microsoft Endpoint Configuration Manager
+- Data export to commonly used software deployment tools, including Microsoft Configuration Manager
 
 The Windows Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
 
diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
index d6cc26188b..a66f84e71b 100644
--- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
+++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md
@@ -2,25 +2,25 @@
 title: Applying Filters to Data in the SUA Tool (Windows 10)
 description: Learn how to apply filters to results from the Standard User Analyzer (SUA) tool while testing your application.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Applying Filters to Data in the SUA Tool
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 On the user interface for the Standard User Analyzer (SUA) tool, you can apply filters to the issues that the tool has found so that you can view only the information that interests you.
 
diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
index 1db5157b5e..1d00068f16 100644
--- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
+++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md
@@ -2,17 +2,17 @@
 title: Available Data Types and Operators in Compatibility Administrator (Windows 10)
 description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Available Data Types and Operators in Compatibility Administrator
 
-
 **Applies to**
 
 -   Windows 10
@@ -26,7 +26,6 @@ The Compatibility Administrator tool provides a way to query your custom-compati
 
 ## Available Data Types
 
-
 Customized-compatibility databases in Compatibility Administrator contain the following data types.
 
 -   **Integer**. A numerical value with no fractional part. All integers are unsigned because none of the attributes can have a negative value.
@@ -37,7 +36,6 @@ Customized-compatibility databases in Compatibility Administrator contain the fo
 
 ## Available Attributes
 
-
 The following table shows the attributes you can use for querying your customized-compatibility databases in Compatibility Administrator.
 
 |Attribute|Description|Data type|
@@ -77,4 +75,3 @@ The following table shows the operators that you can use for querying your custo
 ## Related topics
 
 [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)
-
diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
index fead1005e4..64b214e0e5 100644
--- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
+++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md
@@ -2,11 +2,13 @@
 title: Best practice recommendations for Windows To Go (Windows 10)
 description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Best practice recommendations for Windows To Go
@@ -14,7 +16,7 @@ ms.topic: article
 
 **Applies to**
 
--   Windows 10
+-   Windows 10
 
 > [!IMPORTANT]
 > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
@@ -39,9 +41,9 @@ Additionally, we recommend that when you plan your deployment you should also pl
 [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)<br>
 [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)<br>
 
- 
+ 
 
- 
+ 
 
 
 
diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md
index a3a1f27a04..57500f6608 100644
--- a/windows/deployment/planning/compatibility-administrator-users-guide.md
+++ b/windows/deployment/planning/compatibility-administrator-users-guide.md
@@ -1,26 +1,27 @@
 ---
 title: Compatibility Administrator User's Guide (Windows 10)
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows.
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-mar2020
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Compatibility Administrator User's Guide
 
-
 **Applies to**
 
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
 
 The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides:
 
diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
index 6ace821889..e6aa979948 100644
--- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
+++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
@@ -1,19 +1,19 @@
 ---
 title: Compatibility Fix Database Management Strategies and Deployment (Windows 10)
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database.
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
 ms.custom: seo-marvel-mar2020
+ms.technology: itpro-deploy
 ---
 
 # Compatibility Fix Database Management Strategies and Deployment
 
-
 **Applies to**
 
 -   Windows 10
diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index 905b52b295..36d1893c70 100644
--- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -2,18 +2,18 @@
 title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista
 description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
 ---
 
 # Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
 
-
 **Applies to**
 
 -   Windows 10
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
index fe0d8b09c8..82a1bae472 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
@@ -2,16 +2,17 @@
 title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10)
 description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Creating a Custom Compatibility Fix in Compatibility Administrator
 
-
 **Applies to**
 
 -   Windows 10
@@ -44,7 +45,6 @@ The Compatibility Administrator tool has preloaded fixes for many common applica
 
 ## Creating a New Compatibility Fix
 
-
 If you are unable to find a preloaded compatibility fix for your application, you can create a new one for use by your customized database.
 
 **To create a new compatibility fix**
diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
index 2f0793108b..01691fdc5d 100644
--- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
@@ -2,17 +2,17 @@
 title: Create a Custom Compatibility Mode (Windows 10)
 description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Creating a Custom Compatibility Mode in Compatibility Administrator
 
-
 **Applies to**
 
 -   Windows 10
@@ -26,19 +26,15 @@ Windows® provides several *compatibility modes*, groups of compatibility fixes
 
 ## What Is a Compatibility Mode?
 
-
 A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API.
 
 ## Searching for Existing Compatibility Modes
 
-
 The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database.
 
 > [!IMPORTANT]
 > Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications.
 
-
-
 **To search for an existing application**
 
 1.  In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name.
@@ -47,14 +43,11 @@ The Compatibility Administrator tool has preloaded fixes for many common applica
 
 ## Creating a New Compatibility Mode
 
-
 If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database.
 
 > [!IMPORTANT]  
 > A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database.
 
-
-
 **To create a new compatibility mode**
 
 1.  In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**.
@@ -72,13 +65,4 @@ If you are unable to find a preloaded compatibility mode for your application, y
    The compatibility mode is added to your custom database.
 
 ## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
-
-
-
-
-
-
-
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
index 55551f08fc..78bd540870 100644
--- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
+++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md
@@ -2,45 +2,41 @@
 title: Create AppHelp Message in Compatibility Administrator (Windows 10)
 description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Creating an AppHelp Message in Compatibility Administrator
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.
 
 ## Blocking Versus Non-Blocking AppHelp Messages
 
-
 A blocking AppHelp message prevents the application from starting and displays a message to the user. You can define a specific URL where the user can download an updated driver or other fix to resolve the issue. When using a blocking AppHelp message, you must also define the file-matching information to identify the version of the application and enable the corrected version to continue.
 
-A non-blocking AppHelp message does not prevent the application from starting, but provides a message to the user including information such as security issues, updates to the application, or changes to the location of network resources.
+A non-blocking AppHelp message doesn't prevent the application from starting, but provides a message to the user that includes information such as security issues, updates to the application, or changes to the location of network resources.
 
 ## Searching for Existing Compatibility Fixes
 
-
 The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new AppHelp message, you can search for an existing application and then copy and paste the known fixes into your custom database.
 
 > [!IMPORTANT]
 > Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications.
 
- 
-
 **To search for an existing application**
 
 1.  In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name.
@@ -49,18 +45,17 @@ The Compatibility Administrator tool has preloaded fixes for many common applica
 
 ## Creating a New AppHelp Message
 
-
-If you are unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database.
+If you're unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database.
 
 **To create a new AppHelp message**
 
-1.  In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you will apply the AppHelp message, click **Create New**, and then click **AppHelp Message**.
+1.  In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you'll apply the AppHelp message, click **Create New**, and then click **AppHelp Message**.
 
 2.  Type the name of the application to which this AppHelp message applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**.
 
     The wizard shows the known **Matching Information**, which is used for program identification.
 
-3.  Select any additional criteria to use to match your applications to the AppHelp message, and then click **Next**.
+3.  Select any other criteria to use to match your applications to the AppHelp message, and then click **Next**.
 
     By default, Compatibility Administrator selects the basic matching criteria for your application.
 
@@ -68,9 +63,9 @@ If you are unable to find a preloaded AppHelp message for your application, you
 
 4.  Click one of the following options:
 
-    -   **Display a message and allow this program to run**. This is a non-blocking message, which means that you can alert the user that there might be a problem, but the application is not prevented from starting.
+    -   **Display a message and allow this program to run**. This message is non-blocking, which means that you can alert the user that there might be a problem, but the application isn't prevented from starting.
 
-    -   **Display a message and do not allow this program to run**. This is a blocking message, which means that the application will not start. Instead, this message points the user to a location that provides more information about fixing the issue.
+    -   **Display a message and do not allow this program to run**. This message is blocking, which means that the application won't start. Instead, this message points the user to a location that provides more information about fixing the issue.
 
 5.  Click **Next**.
 
@@ -78,10 +73,9 @@ If you are unable to find a preloaded AppHelp message for your application, you
 
 6.  Type the website URL and the message text to appear when the user starts the application, and then click **Finish**.
 
-## Issues with AppHelp Messages and Computers Running Windows 2000
+## Issues with AppHelp Messages and Computers Running Windows 2000
 
-
-The following issues might occur with computers running Windows 2000:
+The following issues might occur with computers running Windows 2000:
 
 -   You might be unable to create a custom AppHelp message.
 
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 76eadc45f9..45096f66f5 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -2,12 +2,14 @@
 title: Deployment considerations for Windows To Go (Windows 10)
 description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Deployment considerations for Windows To Go
diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index 9e64ab8e0b..6be90716a2 100644
--- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -2,25 +2,26 @@
 title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
 description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Enabling and Disabling Compatibility Fixes in Compatibility Administrator
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
 
@@ -31,8 +32,6 @@ Customized compatibility databases can become quite complex as you add your fixe
 >[!IMPORTANT]
 >Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
 
- 
-
 **To disable a compatibility fix within a database**
 
 1.  In the left-sde pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to disable, and then select the specific compatibility fix.
@@ -41,14 +40,11 @@ Customized compatibility databases can become quite complex as you add your fixe
 
 2.  On the **Database** menu, click **Disable Entry**.
 
-    **Important**  
+    **Important**  
     When you disable an entry, it will remain disabled even if you do not save the database file.
 
-     
-
 ## Enabling Compatibility Fixes
 
-
 You can enable your disabled compatibility fixes at any time.
 
 **To enable a compatibility fix within a database**
diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
index 54b85fbaa4..8f65a9df75 100644
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
+++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
@@ -2,25 +2,25 @@
 title: Fixing Applications by Using the SUA Tool (Windows 10)
 description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Fixing Applications by Using the SUA Tool
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
 
@@ -36,15 +36,4 @@ On the user interface for the Standard User Analyzer (SUA) tool, you can apply f
     |--- |--- |
     |**Apply Mitigations**|Opens the **Mitigate AppCompat Issues** dialog box, in which you can select the fixes that you intend to apply to the application.|
     |**Undo Mitigations**|Removes the application fixes that you just applied.<p>This option is available only after you apply an application fix and before you close the SUA tool. Alternatively, you can manually remove application fixes by using **Programs and Features** in Control Panel.|
-    |**Export Mitigations as Windows Installer file**|Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.|
-
-     
-
- 
-
- 
-
-
-
-
-
+    |**Export Mitigations as Windows Installer file**|Exports your application fixes as a Windows® Installer (.msi) file, which can then be deployed to other computers that are running the application.|
\ No newline at end of file
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 72b7ebe705..4d26878cb9 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -1,25 +1,27 @@
 ---
 title: Plan for Windows 10 deployment (Windows 10)
-description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date. 
-ms.prod: w10
+description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date.
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Plan for Windows 10 deployment
-Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process.
+Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. Together, these changes require that you rethink the traditional deployment process.
 
 ## In this section
 |Topic |Description |
 |------|------------|
 |[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.yml) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. |
-|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
-|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
-|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
-|[Features removed or planned for replacement](features-lifecycle.md) |Information is provided about Windows 10 features and functionality that are removed or planned for replacement. |
+|[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
+|[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
+|[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
+|[Features removed or planned for replacement](/windows/whats-new/feature-lifecycle) |Information is provided about Windows features and functionality that are removed or planned for replacement. |
 |[Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) |The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. |
 
 ## Related topics
@@ -29,4 +31,4 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
 - [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
 - [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
 - [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
- 
+ 
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index cdd078d772..4744b0559a 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -2,12 +2,13 @@
 title: Install/Uninstall Custom Databases (Windows 10)
 description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
@@ -15,21 +16,21 @@ ms.topic: article
 
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.
 
-By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator.
+By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator.
 
 > [!IMPORTANT]
 > Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
 
-In addition, you must deploy your databases to your organization’s computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md).
+In addition, you must deploy your databases to your organization's computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md).
 
  
 
diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
index 9e24aa3ddf..99aae19234 100644
--- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
@@ -2,25 +2,25 @@
 title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10)
 description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Managing Application-Compatibility Fixes and Custom Fix Databases
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.
 
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 78f1404be6..a1328a53ce 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -1,21 +1,22 @@
 ---
 title: Prepare your organization for Windows To Go (Windows 10)
-description: Though Windows To Go is no longer being developed, you can find info here about the the “what”, “why”, and “when” of deployment.
+description: Though Windows To Go is no longer being developed, you can find info here about the "what", "why", and "when" of deployment.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Prepare your organization for Windows To Go
 
-
 **Applies to**
 
--   Windows 10
+-   Windows 10
 
 > [!IMPORTANT]
 > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
@@ -24,89 +25,78 @@ The following information is provided to help you plan and design a new deployme
 
 ## What is Windows To Go?
 
-
-Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Offering a new mobility option, a Windows To Go workspace is not intended to replace desktops or laptops, or supplant other mobility offerings.
+Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. A Windows To Go workspace isn't intended to replace desktops or laptops, or supplant other mobility offerings.
 
 Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are:
 
 -   USB boot capable
 -   Have USB boot enabled in the firmware
 -   Meet Windows 7 minimum system requirements
--   Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM is not a supported processor for Windows To Go.
+-   Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM isn't a supported processor for Windows To Go.
 -   Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace
 
-Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go.
+Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go.
 
-The following topics will familiarize you with how you can use a Windows To Go workspace and give you an overview of some of the things you should consider in your design.
+The following articles will familiarize you with how you can use a Windows To Go workspace. They also give you an overview of some of the things you should consider in your design.
 
 ## Usage scenarios
 
 
 The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer:
 
--   **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes.
+-   **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection, or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes.
 
--   **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker's personal computer.
+-   **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker. Then they can be assisted with any necessary other user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive. And run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker's personal computer.
 
--   **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer.
+-   **Managed free seating.** The employee is issued a Windows To Go drive. This drive is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return, they use the same USB flash drive but use a different host computer.
 
--   **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
+-   **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work. This boot caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity.
 
--   **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC.
+-   **Travel lightly.** In this situation, you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC.
 
 > [!NOTE]
-> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object is not potentially deleted from Active Directory Domain Services (AD DS).
+> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace's computer object isn't potentially deleted from Active Directory Domain Services (AD DS).
 
- 
+ ## Infrastructure considerations
 
-## Infrastructure considerations
-
-
-Because Windows To Go requires no additional software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no additional infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group.
+Because Windows To Go requires no other software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no other infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group.
 
 ## Activation considerations
 
-
 Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
 
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](/DeployOffice/vlactivation/plan-volume-activation-of-office).
+Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This method is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](/DeployOffice/vlactivation/plan-volume-activation-of-office).
 
-You should investigate other software manufacturer's licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace.
+You should investigate other software manufacturer's licensing requirements to ensure they're compatible with roaming usage before deploying them to a Windows To Go workspace.
 
 > [!NOTE]
-> Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive.
+> Using Multiple Activation Key (MAK) activation isn't a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive.
 
- 
-
-See [Plan for Volume Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134042(v=ws.11)) for more information about these activation methods and how they can be used in your organization.
+ For more information about these activation methods and how they can be used in your organization, see [Plan for Volume Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134042(v=ws.11)).
 
 ## Organizational unit structure and use of Group Policy Objects
 
+You may find it beneficial to create other Active Directory organizational unit (OU) structures to support your Windows To Go deployment: one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers that can boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation.
 
-You may find it beneficial to create additional Active Directory organizational unit (OU) structures to support your Windows To Go deployment; one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers which have the ability to boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation.
-
-If you are deploying Windows To Go workspaces for a scenario in which they are not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store.
+If you're deploying Windows To Go workspaces for a scenario in which they're not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store.
 
 For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
 
 ## Computer account management
 
-
-If you configure Windows To Go drives for scenarios where drives may remain unused for extended period of time such as use in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule or modify any maintenance scripts to not clean up computer accounts in the Windows To Go device organizational unit.
+If you configure Windows To Go drives for scenarios where drives may remain unused for extended periods of time such as used in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule, or modify any maintenance scripts to not clean computer accounts in the Windows To Go device organizational unit.
 
 ## User account and data management
 
-
-People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
+People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to be able to get to the data that they work with, and to keep it accessible when the workspace isn't being used. For this reason, we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
 
 Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace.
 
 ## Remote connectivity
 
+If you want Windows To Go to be able to connect back to organizational resources when it's being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636119(v=ws.11)).
 
-If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636119(v=ws.11)).
-
-## Related topics
+## Related articles
 
 
 [Windows To Go: feature overview](windows-to-go-overview.md)
@@ -116,6 +106,3 @@ If you want Windows To Go to be able to connect back to organizational resources
 [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
 
 [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.yml)
-
- 
-
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
index 53d51c7ea4..05272344a0 100644
--- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -2,25 +2,25 @@
 title: Searching for Fixed Applications in Compatibility Administrator (Windows 10)
 description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Searching for Fixed Applications in Compatibility Administrator
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.
 
@@ -31,8 +31,6 @@ The **Query Compatibility Databases** tool provides additional search options. F
 > [!IMPORTANT]
 > You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator.
 
- 
-
 **To search for previous fixes**
 
 1.  On the Compatibility Administrator toolbar, click **Search**.
@@ -47,12 +45,10 @@ The **Query Compatibility Databases** tool provides additional search options. F
 
 ## Viewing Your Query Results
 
-
 Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix.
 
 ## Exporting Your Query Results
 
-
 You can export your search results to a text (.txt) file for later review or archival.
 
 **To export your search results**
@@ -62,13 +58,4 @@ You can export your search results to a text (.txt) file for later review or arc
 2.  Browse to the location where you want to store your search result file, and then click **Save**.
 
 ## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
- 
-
- 
-
-
-
-
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 496856bf9f..5d49ad0b11 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -2,16 +2,17 @@
 title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10)
 description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
 
-
 **Applies to**
 
 -   Windows 10
@@ -102,7 +103,7 @@ You can use the **Fix Description** tab of the Query tool to add parameters that
 
 ## Querying by Using the Advanced Tab
 
-You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria.
+You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria.
 
 **To query by using the Advanced tab**
 
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
index cbb62f87be..f99d187140 100644
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
@@ -2,19 +2,19 @@
 title: Security and data protection considerations for Windows To Go (Windows 10)
 description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Security and data protection considerations for Windows To Go
 
-
 **Applies to**
 
--   Windows 10
+-   Windows 10
 
 > [!IMPORTANT]
 > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
@@ -23,38 +23,32 @@ One of the most important requirements to consider when you plan your Windows To
 
 ## Backup and restore
 
-
 When you don't save data on the Windows To Go drive, you don't need for a backup and restore solution for Windows To Go. If you're saving data on the drive and aren't using folder redirection and offline files, you should back up all of your data to a network location such as cloud storage or a network share, after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement.
 
 If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and reprovision the drive with Windows To Go, so all data and customization on the drive will be lost. This result is another reason why using roaming user profiles, folder redirection, and offline files with Windows To Go is recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
 
 ## BitLocker
 
-
 We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace. This password requirement helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) can't be used by BitLocker to protect the drive. Instead, you'll be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller.
 
 You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace.
 
-**Tip**  
-If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-)
+> [!Tip]
+> If the Windows To Go Creator wizard isn't able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.yml#why-can-t-i-enable-bitlocker-from-windows-to-go-creator-)
 
- 
-
-When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode.
+When you use a host computer running Windows 7 that has BitLocker enabled, suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker isn't suspended first, the next boot of the computer is in recovery mode.
 
 ## Disk discovery and data leakage
 
-
 We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This prevention means the drive won't appear in Windows Explorer and an Auto-Play prompt won't be displayed to the user. This non-display of the drive and the prompt reduces the likelihood that an end user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you.
 
-To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
+To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - "4" to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It's recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
 
 For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)).
 
 ## Security certifications for Windows To Go
 
-
-Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider’s specific hardware environment. For more information about Windows security certifications, see the following articles.
+Windows to Go is a core capability of Windows when it's deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for more certifications by the solution provider that cover the solution provider's specific hardware environment. For more information about Windows security certifications, see the following articles.
 
 -   [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria)
 
@@ -62,7 +56,6 @@ Windows to Go is a core capability of Windows when it's deployed on the drive an
 
 ## Related articles
 
-
 [Windows To Go: feature overview](windows-to-go-overview.md)
 
 [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index f6e9d05353..e08401cc6b 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -2,25 +2,25 @@
 title: Showing Messages Generated by the SUA Tool (Windows 10)
 description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Showing Messages Generated by the SUA Tool
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
 
@@ -37,11 +37,4 @@ On the user interface for the Standard User Analyzer (SUA) tool, you can show th
 |**Error Messages**|When this command is selected, the user interface shows error messages that the SUA tool has generated. Error messages are highlighted in pink.<p>This command is selected by default.|
 |**Warning Messages**|When this command is selected, the user interface shows warning messages that the SUA tool has generated. Warning messages are highlighted in yellow.|
 |**Information Messages**|When this command is selected, the user interface shows informational messages that the SUA tool has generated. Informational messages are highlighted in green.|
-|**Detailed Information**|When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.|
-
- 
-
-
-
-
-
+|**Detailed Information**|When this command is selected, the user interface shows information that the SUA tool has generated, such as debug, stack trace, stop code, and severity information.|
\ No newline at end of file
diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
index 50bae4c447..2da3a82f9e 100644
--- a/windows/deployment/planning/sua-users-guide.md
+++ b/windows/deployment/planning/sua-users-guide.md
@@ -3,25 +3,25 @@ title: SUA User's Guide (Windows 10)
 description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature.
 ms.custom: seo-marvel-apr2020
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # SUA User's Guide
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 You can use Standard User Analyzer (SUA) to test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows.
 
@@ -36,6 +36,4 @@ You can use SUA in either of the following ways:
 |Topic|Description|
 |--- |--- |
 |[Using the SUA wizard](using-the-sua-wizard.md)|The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.|
-|[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.|
-
-
+|[Using the SUA Tool](using-the-sua-tool.md)|By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.|
\ No newline at end of file
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index ab6c4e83a7..4b809cd144 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -2,25 +2,25 @@
 title: Tabs on the SUA Tool Interface (Windows 10)
 description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Tabs on the SUA Tool Interface
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
 
@@ -31,7 +31,7 @@ The following table provides a description of each tab on the user interface for
 |App Info|Provides the following information for the selected application:<li>Debugging information<li>Error, warning, and informational messages (if they are enabled)<li>Options for running the application|
 |File|Provides information about access to the file system.<p>For example, this tab might show an attempt to write to a file that only administrators can typically access.|
 |Registry|Provides information about access to the system registry.<p>For example, this tab might show an attempt to write to a registry key that only administrators can typically access.|
-|INI|Provides information about WriteProfile API issues.<p>For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from **Standard** to **Scientific**, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.|
+|INI|Provides information about WriteProfile API issues.<p>For example, in the Calculator tool (Calc.exe) in Windows® XP, when you change the view from **Standard** to **Scientific**, Calc.exe calls the WriteProfile API to write to the Windows\Win.ini file. The Win.ini file is writable only for administrators.|
 |Token|Provides information about access-token checking.<p>For example, this tab might show an explicit check for the Builtin\Administrators security identifier (SID) in the user's access token. This operation may not work for a standard user.|
 |Privilege|Provides information about permissions.<p>For example, this tab might show an attempt to explicitly enable permissions that do not work for a standard user.|
 |Name Space|Provides information about creation of system objects.<p>For example, this tab might show an attempt to create a new system object, such as an event or a memory map, in a restricted namespace. Applications that attempt this kind of operation do not function for a standard user.|
diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
index 4ab4be6a19..28f0233990 100644
--- a/windows/deployment/planning/testing-your-application-mitigation-packages.md
+++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md
@@ -2,31 +2,30 @@
 title: Testing Your Application Mitigation Packages (Windows 10)
 description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Testing Your Application Mitigation Packages
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.
 
 ## Testing Your Application Mitigation Packages
 
-
 Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment.
 
 **To test your mitigation strategies**
@@ -49,7 +48,6 @@ Testing your application mitigation package strategies is an iterative process,
 
 ## Reporting the Compatibility Mitigation Status to Stakeholders
 
-
 After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings.
 
 -   **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment.
@@ -62,7 +60,6 @@ After testing your application mitigation package, you must communicate your sta
 
 ## Resolving Outstanding Compatibility Issues
 
-
 At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods.
 
 -   Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool.
@@ -70,8 +67,6 @@ At this point, you probably cannot resolve any unresolved application compatibil
     > [!NOTE]
     > For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md).
 
-     
-
 -   Run the application in a virtual environment.
 
     Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system.
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index d91279a5d5..fe304771ef 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -2,11 +2,13 @@
 title: Understanding and Using Compatibility Fixes (Windows 10)
 description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Understanding and Using Compatibility Fixes
@@ -37,8 +39,6 @@ Specifically, the process modifies the address of the affected Windows function
 >[!NOTE]
 >For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API.
 
- 
-
 ## Design Implications of the Compatibility Fix Infrastructure
 
 There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure.
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index 2e1dbd9ead..586884be61 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -2,31 +2,30 @@
 title: Using the Compatibility Administrator Tool (Windows 10)
 description: This section provides information about using the Compatibility Administrator tool.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Using the Compatibility Administrator Tool
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 This section provides information about using the Compatibility Administrator tool.
 
 ## In this section
 
-
 |Topic|Description|
 |--- |--- |
 |[Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)|The Compatibility Administrator tool provides a way to query your custom-compatibility databases.|
@@ -37,8 +36,4 @@ This section provides information about using the Compatibility Administrator to
 |[Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)|The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.|
 |[Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)|The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.|
 |[Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)|You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.|
-|[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)|The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.|
-
-
-
-
+|[Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)|The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.|
\ No newline at end of file
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index e4196523e8..9ce7891647 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -2,26 +2,26 @@
 title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
 description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Using the Sdbinst.exe Command-Line Tool
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2016
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2016
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 Deploy your customized database (.sdb) files to other computers in your organization. That is, before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways. By using a logon script, by using Group Policy, or by performing file copy operations.
 
@@ -66,4 +66,4 @@ The following table describes the available command-line options.
 
 ## Related articles
 
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index f4de4f8ae5..6e2479ed22 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -2,25 +2,25 @@
 title: Using the SUA Tool (Windows 10)
 description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Using the SUA Tool
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
 
@@ -32,7 +32,6 @@ In the SUA tool, you can choose to run the application as **Administrator** or a
 
 ## Testing an Application by Using the SUA Tool
 
-
 Before you can use the SUA tool, you must install Application Verifier. You must also install the Microsoft® .NET Framework 3.5 or later.
 
 The following flowchart shows the process of using the SUA tool.
@@ -76,13 +75,4 @@ The following flowchart shows the process of using the SUA tool.
 
 [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md)
 
-[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
-
- 
-
- 
-
-
-
-
-
+[Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index e0a506b5ca..5ce139085f 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -2,25 +2,25 @@
 title: Using the SUA wizard (Windows 10)
 description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 10/28/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Using the SUA wizard
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 The Standard User Analyzer (SUA) wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA wizard doesn't offer detailed analysis, and it can't disable virtualization or elevate your permissions.
 
@@ -28,7 +28,6 @@ For information about the SUA tool, see [Using the SUA Tool](using-the-sua-tool.
 
 ## Testing an Application by Using the SUA wizard
 
-
 Install Application Verifier before you can use the SUA wizard. If Application Verifier isn't installed on the computer that is running the SUA wizard, the SUA wizard notifies you. In addition, install the Microsoft® .NET Framework 3.5 or later before you can use the SUA wizard.
 
 The following flowchart shows the process of using the SUA wizard.
@@ -74,13 +73,4 @@ The following flowchart shows the process of using the SUA wizard.
     If the remedies don't fix the issue with the application, click **No** again, and the wizard may offer another remedies. If the other remedies don't fix the issue, the wizard informs you that there are no more remedies available. For information about how to run the SUA tool for more investigation, see [Using the SUA Tool](using-the-sua-tool.md).
 
 ## Related articles
-[SUA User's Guide](sua-users-guide.md)
-
- 
-
- 
-
-
-
-
-
+[SUA User's Guide](sua-users-guide.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index 3d363d0db4..88e06925c5 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -2,39 +2,37 @@
 title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
 description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Viewing the Events Screen in Compatibility Administrator
 
-
 **Applies to**
 
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012
--   Windows Server 2008 R2
+-   Windows 10
+-   Windows 8.1
+-   Windows 8
+-   Windows 7
+-   Windows Server 2012
+-   Windows Server 2008 R2
 
 The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
 
 >[!IMPORTANT]
 >The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list.
 
- 
-
-**To open the Events screen**
+ **To open the Events screen**
 
 - On the **View** menu, click **Events**.
 
 ## Handling Multiple Copies of Compatibility Fixes
 
-
 Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names.
 
 If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion.
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 790592964c..11fe1573d4 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -1,40 +1,40 @@
 ---
 title: Windows 10 compatibility (Windows 10)
-description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
+description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Windows 10 compatibility
 
-
 **Applies to**
 
--   Windows 10
+-   Windows 10
 
-Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
+Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
 
-For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10.
+For full system requirements, see [Windows 10 specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077). Some driver updates may be required for Windows 10.
 
 Existing desktop (Win32) application compatibility is also expected to be strong, with most existing applications working without any changes. Those applications that interface with Windows at a low level, those applications that use undocumented APIs, or those that do not follow recommended coding practices could experience issues.
 
-Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
+Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
 
-For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](/internet-explorer/ie11-deploy-guide/)
+For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](/internet-explorer/ie11-deploy-guide/)
 
 ## Recommended application testing process
 
+Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to use more optimized testing processes, which reflect the higher levels of compatibility that are expected. At a high level:
 
-Historically, organizations have performed extensive, and often exhaustive, testing of the applications they use before deployment of a new Windows version, service pack, or any other significant update. With Windows 10, organizations are encouraged to use more optimized testing processes, which reflect the higher levels of compatibility that are expected. At a high level:
+-   Identify mission-critical applications and websites, those applications and websites that are essential to the organization's operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release.
 
--   Identify mission-critical applications and websites, those applications and websites that are essential to the organization’s operations. Focus testing efforts on this subset of applications, early in the Windows development cycle (for example, with Windows Insider Program builds) to identify potential issues. Report any issues you encounter with the Windows Feedback tool, so that these issues can be addressed prior to the next Windows release.
-
--   For less critical applications, apply an “internal flighting” or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines.
+-   For less critical applications, apply an "internal flighting" or pilot-based approach, by deploying new Windows upgrades to groups of machines, growing gradually in size and potential impact, to verify compatibility with hardware and software. Reactively address issues before you expand the pilot to more machines.
 
 ## Related articles
 
@@ -43,8 +43,4 @@ Historically, organizations have performed extensive, and often exhaustive, test
 
 [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
 
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
- 
-
- 
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index a9fb6d7c33..09dbb881a7 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -1,31 +1,32 @@
 ---
 title: Windows 10 deployment considerations (Windows 10)
-description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
+description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Windows 10 deployment considerations
 
-
 **Applies to**
 
--   Windows 10
+-   Windows 10
 
-There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
+There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
 
-For many years, organizations have deployed new versions of Windows using a “wipe and load” deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary.
+For many years, organizations have deployed new versions of Windows using a "wipe and load" deployment process. At a high level, this process captures existing data and settings from the existing device, deploys a new custom-built Windows image to a PC, injects hardware drivers, reinstalls applications, and finally restores the data and settings. With Windows 10, this process is still fully supported, and for some deployment scenarios is still necessary.
 
-Windows 10 also introduces two additional scenarios that organizations should consider:
+Windows 10 also introduces two additional scenarios that organizations should consider:
 
 -   **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
 
--   **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
+-   **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
 
     Both of these scenarios eliminate the image creation process altogether, which can greatly simplify the deployment process.
 
@@ -34,33 +35,32 @@ Windows 10 also introduces two additional scenarios that organizations should c
 | Consider ... | For these scenarios  |
 |---|---|
 | In-place upgrade  | - When you want to keep all (or at least most) existing applications<br/>- When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)<br/>- To migrate from Windows 10 to a later Windows 10 release |
-| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS<br/>- When you make significant device or operating system configuration changes<br/>- When you “start clean”. For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs<br/>- When you migrate from Windows Vista or other previous operating system versions |
-| Dynamic provisioning | - For new devices, especially in “choose your own device” scenarios when simple configuration (not reimaging) is all that is required. <br/>- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps |
-
+| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS<br/>- When you make significant device or operating system configuration changes<br/>- When you "start clean". For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs<br/>- When you migrate from Windows Vista or other previous operating system versions |
+| Dynamic provisioning | - For new devices, especially in "choose your own device" scenarios when simple configuration (not reimaging) is all that is required. <br/>- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps |
 
 ## Migration from previous Windows versions
 
-For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.
+For existing PCs running Windows 7 or Windows 8.1, in-place upgrade is the recommended method for Windows 10 deployment and should be used whenever possible. Although wipe-and-load (OS refresh) deployments are still fully supported (and necessary in some scenarios, as mentioned previously), in-place upgrade is simpler and faster, and enables a faster Windows 10 deployment overall.
 
-The original Windows 8 release was only supported until January 2016. For devices running Windows 8.0, you can update to Windows 8.1 and then upgrade to Windows 10.
+The original Windows 8 release was only supported until January 2016. For devices running Windows 8.0, you can update to Windows 8.1 and then upgrade to Windows 10.
 
 For PCs running operating systems older than Windows 7, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
 
 For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
 
-For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
+For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
 
 ## Setting up new computers
 
-For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
+For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
 
--   **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+-   **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their "work or school account" within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
 -   **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
 
 In either of these scenarios, you can make a variety of configuration changes to the PC:
 
--   Transform the edition (SKU) of Windows 10 that is in use.
+-   Transform the edition (SKU) of Windows 10 that is in use.
 -   Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
 -   Install apps, language packs, and updates.
 -   Enroll the device in a management solution (applicable for IT admin-driven scenarios, configuring the device just enough to allow the management tool to take over configuration and ongoing management).
@@ -80,10 +80,5 @@ The upgrade process is also optimized to reduce the overall time and network ban
 
 ## Related topics
 
-
 [Windows 10 compatibility](windows-10-compatibility.md)<br>
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
-
- 
-
- 
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
index 4a695dc7b7..853855b43b 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@@ -3,15 +3,16 @@ metadata:
   title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
   description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
   keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools
-  ms.prod: w10
+  ms.prod: windows-client
+  ms.technology: itpro-deploy
   ms.mktglfcycl: plan
   ms.localizationpriority: medium
   ms.sitesec: library
-  ms.date: 05/12/2022
+  ms.date: 10/28/2022
   ms.reviewer: 
-  author: aczechowski
-  ms.author: aaroncz
-  manager: dougeby
+  author: frankroj
+  ms.author: frankroj
+  manager: aaroncz
   audience: itpro
   ms.topic: faq
 title: 'Windows 10 Enterprise: FAQ for IT professionals'
@@ -49,7 +50,7 @@ sections:
           For many devices, drivers will be automatically installed in Windows 10 and there will be no need for further action.
           - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
           - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
-          - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
+          - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
               - [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html)
               - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
               - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984)
@@ -70,9 +71,9 @@ sections:
       - question: |
           Which deployment tools support Windows 10?
         answer: |
-          Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) support Windows 10.
+          Updated versions of Microsoft deployment tools, including Microsoft Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) support Windows 10.
 
-          - [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using it, download a free 180-day trial of [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager).
+          - [Microsoft Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using it, download a free 180-day trial of [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager).
 
           - [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment.
 
@@ -81,7 +82,7 @@ sections:
       - question: |
           Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
         answer: |
-          Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
+          Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
           
       - question: |
           Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
@@ -114,7 +115,7 @@ sections:
           - Windows Update
           - Windows Update for Business
           - Windows Server Update Services
-          - Microsoft Endpoint Configuration Manager
+          - Microsoft Configuration Manager
           
           For more information, see [Servicing Tools](../update/waas-overview.md#servicing-tools).
           
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 4bde7474f4..26aff43d39 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -2,26 +2,27 @@
 title: Windows 10 infrastructure requirements (Windows 10)
 description: Review the infrastructure requirements for deployment and management of Windows 10,  prior to significant Windows 10 deployments within your organization.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Windows 10 infrastructure requirements
 
-
 **Applies to**
 
--   Windows 10
+-   Windows 10
 
-There are specific infrastructure requirements that should be in place for the deployment and management of Windows 10. Fulfill these requirements before any Windows 10-related deployments take place.
+There are specific infrastructure requirements that should be in place for the deployment and management of Windows 10. Fulfill these requirements before any Windows 10-related deployments take place.
 
 ## High-level requirements
 
-For initial Windows 10 deployments, and for subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage.
+For initial Windows 10 deployments, and for subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to use local server storage.
 
 For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.)
 
@@ -29,21 +30,21 @@ For persistent VDI environments, carefully consider the I/O impact from upgradin
 
 The latest version of the Windows Assessment and Deployment Toolkit (ADK) is available for download [here](/windows-hardware/get-started/adk-install).
 
-Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more).
+Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which use the Windows Imaging and Configuration Designer (Windows ICD). There's also updated versions of existing deployment tools (DISM, USMT, Windows PE, and more).
 
 The latest version of the Microsoft Deployment Toolkit (MDT) is available for download [here](/mem/configmgr/mdt/release-notes).
 
-For Configuration Manager, Windows 10 version specific support is offered with [various releases](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
+For Configuration Manager, Windows 10 version specific support is offered with [various releases](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
 
-For more details about Microsoft Endpoint Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+For more information about Microsoft Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
 ## Management tools
 
-In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) to update the ADMX files stored in that central store.
+In addition to Microsoft Configuration Manager, Windows 10 also uses other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you're using a central policy store, follow the steps outlined [here](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) to update the ADMX files stored in that central store.
 
-No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features.
+No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these schema updates to support new features.
 
-Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 10. The minimum versions required to support Windows 10 are as follows:
+Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 10. The minimum versions required to support Windows 10 are as follows:
 
 | Product                                                  | Required version         |
 |----------------------------------------------------------|--------------------------|
@@ -55,50 +56,46 @@ Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 
 
 For more information, see the [MDOP TechCenter](/microsoft-desktop-optimization-pack/).
 
-For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](/windows/client-management/mdm/) for more information.
+For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10. New Windows 10 MDM settings and capabilities will require updates to the MDM services. For more information, see [Mobile device management](/windows/client-management/mdm/).
 
-Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions:
+Windows Server Update Services (WSUS) requires some more configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions:
 
-1.  Select the **Options** node, and then click **Products and Classifications**.
-2.  In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**.
+1.  Select the **Options** node, and then select **Products and Classifications**.
+2.  In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Select **OK**.
 3.  From the **Synchronizations** node, right-click and choose **Synchronize Now**.
 
 ![figure 1.](images/fig4-wsuslist.png)
 
-WSUS product list with Windows 10 choices
+WSUS product list with Windows 10 choices
 
-Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's update. Consider using “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information.
+Because Windows 10 updates are cumulative in nature, each month's new update will supersede the previous month's update. Consider using "express installation" packages to reduce the size of the payload that needs to be sent to each PC each month. For more information, see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)).
 
 > [!NOTE]
 > The usage of "express installation" packages will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.
 
 ## Activation
 
-Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers:
+Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). An update will be required for existing KMS servers:
 
 | Product                                | Required update                                                                             |
 |----------------------------------------|---------------------------------------------------------------------------------------------|
-| Windows 10                             | None                                                                                        |
-| Windows Server 2012 R2 and Windows 8.1 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) |
-| Windows Server 2012 and Windows 8      | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) |
-| Windows Server 2008 R2 and Windows 7   | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821)                                                                   |
+| Windows 10                             | None                                                                                        |
+| Windows Server 2012 R2 and Windows 8.1 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) |
+| Windows Server 2012 and Windows 8      | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) |
+| Windows Server 2008 R2 and Windows 7   | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821)                                                                   |
 
 Also see: [Windows Server 2016 Volume Activation Tips](/archive/blogs/askcore/windows-server-2016-volume-activation-tips)
 
-Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys:
+Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation). These keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys:
 
 -   Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights.
--   For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key.
--   For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys will not work on Windows servers running KMS.)
+-   For KMS keys, select **Licenses** and then select **Relationship Summary**. Select the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key.
+-   For MAK keys, select **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Select the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. These keys won't work on Windows servers running KMS.)
 
-Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both.
+Windows 10 Enterprise and Windows 10 Enterprise LTSC installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both.
 
 ## Related articles
 
 [Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md)<br>
 [Windows 10 deployment considerations](windows-10-deployment-considerations.md)<br>
-[Windows 10 compatibility](windows-10-compatibility.md)<br>
-
- 
-
- 
+[Windows 10 compatibility](windows-10-compatibility.md)<br>
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
index f57d4eedc3..c234ad4992 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
@@ -4,21 +4,23 @@ metadata:
   description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature.
   ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
   ms.reviewer: 
-  author: aczechowski
-  ms.author: aaroncz
-  manager: dougeby
+  author: frankroj
+  ms.author: frankroj
+  manager: aaroncz
   keywords: FAQ, mobile, device, USB
-  ms.prod: w10
+  ms.prod: windows-client
+  ms.technology: itpro-deploy
   ms.mktglfcycl: deploy
   ms.pagetype: mobility
   ms.sitesec: library
   audience: itpro
   ms.topic: faq
+  ms.date: 10/28/2022
 title: 'Windows To Go: frequently asked questions'
 summary: |
   **Applies to**
   
-  -   Windows 10
+  -   Windows 10
   
   > [!IMPORTANT]
   > Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
@@ -114,12 +116,12 @@ sections:
       - question: |
           What is Windows To Go?
         answer: |
-          Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs.
+          Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs.
 
       - question: |
           Does Windows To Go rely on virtualization?
         answer: |
-          No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure.
+          No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It's just like a laptop hard drive with Windows 8 that has been put into a USB enclosure.
 
       - question: |
           Who should use Windows To Go?
@@ -133,9 +135,9 @@ sections:
           
           -   A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware)
           
-          -   A Windows 10 Enterprise or Windows 10 Education image
+          -   A Windows 10 Enterprise or Windows 10 Education image
           
-          -   A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys
+          -   A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys
           
           You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you're creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process.
           
@@ -147,7 +149,7 @@ sections:
       - question: |
           Is Windows To Go supported on USB 2.0 and USB 3.0 ports?
         answer: |
-          Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later.
+          Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later.
 
       - question: |
           How do I identify a USB 3.0 port?
@@ -162,22 +164,22 @@ sections:
       - question: |
           Can the user self-provision Windows To Go?
         answer: |
-          Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746).
+          Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746).
           
       - question: |
           How can Windows To Go be managed in an organization?
         answer: |
-          Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Endpoint Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
+          Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like Microsoft Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
 
       - question: |
           How do I make my computer boot from USB?
         answer: |
-          For host computers running Windows 10
+          For host computers running Windows 10
           
           -   Using Cortana, search for **Windows To Go startup options**, and then press Enter.
           -   In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB.
           
-          For host computers running Windows 8 or Windows 8.1:
+          For host computers running Windows 8 or Windows 8.1:
           
           Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter.
           
@@ -198,7 +200,7 @@ sections:
           
           For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
           
-          **Warning**  
+          **Warning**  
           Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive.
           
            
@@ -206,7 +208,7 @@ sections:
       - question: |
           Why isn't my computer booting from USB?
         answer: |
-          Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation:
+          Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation:
           
           1.  Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device.
           
@@ -221,7 +223,7 @@ sections:
         answer: |
           If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive isn't reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds.
           
-          **Warning**  
+          **Warning**  
           You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive.
           
            
@@ -229,7 +231,7 @@ sections:
       - question: |
           Can I use BitLocker to protect my Windows To Go drive?
         answer: |
-          Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace.
+          Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you'll be prompted to enter this password every time you use the Windows To Go workspace.
 
       - question: |
           Why can't I enable BitLocker from Windows To Go Creator?
@@ -265,12 +267,12 @@ sections:
       - question: |
           Does Windows To Go support crash dump analysis?
         answer: |
-          Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0.
+          Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0.
 
       - question: |
           Do "Windows To Go Startup Options" work with dual boot computers?
         answer: |
-          Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
+          Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
           
           If you have configured a dual boot computer with a Windows operating system and another operating system, it might work occasionally and fail occasionally. Using this configuration is unsupported.
           
@@ -279,7 +281,7 @@ sections:
         answer: |
           Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
           
-          **Warning**  
+          **Warning**  
           It's strongly recommended that you don't plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised.
           
            
@@ -289,8 +291,8 @@ sections:
         answer: |
           Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
           
-          **Warning**  
-          It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
+          **Warning**  
+          It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
           
            
           
@@ -307,7 +309,7 @@ sections:
       - question: |
           Does Windows To Go work with ARM processors?
         answer: |
-          No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors.
+          No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors.
 
       - question: |
           Can I synchronize data from Windows To Go with my other computer?
@@ -332,7 +334,7 @@ sections:
       - question: |
           Can I use all my applications on Windows To Go?
         answer: |
-          Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time.
+          Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time.
 
       - question: |
           Does Windows To Go work slower than standard Windows?
@@ -347,14 +349,14 @@ sections:
       - question: |
           Can I boot Windows To Go on a Mac?
         answer: |
-          We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac.
+          We're committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers aren't certified for use with Windows 7 or later, using Windows To Go isn't supported on a Mac.
 
       - question: |
           Are there any APIs that allow applications to identify a Windows To Go workspace?
         answer: |
           Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true, it means that the operating system was booted from an external USB device.
           
-          Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment.
+          Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment.
           
           For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem).
           
@@ -371,17 +373,17 @@ sections:
       - question: |
           Why won't Windows To Go work on a computer running Windows XP or Windows Vista?
         answer: |
-          Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports.
+          Actually it might. If you've purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you've configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports.
 
       - question: |
           Why does the operating system on the host computer matter?
         answer: |
-          It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
+          It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer can't boot from USB there's no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
 
       - question: |
-          My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?
+          My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?
         answer: |
-          The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary.
+          The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary.
           
           You can reset the BitLocker system measurements to incorporate the new boot order using the following steps:
           
@@ -404,7 +406,7 @@ sections:
           The host computer will now be able to be booted from a USB drive without triggering recovery mode.
           
           > [!NOTE]
-          > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order.
+          > The default BitLocker protection profile in Windows 8 or later doesn't monitor the boot order.
           
            
           
@@ -429,7 +431,7 @@ sections:
       - question: |
           Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?
         answer: |
-          One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations.
+          One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations.
           
           In certain cases, third-party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs that don't  support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
           
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index 483767ebfe..5465e73df5 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -2,16 +2,19 @@
 title: Windows To Go feature overview (Windows 10)
 description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.collection: 
+  - highpri
+ms.date: 10/28/2022
 ---
 
 # Windows To Go: feature overview
 
-
 **Applies to**
 
 - Windows 10
@@ -21,12 +24,15 @@ ms.topic: article
 
 Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
 
-PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go:
+PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go:
 
-- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif)
-- [Roaming with Windows To Go](#bkmk-wtgroam)
-- [Prepare for Windows To Go](#wtg-prep-intro)
-- [Hardware considerations for Windows To Go](#wtg-hardware)
+- [Windows To Go: feature overview](#windows-to-go-feature-overview)
+  - [<a href="" id="bkmk-wtgdif"></a>Differences between Windows To Go and a typical installation of Windows](#differences-between-windows-to-go-and-a-typical-installation-of-windows)
+  - [<a href="" id="bkmk-wtgroam"></a>Roaming with Windows To Go](#roaming-with-windows-to-go)
+  - [<a href="" id="wtg-prep-intro"></a>Prepare for Windows To Go](#prepare-for-windows-to-go)
+  - [<a href="" id="wtg-hardware"></a>Hardware considerations for Windows To Go](#hardware-considerations-for-windows-to-go)
+  - [Additional resources](#additional-resources)
+  - [Related topics](#related-topics)
 
 > [!NOTE]
 > Windows To Go is not supported on Windows RT.
@@ -35,12 +41,12 @@ PCs that meet the Windows 7 or later [certification requirements](/previous-vers
 
 Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are:
 
-- **Internal disks are offline.** To ensure data isn’t accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer.
+- **Internal disks are offline.** To ensure data isn't accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer.
 - **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers.
 - **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings.
 - **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows.
-- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer’s standard for the computer doesn’t apply when running a Windows To Go workspace, so the feature was disabled.
-- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows.
+- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer's standard for the computer doesn't apply when running a Windows To Go workspace, so the feature was disabled.
+- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows.
 
 ## <a href="" id="bkmk-wtgroam"></a>Roaming with Windows To Go
 
@@ -50,7 +56,7 @@ The applications that you want to use from the Windows To Go workspace should be
 
 ## <a href="" id="wtg-prep-intro"></a>Prepare for Windows To Go
 
-Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Endpoint Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
+Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
 
 These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
 
@@ -117,7 +123,7 @@ As of the date of publication, the following are the USB drives currently certif
 
 -   Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722))
 
-    We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go.  For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)
+    We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go.  For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)
 
 **For host computers**
 
@@ -164,4 +170,4 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your Wi
 [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)<br>
 [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)<br>
 [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)<br>
-[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
+[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
\ No newline at end of file
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 59ec7c3e89..3fc8a55190 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -2,13 +2,14 @@
 title: Windows 10 Pro in S mode
 description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
 ms.localizationpriority: high
-ms.prod: w10
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
+ms.prod: windows-client
+manager: aaroncz
+author: frankroj
+ms.author: frankroj
 ms.topic: article
 ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Windows 10 in S mode - What is it?
@@ -19,24 +20,23 @@ S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update
 
 ## S mode key features
 
-**Microsoft-verified security**
+### Microsoft-verified security
 
-With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
+With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
 
-**Performance that lasts**
+### Performance that lasts
 
-Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go.
+Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go.
 
-**Choice and flexibility**
+### Choice and flexibility
 
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
+Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
 
 ![Switching out of S mode flow chart.](images/s-mode-flow-chart.png)
 
-
 ## Deployment
 
-Windows 10 in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](/mem/autopilot/windows-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+Windows 10 in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
 
 ## Keep line of business apps functioning with Desktop Bridge
 
@@ -44,12 +44,11 @@ Worried about your line of business apps not working in S mode? [Desktop Bridge]
 
 ## Repackage Win32 apps into the MSIX format
 
-The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode.
-
+The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. The MSIX Packaging Tool is another way to get your apps ready to run on Windows 10 in S mode.
 
 ## Related links
 
 - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
-- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
+- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
 - [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
-- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+- [Microsoft Defender for Endpoint](/microsoft-365/windows/microsoft-defender-atp)
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index 60bc7df800..7d41b154fe 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Updates using forward and reverse differentials
 description: A technique to produce compact software updates optimized for any origin and destination revision pair
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.reviewer:
 manager: dougeby
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Windows Updates using forward and reverse differentials
@@ -67,7 +68,7 @@ numerous advantages:
 
 Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version.
 
-For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
+For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), Microsoft Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints.
 
 The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly.
 
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 3551bd63d5..97cc22efe7 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -2,12 +2,13 @@
 title: Introduction to the Windows Insider Program for Business
 description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join.
 ms.custom: seo-marvel-apr2020
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.reviewer: 
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Introduction to the Windows Insider Program for Business
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index a865459e80..007cd09674 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -7,23 +7,24 @@ author: DocsPreview
 manager: jren
 ms.reviewer: mstewart
 ms.topic: how-to
-ms.prod: w10
+ms.prod: windows-client
 localization_priority: medium
 ms.custom: 
-- Adm_O365
-- 'O365P_ServiceHealthModern'
-- 'O365M_ServiceHealthModern'
-- 'O365E_ViewStatusServices'
-- 'O365E_ServiceHealthModern'
-- 'seo-marvel-apr2020'
-ms.collection:
-- Ent_O365
-- M365-subscription-management
-search.appverid:
-- MET150
-- MOE150
-- BCS160
-- IWA160
+  - Adm_O365
+  - 'O365P_ServiceHealthModern'
+  - 'O365M_ServiceHealthModern'
+  - 'O365E_ViewStatusServices'
+  - 'O365E_ServiceHealthModern'
+  - 'seo-marvel-apr2020'
+ms.collection: 
+  - Ent_O365
+  - M365-subscription-management
+search.appverid: 
+  - MET150
+  - MOE150
+  - BCS160
+  - IWA160
+ms.technology: itpro-updates
 ---
 
 # How to check Windows release health
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 03631234e5..5263372cb3 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -1,13 +1,14 @@
 ---
 title: Create a deployment plan
 description: Devise the number of deployment rings you need and how you want to populate them
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.collection: m365initiative-coredeploy
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Create a deployment plan
@@ -19,7 +20,7 @@ ms.topic: article
 
 A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
 
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
 
 At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
 
@@ -38,7 +39,7 @@ A common ring structure uses three deployment groups:
 
 ## How many rings should I have?
 
-There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
+There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large organization, you might want to consider assigning devices to rings based on geographic location. Or assign based on the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
 
 ## Advancing between rings
 
@@ -59,17 +60,17 @@ The purpose of the Preview ring is to evaluate the new features of the update. I
 
 ### Who goes in the Preview ring?
 
-The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
+The Preview ring users are the most tech savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
 
 During your plan and prepare phases, you should focus on the following activities:
 
 - Work with Windows Insider Preview builds.
 - Identify the features and functionality your organization can or wants to use.
-- Establish who will use the features and how they will benefit.
-- Understand why you are putting out the update.
+- Establish who will use the features and how they'll benefit.
+- Understand why you're putting out the update.
 - Plan for usage feedback.
 
-Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release.
+Remember, you're working with pre-release software in the Preview ring and you'll be evaluating features and testing the update for a targeted release.
 
 > [!IMPORTANT]
 > If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds:
@@ -79,11 +80,11 @@ Remember, you are working with pre-release software in the Preview ring and you
 ## Limited ring
 
 The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback are generated to enable the decision to move forward to broader deployment. Desktop
-Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment.
+Analytics can help with defining a good Limited ring of representative devices and help monitor the deployment.
 
 ### Who goes in the Limited ring?
 
-The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
+The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
 
 
 During your pilot and validate phases, you should focus on the following activities:
@@ -92,7 +93,7 @@ During your pilot and validate phases, you should focus on the following activit
 - Assess and act if issues are encountered.
 - Move forward unless blocked.
 
-When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
+When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly.
 
 ## Broad deployment
 
@@ -100,7 +101,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period,
 
 ### Who goes in the Broad deployment ring?
 
-In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly.
+In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision), a broad deployment can occur relatively quickly.
 
 > [!NOTE]
 > In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices.
@@ -108,19 +109,19 @@ In most businesses, the Broad ring includes the rest of your organization. Becau
 During the broad deployment phase, you should focus on the following activities:
 
 - Deploy to all devices in the organization.
-- Work through any final unusual issues that were not detected in your Limited ring.
+- Work through any final unusual issues that weren't detected in your Limited ring.
 
 
 ## Ring deployment planning
 
-Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
+Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We've combined many of these tasks, and more, into a single interface with Desktop Analytics.
 
 
-[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
+[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Configuration Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
 make informed decisions about the readiness of your Windows devices.
 
-In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest
-feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions.
+In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Configuration Manager can help you assess app compatibility with the latest
+feature update. You can create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions.
 
 > [!IMPORTANT]
 > Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity.
@@ -129,8 +130,8 @@ feature update and create groups that represent the broadest number of hardware
 
 There are two ways to implement a ring deployment plan, depending on how you manage your devices:
 
-- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans).
-- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide).
+- If you're using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans).
+- If you're using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide).
 
 For more about Desktop Analytics, see these articles:
 
diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md
index bc3f4c1e0e..a7aa23afba 100644
--- a/windows/deployment/update/deploy-updates-configmgr.md
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@@ -1,13 +1,14 @@
 ---
 title: Deploy Windows client updates with Configuration Manager
 description: Deploy Windows client updates with Configuration Manager
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.localizationpriority: medium
 ms.author: mstewart
 ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Deploy Windows 10 updates with Configuration Manager
@@ -17,4 +18,4 @@ ms.topic: article
 - Windows 10
 - Windows 11
 
-See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
+See the [Microsoft Configuration Manager documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md
index d63870c7e0..31deefe3f5 100644
--- a/windows/deployment/update/deploy-updates-intune.md
+++ b/windows/deployment/update/deploy-updates-intune.md
@@ -1,13 +1,16 @@
 ---
 title: Deploy updates with Intune
 description: Deploy Windows client updates with Intune
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
+ms.collection: 
+  - highpri
 ---
 
 # Deploy Windows 10 updates with Intune
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index f8d5a8cd98..5ae667d595 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -2,13 +2,14 @@
 title: Windows Update for Business deployment service
 description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates
 ms.custom: seo-marvel-apr2020
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.reviewer:
+ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 
@@ -43,16 +44,16 @@ Windows Update for Business comprises three elements:
 - Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell)
 - Update Compliance to monitor update deployment – available through the Azure Marketplace
 
-Unlike existing client policy, the deployment service does not interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
+Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
 
 :::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
 
 Using the deployment service typically follows a common pattern:
-1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Endpoint Manager.
+1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune.
 2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
 
-The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager.
+The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune.
 
 ## Prerequisites
 
@@ -77,9 +78,9 @@ Additionally, your organization must have one of the following subscriptions:
 
 To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
 
-### Using Microsoft Endpoint Manager
+### Using Microsoft Intune
 
-Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
+Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
 
 ### Scripting common actions using PowerShell
 
@@ -91,7 +92,7 @@ Microsoft Graph makes deployment service APIs available through. Get started wit
 - Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/)
 - Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/)
 
-Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
+Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
 
 ## Deployment protections
 
@@ -106,9 +107,9 @@ The deployment service allows any update to be deployed over a period of days or
 3. Start deploying to earlier waves to build coverage of device attributes present in the population.
 4. Continue deploying at a uniform rate until all waves are complete and all devices are updated.
 
-This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service does not provide a workflow for creating rings themselves.
+This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves.
 
-You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring.
+You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring.
 
 ### Safeguard holds against likely and known issues
 
@@ -138,9 +139,9 @@ To enroll devices in Windows Update for Business cloud processing, set the **All
 | GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` |
 | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` |
 
-Following is an example of setting the policy using Microsoft Endpoint Manager:
+Following is an example of setting the policy using Intune:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Select **Devices** > **Configuration profiles** > **Create profile**.
 
@@ -174,7 +175,7 @@ Follow these suggestions for the best results with the service.
 
 ### General
 
-Avoid using different channels to manage the same resources. If you use Microsoft Endpoint Manager along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.
+Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.
 
 
 ## Next steps
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index 2db7f7d1ca..cf7599e9c8 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -2,13 +2,14 @@
 title: Troubleshoot the Windows Update for Business deployment service
 description: Solutions to common problems with the service
 ms.custom: seo-marvel-apr2020
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.reviewer:
+ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 4ba30f5bc9..29d681f691 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -1,13 +1,14 @@
 ---
 title: Evaluate infrastructure and tools
 description: Steps to make sure your infrastructure is ready to deploy updates
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: m365initiative-coredeploy
+ms.technology: itpro-updates
 ---
 
 # Evaluate infrastructure and tools
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 41810807d7..de573530ce 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -1,7 +1,7 @@
 ---
-title: Best practices - deploy feature updates for user-initiated installations 
+title: Best practices - deploy feature updates for user-initiated installations
 description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -11,6 +11,7 @@ manager: dougeby
 ms.collection: M365-modern-desktop
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Deploy feature updates for user-initiated installations (during a fixed service window)
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 01de0f8c92..3d51115d70 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,7 +1,7 @@
 ---
 title: Make FoD and language packs available for WSUS/Configuration Manager
 description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager.
-ms.prod: w10
+ms.prod: windows-client
 ms.author: aaroncz
 author: aczechowski
 ms.localizationpriority: medium
@@ -10,6 +10,7 @@ ms.reviewer:
 manager: dougeby
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 # How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
 
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index b7b501f2c4..d53be32342 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -1,13 +1,13 @@
 ---
 title: Windows client updates, channels, and tools
 description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-updates
 ---
 
 # Windows client updates, channels, and tools
@@ -44,7 +44,7 @@ We include information here about many different update types you'll hear about,
 
 There are three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process.
 
-The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization.
+The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization.
 
 
 ### General Availability Channel
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 4d9b31486c..492051959d 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,16 +1,16 @@
 ---
-title: How Windows Update works 
+title: How Windows Update works
 description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
-ms.collection:
+ms.collection: 
   - M365-modern-desktop
-  - highpri
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # How Windows Update works
diff --git a/windows/deployment/update/images/update-terminology.png b/windows/deployment/update/images/update-terminology.png
index 803c35d447..81e1b28320 100644
Binary files a/windows/deployment/update/images/update-terminology.png and b/windows/deployment/update/images/update-terminology.png differ
diff --git a/windows/deployment/update/images/wufb-do-overview.png b/windows/deployment/update/images/wufb-do-overview.png
new file mode 100644
index 0000000000..bacdb44d25
Binary files /dev/null and b/windows/deployment/update/images/wufb-do-overview.png differ
diff --git a/windows/deployment/update/includes/update-compliance-admin-center-permissions.md b/windows/deployment/update/includes/update-compliance-admin-center-permissions.md
deleted file mode 100644
index 01f67b2713..0000000000
--- a/windows/deployment/update/includes/update-compliance-admin-center-permissions.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: mestew
-ms.author: mstewart
-manager: dougeby
-ms.prod: w10
-ms.collection: M365-modern-desktop
-ms.topic: include
-ms.date: 08/18/2022
-ms.localizationpriority: medium
----
-<!--This file is shared by updates/update-compliance-v2-enable.md and the update/update-status-admin-center.md articles. Headings may be driven by article context.  -->
-[Enabling Update Compliance](../update-compliance-v2-enable.md) requires access to the [Microsoft admin center software updates (preview) page](../update-status-admin-center.md) as does displaying Update Compliance data in the admin center. The following permissions are needed for access to the [Microsoft 365 admin center](https://admin.microsoft.com):
-
-
-- To enable Update Compliance, edit Update Compliance configuration settings, and view the **Windows** tab in the **Software Updates** page: 
-  - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
-  - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
-- To view the **Windows** tab in the **Software Updates** page:
-  - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
-
-> [!NOTE]
-> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
diff --git a/windows/deployment/update/includes/update-compliance-onboard-admin-center.md b/windows/deployment/update/includes/update-compliance-onboard-admin-center.md
deleted file mode 100644
index 13183b46dd..0000000000
--- a/windows/deployment/update/includes/update-compliance-onboard-admin-center.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-author: mestew
-ms.author: mstewart
-manager: dougeby
-ms.prod: w10
-ms.collection: M365-modern-desktop
-ms.topic: include
-ms.date: 08/18/2022
-ms.localizationpriority: medium
----
-<!--This file is shared by updates/update-compliance-v2-enable.md and the update/update-status-admin-center.md articles. Headings are driven by article context.  -->
-1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in.
-1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu.
-1. In the **Software Updates** page, select the **Windows** tab.
-1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Update Compliance](../update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance:
-
-    - The Azure subscription
-    - The Log Analytics workspace
-1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Update Compliance data**.
-1. After the initial setup is complete, the **Windows** tab will display your Update Compliance data in the charts.
-
-> [!Tip]
-> If you don't see an entry for **Software updates (preview)** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates).
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
new file mode 100644
index 0000000000..3dc65fd476
--- /dev/null
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -0,0 +1,21 @@
+---
+author: mestew
+ms.author: mstewart
+manager: dougeby
+ms.prod: w10
+ms.collection: M365-modern-desktop
+ms.topic: include
+ms.date: 08/18/2022
+ms.localizationpriority: medium
+---
+<!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context.  -->
+
+To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles:
+
+- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
+- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
+- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
+   - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but not the Microsoft 365 admin center
+
+To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role:
+  - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
diff --git a/windows/deployment/update/includes/update-compliance-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
similarity index 88%
rename from windows/deployment/update/includes/update-compliance-endpoints.md
rename to windows/deployment/update/includes/wufb-reports-endpoints.md
index ebb1b35eb2..727f6eec4b 100644
--- a/windows/deployment/update/includes/update-compliance-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -8,13 +8,13 @@ ms.topic: include
 ms.date: 04/06/2022
 ms.localizationpriority: medium
 ---
-<!--This file is shared by updates/update-compliance-v2-prerequisites.md and the update/update-compliance-configuration-manual.md articles. Headings are driven by article context.  -->
+<!--This file is shared by updates/wufb-reports-prerequisites.md and the update/update-compliance-configuration-manual.md articles. Headings are driven by article context.  -->
 
 Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data: 
 
 | **Endpoint**  | **Function**  |
 |---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Update Compliance. |
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Windows Update for Business reports. |
 | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
 | `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
 | `https://adl.windows.com` | Required for Windows Update functionality. |
diff --git a/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
new file mode 100644
index 0000000000..4a9b61242e
--- /dev/null
+++ b/windows/deployment/update/includes/wufb-reports-onboard-admin-center.md
@@ -0,0 +1,23 @@
+---
+author: mestew
+ms.author: mstewart
+manager: dougeby
+ms.prod: w10
+ms.collection: M365-modern-desktop
+ms.topic: include
+ms.date: 08/18/2022
+ms.localizationpriority: medium
+---
+<!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings are driven by article context.  -->
+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in.
+1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu.
+   - If you don't see an entry for **Software updates** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates).
+1. In the **Software Updates** page, select the **Windows** tab.
+1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Windows Update for Business reports](../wufb-reports-overview.md). Verify or supply the following information about the settings for Windows Update for Business reports:
+
+    - The Azure subscription
+    - The Log Analytics workspace
+1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Windows Update for Business reports data**.
+1. After the initial setup is complete, the **Windows** tab will display your Windows Update for Business reports data in the charts.
+   > [!Note]
+   > The device counts in the **Windows** tab may vary from the **Microsoft 365 Apps** tab since their requirements are different.  
diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md
new file mode 100644
index 0000000000..7a8c702ba0
--- /dev/null
+++ b/windows/deployment/update/includes/wufb-reports-recommend.md
@@ -0,0 +1,14 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.prod: w10
+ms.collection: M365-modern-desktop
+ms.topic: include
+ms.date: 11/04/2022
+ms.localizationpriority: medium
+---
+<!--This file is shared by all Update Compliance v1 articles.  -->
+
+> [!Important]
+> If you're using Update Compliance, it's highly recommended that you start transitioning to Windows Update for Business reports. For more information, see [Windows Update for Business reports overview](..\wufb-reports-overview.md).
diff --git a/windows/deployment/update/includes/update-compliance-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
similarity index 90%
rename from windows/deployment/update/includes/update-compliance-script-error-codes.md
rename to windows/deployment/update/includes/wufb-reports-script-error-codes.md
index fa70e9df8b..6d4248cbb0 100644
--- a/windows/deployment/update/includes/update-compliance-script-error-codes.md
+++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
@@ -8,7 +8,7 @@ ms.topic: include
 ms.date: 08/18/2022
 ms.localizationpriority: medium
 ---
-<!--This file is shared by updates/update-compliance-v2-configuration-script.md and the update/update-compliance-configuration-script.md articles. Headings are driven by article context.  -->
+<!--This file is shared by updates/wufb-reports-configuration-script.md and the update/update-compliance-configuration-script.md articles. Headings are driven by article context.  -->
 |Error  |Description  |
 |---------|---------|
 | 1    | General unexpected error|
@@ -58,5 +58,5 @@ ms.localizationpriority: medium
 | 97 | Failed to update value for EnableAllowCommercialDataPipeline |
 | 98 | Unexpected exception in EnableAllowCommercialDataPipeline |
 | 99    | Device isn't Windows 10.|
-| 100 | Device must be AADJ or hybrid AADJ to use Update Compliance |
+| 100 | Device must be AADJ or hybrid AADJ to use Windows Update for Business reports or Update Compliance |
 | 101 | Check AADJ failed with unexpected exception |
\ No newline at end of file
diff --git a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
similarity index 83%
rename from windows/deployment/update/includes/update-compliance-verify-device-configuration.md
rename to windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
index d3fdaa9c05..1b22ab60cd 100644
--- a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md
+++ b/windows/deployment/update/includes/wufb-reports-verify-device-configuration.md
@@ -8,7 +8,7 @@ ms.topic: include
 ms.date: 08/10/2022
 ms.localizationpriority: medium
 ---
-<!--This file is shared by updates/update-compliance-v2-help.md and the update/update-compliance-v2-configuration-script.md articles. Headings are driven by article context.  -->
+<!--This file is shared by updates/wufb-reports-help.md and the update/wufb-reports-configuration-script.md articles. Headings are driven by article context.  -->
 
 In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps:
 
@@ -35,9 +35,9 @@ In some cases, you may need to manually verify the device configuration has the
    1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
    1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**.
 1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items:
-   - The **EnrolledTenantID** field under **m365a** should equal the `CommercialID` of your Log Analytics workspace for Update Compliance. `CommercialID` is no longer required for the [preview version of Updates Compliance](../update-compliance-v2-overview.md), but the value may still be listed in this field.
+   - The **EnrolledTenantID** field under **m365a** should equal the `CommercialID` of your Log Analytics workspace for Update Compliance. `CommercialID` is no longer required for [Windows Update for Business reports](../wufb-reports-overview.md), but the value may still be listed in this field.
    - The **MSP** field value under **protocol** should be either `16` or `18`.
    - If you need to send this data to Microsoft Support, select **Export data**.  
 
-   :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="../media/update-compliance-diagnostic-data-viewer.png" lightbox="../media/update-compliance-diagnostic-data-viewer.png"::: 
+   :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="../media/wufb-reports-diagnostic-data-viewer.png" lightbox="../media/wufb-reports-diagnostic-data-viewer.png"::: 
 
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index effea4ec16..352013a1ea 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -1,12 +1,13 @@
 ---
 title: Update Windows client in enterprise deployments
 description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows client.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 manager: dougeby
 ms.localizationpriority: high
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Update Windows client in enterprise deployments
@@ -19,14 +20,14 @@ ms.topic: article
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
-Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. 
+Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly. It spreads out the required effort into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. 
 
 
  
 
 ## In this section
 
-| Topic | Description|
+| Article | Description|
 | --- | --- |
 | [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. |
 | [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
@@ -36,10 +37,10 @@ Windows as a service provides a new way to think about building, deploying, and
 | [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution.  |
 | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.  |
 | [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. |
-| [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates.  |
+| [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates.  |
 | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
-| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
+| [Manage more Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
 | [Windows Insider Program for Business](/windows-insider/business/register) | Explains how the Windows Insider Program for Business works and how to become an insider. |
 
 >[!TIP]
->For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows.
+>For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows.
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 936f68a628..7470c798bc 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -1,15 +1,15 @@
 ---
 title: Update Windows installation media with Dynamic Update
 description: Learn how to deploy feature updates to your mission critical devices
-ms.prod: w10
+ms.prod: windows-client
 author: SteveDiAcetis
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
-ms.collection:
+ms.collection: 
   - M365-modern-desktop
-  - highpri
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Update Windows installation media with Dynamic Update
diff --git a/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png b/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png
deleted file mode 100644
index bf5f0272ac..0000000000
Binary files a/windows/deployment/update/media/33771278-update-compliance-workbook-summary.png and /dev/null differ
diff --git a/windows/deployment/update/media/33771278-update-deployment-status-table.png b/windows/deployment/update/media/33771278-update-deployment-status-table.png
index dd070d8e21..858e340f73 100644
Binary files a/windows/deployment/update/media/33771278-update-deployment-status-table.png and b/windows/deployment/update/media/33771278-update-deployment-status-table.png differ
diff --git a/windows/deployment/update/media/33771278-update-compliance-feedback.png b/windows/deployment/update/media/33771278-wufb-reports-feedback.png
similarity index 100%
rename from windows/deployment/update/media/33771278-update-compliance-feedback.png
rename to windows/deployment/update/media/33771278-wufb-reports-feedback.png
diff --git a/windows/deployment/update/media/33771278-wufb-reports-workbook-summary.png b/windows/deployment/update/media/33771278-wufb-reports-workbook-summary.png
new file mode 100644
index 0000000000..87e3fd1ea4
Binary files /dev/null and b/windows/deployment/update/media/33771278-wufb-reports-workbook-summary.png differ
diff --git a/windows/deployment/update/media/37063317-admin-center-software-updates.png b/windows/deployment/update/media/37063317-admin-center-software-updates.png
index 978ef1b476..f31988b83d 100644
Binary files a/windows/deployment/update/media/37063317-admin-center-software-updates.png and b/windows/deployment/update/media/37063317-admin-center-software-updates.png differ
diff --git a/windows/deployment/update/media/update-compliance-v2-query-table.png b/windows/deployment/update/media/update-compliance-v2-query-table.png
deleted file mode 100644
index f48e6dc074..0000000000
Binary files a/windows/deployment/update/media/update-compliance-v2-query-table.png and /dev/null differ
diff --git a/windows/deployment/update/media/update-compliance-diagnostic-data-viewer.png b/windows/deployment/update/media/wufb-reports-diagnostic-data-viewer.png
similarity index 100%
rename from windows/deployment/update/media/update-compliance-diagnostic-data-viewer.png
rename to windows/deployment/update/media/wufb-reports-diagnostic-data-viewer.png
diff --git a/windows/deployment/update/media/wufb-reports-query-table.png b/windows/deployment/update/media/wufb-reports-query-table.png
new file mode 100644
index 0000000000..3cd58928fa
Binary files /dev/null and b/windows/deployment/update/media/wufb-reports-query-table.png differ
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index b4fd53631f..a200aba260 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -3,10 +3,11 @@ title: Olympia Corp Retirement
 description: Learn about the retirement of Olympia Corp and how to back up your data prior to October 31, 2022.
 ms.author: lizlong
 ms.topic: article
-ms.prod: w10
+ms.prod: windows-client
 author: lizgt2000
 ms.reviewer: 
 manager: aaroncz
+ms.technology: itpro-updates
 ---
 
 # Olympia Corp
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index ad5d745581..6dc355433f 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -1,13 +1,14 @@
 ---
 title: Migrating and acquiring optional Windows content
 description: Keep language resources and Features on Demand during operating system updates
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.collection: M365-modern-desktop
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Migrating and acquiring optional Windows content during updates
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index 3b0180ab07..e0740e7232 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -1,13 +1,14 @@
 ---
 title: Define readiness criteria
 description: Identify important roles and figure out how to classify apps
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: m365initiative-coredeploy
+ms.technology: itpro-updates
 ---
 
 # Define readiness criteria
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index 33c9252297..cacb1535bc 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -1,13 +1,14 @@
 ---
 title: Define update strategy
 description: Two examples of a calendar-based approach to consistent update installation
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
 ms.collection: m365initiative-coredeploy
+ms.technology: itpro-updates
 ---
 
 # Define update strategy with a calendar
@@ -21,13 +22,13 @@ Traditionally, organizations treated the deployment of operating system updates
 
 Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
 
-Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
+We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. So, you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
 
 ## Calendar approaches
-You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates.
+You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they'll stop receiving the monthly security updates.
 
 ### Annual
-Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles:
+Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles:
 
 [ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
 
@@ -35,7 +36,7 @@ This approach provides approximately 12 months of use from each feature update b
 
 This cadence might be most suitable for you if any of these conditions apply:
 
-- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
+- You're just starting your journey with the Windows 10 servicing process. If you're unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
 
 - You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
 
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index ffe6a2795d..d2bbbc7d48 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -2,12 +2,13 @@
 title: Determine application readiness
 manager: dougeby
 description: How to test your apps to know which need attention prior to deploying an update
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: m365initiative-coredeploy
 ms.author: aaroncz
 author: aczechowski
+ms.technology: itpro-updates
 ---
 
 # Determine application readiness
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index 070a39e360..6e5fbbe148 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -1,7 +1,7 @@
 ---
 title: Prepare to deploy Windows
 description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.reviewer:
 manager: dougeby
 ms.topic: article
 ms.collection: m365initiative-coredeploy
+ms.technology: itpro-updates
 ---
 
 # Prepare to deploy Windows
diff --git a/windows/deployment/update/quality-updates.md b/windows/deployment/update/quality-updates.md
index 4bc2d59668..c7c30db293 100644
--- a/windows/deployment/update/quality-updates.md
+++ b/windows/deployment/update/quality-updates.md
@@ -1,13 +1,14 @@
 ---
 title: Monthly quality updates (Windows 10/11)
 description: Learn about Windows monthly quality updates to stay productive and protected.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Monthly quality updates
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index bfae10b8e8..dfe7420469 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -1,12 +1,15 @@
 ---
 title: Safeguard holds
 description: What are safeguard holds, how can you tell if one is in effect, and what to do about it
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
+ms.collection: 
+  - highpri
 ---
 
 # Safeguard holds
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index b217acde9b..b8da300767 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -1,12 +1,13 @@
 ---
 title: Opt out of safeguard holds
 description: Steps to install an update even it if has a safeguard hold applied
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Opt out of safeguard holds
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index fe131c3f60..69b46485fc 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -1,16 +1,17 @@
 ---
 title: Servicing stack updates
 description: In this article, learn how servicing stack updates improve the code that installs the other updates.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: high
 ms.author: aaroncz
 manager: dougeby
-ms.collection:
+ms.collection: 
   - M365-modern-desktop
   - highpri
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Servicing stack updates
@@ -39,7 +40,9 @@ Servicing stack update are released depending on new issues or vulnerabilities.
 
 Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
 
-Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
+Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
+
+Beginning with the February 2021 LCU, Microsoft will publish all future cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
 
 ## Is there any special guidance?
 
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 2c977fd2f0..a943c5f47b 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -1,12 +1,13 @@
 ---
 title: Update Baseline
 description: Use an update baseline to optimize user experience and meet monthly update goals
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Update Baseline
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index bc6e8a327e..14b086ba49 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -3,12 +3,13 @@ title: Manually configuring devices for Update Compliance
 ms.reviewer: 
 manager: aczechowski
 description: Manually configuring devices for Update Compliance
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Manually Configuring Devices for Update Compliance
@@ -18,6 +19,10 @@ ms.topic: article
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
+
 There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows client. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
 
 The requirements are separated into different categories:
@@ -67,7 +72,7 @@ All Group policies that need to be configured for Update Compliance are under **
 To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
 
 <!--Using include for endpoint access requirements-->
-[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)]
+[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-endpoints.md)]
 
 ## Required services
 
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index 31cc1b5b80..c43640a133 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -1,27 +1,31 @@
 ---
-title: Configuring Microsoft Endpoint Manager devices for Update Compliance
+title: Configuring Microsoft Intune devices for Update Compliance
 ms.reviewer: 
 manager: aczechowski
-description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance
-ms.prod: w10
+description: Configuring devices that are enrolled in Intune for Update Compliance
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
-# Configuring Microsoft Endpoint Manager devices for Update Compliance
+# Configuring Microsoft Intune devices for Update Compliance
 
 **Applies to**
 
 - Windows 10
 - Windows 11
 
-This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
+This article is specifically targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Update Compliance, within Microsoft Intune itself. Configuring devices for Update Compliance in Microsoft Intune breaks down to the following steps:
 
 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
-1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
+1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
 
 > [!TIP]
 > If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
@@ -30,26 +34,26 @@ This article is specifically targeted at configuring devices enrolled to [Micros
 
 Take the following steps to create a configuration profile that will set required policies for Update Compliance:
 
-1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create a profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
 1. For **Template name**, select **Custom**, and then press **Create**.
-1. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
-1. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
+1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
+1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
     1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
     1. Add a setting for **Commercial ID** with the following values:
         - **Name**: Commercial ID
         - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
         - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
         - **Data type**: String
-        - **Value**: *Set this to your Commercial ID*
+        - **Value**: *Set this value to your Commercial ID*
     1. Add a setting configuring the **Windows Diagnostic Data level** for devices:
         - **Name**: Allow Telemetry
         - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
         - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
         - **Data type**: Integer
         - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
-    1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
+    1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this setting isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
         - **Name**: Disable Telemetry opt-in interface
         - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
         - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
@@ -81,4 +85,4 @@ Take the following steps to create a configuration profile that will set require
 
 The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
 
-When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.
+When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices that will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index dfc1c5cae2..5895bd3235 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -3,13 +3,14 @@ title: Update Compliance Configuration Script
 ms.reviewer: 
 manager: aczechowski
 description: Downloading and using the Update Compliance Configuration Script
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
 ms.date: 06/16/2022
+ms.technology: itpro-updates
 ---
 
 # Configuring devices through the Update Compliance Configuration Script
@@ -19,6 +20,8 @@ ms.date: 06/16/2022
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 
 The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. 
 
@@ -49,9 +52,9 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
 ## Script errors
 
 <!--Using include for script errors-->
-[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)]
+[!INCLUDE [Update Compliance script error codes](./includes/wufb-reports-script-error-codes.md)]
 
 ## Verify device configuration
 <!--Using include for verifying device configuration-->
-[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)]:
+[!INCLUDE [Endpoints for Update Compliance](./includes/wufb-reports-verify-device-configuration.md)]:
 
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 34024f43cb..d58e554f1e 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -3,13 +3,14 @@ title: Delivery Optimization in Update Compliance
 ms.reviewer: 
 manager: aczechowski
 description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Delivery Optimization in Update Compliance
@@ -19,6 +20,9 @@ ms.custom: seo-marvel-apr2020
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 :::image type="content" alt-text="Screenshot of Delivery Optimization information in Update Compliance." source="images/UC_workspace_DO_status.png" lightbox="images/UC_workspace_DO_status.png":::
 
 The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 17b63d9e79..8fdb433a95 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -3,12 +3,13 @@ title: Update Compliance - Feature Update Status report
 ms.reviewer: 
 manager: aczechowski
 description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Feature Update Status
@@ -18,6 +19,9 @@ ms.custom: seo-marvel-apr2020
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 [ ![The Feature Update Status report.](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
 
 The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). 
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 23d4fb68e8..7adaefb575 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -1,16 +1,17 @@
 ---
 title: Get started with Update Compliance
 manager: aczechowski
-description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance 
-ms.prod: w10
+description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
-ms.collection:
+ms.collection: 
   - M365-analytics
   - highpri
 ms.topic: article
 ms.date: 05/03/2022
+ms.technology: itpro-updates
 ---
 
 # Get started with Update Compliance
@@ -20,13 +21,16 @@ ms.date: 05/03/2022
 - Windows 10
 - Windows 11
 
-This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
+This article introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
 
 1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
 3. [Configure devices](#enroll-devices-in-update-compliance)  to send data to Update Compliance.
 
-After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
+After you add the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
 
 ## Update Compliance prerequisites
 
@@ -35,30 +39,30 @@ After adding the solution to Azure and configuring devices, it can take some tim
 
 Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
 
-- **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions.
-- **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but does not currently provide detailed deployment insights for them.
+- **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, and [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
+- **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
 - **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
-- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
-- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
+- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These endpoints are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
+- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names won't appear in Update Compliance unless you individually opt-in devices by using policy. The steps are outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
 - **Azure AD device join** or **hybrid Azure AD join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022.
 
 ## Add Update Compliance to your Azure subscription
 
-Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. Note that, for the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution.
+Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. For the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution.
 
-To configure this, follow these steps:
-1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to login to your Azure subscription to access this.
+Use the following steps:
+1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign in to your Azure subscription to access this page.
 2. Select **Get it now**.
 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
    - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance.
    - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance.
 4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created.
 
-Once the solution is in place, you can leverage one of the following Azure roles with Update Compliance:
+Once the solution is in place, you can use one of the following Azure roles with Update Compliance:
 
-- To edit and write queries we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role.
+- To edit and write queries, we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role.
 
-- To read and only view data we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role.
+- To read and only view data, we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role.
 
 |Compatible Log Analytics regions |
 | ------------------------------- |
@@ -114,8 +118,8 @@ A `CommercialID` is a globally unique identifier assigned to a specific Log Anal
 Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance:
 
 1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
-2. If you use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md).
-3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues.
+2. If you use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Intune](update-compliance-configuration-mem.md).
+3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they're appropriately configured and troubleshoot any enrollment issues.
 
 After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. 
 
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 0ed598274c..699a32f76f 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -3,13 +3,14 @@ title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance
 ms.reviewer: 
 manager: aczechowski
 description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network.
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Monitor Windows Updates with Update Compliance
@@ -19,6 +20,8 @@ ms.custom: seo-marvel-apr2020
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
 ## Introduction
 
 Update Compliance enables organizations to:
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index 680cfffa35..328e1da5de 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -6,7 +6,8 @@ author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
-ms.prod: w10
+ms.prod: windows-client
+ms.technology: itpro-updates
 ---
 
 # Needs attention!
@@ -16,6 +17,9 @@ ms.prod: w10
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 ![Needs attention section.](images/UC_workspace_needs_attention.png)
 
 The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. 
diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md
index 08423ff755..9c144da544 100644
--- a/windows/deployment/update/update-compliance-privacy.md
+++ b/windows/deployment/update/update-compliance-privacy.md
@@ -3,18 +3,19 @@ title: Privacy in Update Compliance
 ms.reviewer: 
 manager: aczechowski
 description: an overview of the Feature Update Status report
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Privacy in Update Compliance
 
 **Applies to**
 
-- Windows 10
+- Windows 10
 - Windows 11
 
 Update Compliance is fully committed to privacy, centering on these tenets:
@@ -54,6 +55,6 @@ See related topics for additional background information on privacy and treatmen
 - [Windows 10 and the GDPR for IT Decision Makers](/windows/privacy/gdpr-it-guidance)
 - [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
 - [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview)
-- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
+- [Licensing Terms and Documentation](https://www.microsoft.com/licensing/docs/)
 - [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
 - [Trust Center](https://www.microsoft.com/trustcenter)
diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md
index f45cd6f50d..09af30da57 100644
--- a/windows/deployment/update/update-compliance-safeguard-holds.md
+++ b/windows/deployment/update/update-compliance-safeguard-holds.md
@@ -3,12 +3,13 @@ title: Update Compliance - Safeguard Holds report
 ms.reviewer: 
 manager: aczechowski
 description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Safeguard Holds
@@ -18,6 +19,9 @@ ms.custom: seo-marvel-apr2020
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 The Safeguard Holds report provides information about devices in your population that are affected by a [safeguard hold](/windows/deployment/update/safeguard-holds). 
 
 Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *safeguard hold* is generated to delay the device's upgrade and protect the end-user experience. Safeguard holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all safeguard holds on the Windows client release information pages for any given release.
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index 2dc69aadd8..71b6715fcc 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -3,15 +3,19 @@ title: Update Compliance Schema - WaaSDeploymentStatus
 ms.reviewer: 
 manager: aczechowski
 description: WaaSDeploymentStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # WaaSDeploymentStatus
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 
 WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, and one tracking a Windows Quality Update, at the same time.
 
diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
index 30667a459e..645fc9d551 100644
--- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
@@ -3,15 +3,19 @@ title: Update Compliance Schema - WaaSInsiderStatus
 ms.reviewer: 
 manager: aczechowski
 description: WaaSInsiderStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # WaaSInsiderStatus
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 WaaSInsiderStatus records contain device-centric data and acts as the device record for devices on Windows Insider Program builds in Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. Insider devices have fewer fields than [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md).
 
 
diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
index b1cb215ae1..e6a798932f 100644
--- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
@@ -3,15 +3,19 @@ title: Update Compliance Schema - WaaSUpdateStatus
 ms.reviewer: 
 manager: aczechowski
 description: WaaSUpdateStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # WaaSUpdateStatus
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 WaaSUpdateStatus records contain device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention.
 
 |Field |Type |Example |Description |
diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
index c38fe10c37..95e7fa7f84 100644
--- a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
+++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
@@ -3,15 +3,20 @@ title: Update Compliance Schema - WUDOAggregatedStatus
 ms.reviewer: 
 manager: aczechowski
 description: WUDOAggregatedStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # WUDOAggregatedStatus
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
+
 WUDOAggregatedStatus records provide information, across all devices, on their bandwidth utilization for a specific content type in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq), over the past 28 days.
 
 These fields are briefly described in this article, to learn more about Delivery Optimization in general, check out the [Delivery Optimization Reference](../do/waas-delivery-optimization-reference.md).
diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md
index 7635fd97e7..5e944ba263 100644
--- a/windows/deployment/update/update-compliance-schema-wudostatus.md
+++ b/windows/deployment/update/update-compliance-schema-wudostatus.md
@@ -3,15 +3,19 @@ title: Update Compliance Schema - WUDOStatus
 ms.reviewer: 
 manager: aczechowski
 description: WUDOStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # WUDOStatus
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 > [!NOTE]
 > Currently all location-based fields are not working properly. This is a known issue.
 
diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md
index 3f5325e847..af79627add 100644
--- a/windows/deployment/update/update-compliance-schema.md
+++ b/windows/deployment/update/update-compliance-schema.md
@@ -3,15 +3,20 @@ title: Update Compliance Data Schema
 ms.reviewer: 
 manager: aczechowski
 description: an overview of Update Compliance data schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Update Compliance Schema
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
+
 When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
 
 The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries).
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index 3fcd47f35f..308992e24d 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -3,12 +3,13 @@ title: Update Compliance - Security Update Status report
 ms.reviewer: 
 manager: aczechowski
 description: Learn how the Security Update Status section provides information about security updates across all devices.
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Security Update Status
@@ -18,6 +19,9 @@ ms.custom: seo-marvel-apr2020
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 ![The Security Update Status report.](images/UC_workspace_SU_status.png)
 
 The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows client version and the deployment progress toward the latest two security updates.  
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 717bfa6599..89d56d1c49 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -3,13 +3,14 @@ title: Using Update Compliance
 ms.reviewer: 
 manager: aczechowski
 description: Learn how to use Update Compliance to monitor your device's Windows updates.
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Use Update Compliance
@@ -19,6 +20,9 @@ ms.custom: seo-marvel-apr2020
 - Windows 10
 - Windows 11
 
+<!--Using include for recommending Windows Update for Business reports for all Update Compliance v1 docs-->
+[!INCLUDE [Recommend Windows Update for Business reports](./includes/wufb-reports-recommend.md)]
+
 In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
 
 
diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md
deleted file mode 100644
index 2125392ab8..0000000000
--- a/windows/deployment/update/update-compliance-v2-enable.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Enable the Update Compliance solution
-ms.reviewer: 
-manager: dougeby
-description: How to enable the Update Compliance through the Azure portal
-ms.prod: w10
-author: mestew
-ms.author: mstewart
-ms.collection: M365-analytics
-ms.topic: article
-ms.date: 06/06/2022
----
-
-# Enable Update Compliance
-<!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
-> [!Important]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are met, you can start to set up Update Compliance. The two main steps for setting up the Update Compliance solution are:
-
-1. [Add Update Compliance](#bkmk_add) to your Azure subscription. This step has the following two phases:
-   1. [Select or create a new Log Analytics workspace](#bkmk_workspace) for use with Update Compliance.
-   1. [Add the Update Compliance solution](#bkmk_solution) to the Log Analytics workspace.
-   1. [Configure Update Compliance](#bkmk_admin-center) from the Microsoft 365 admin center.
-
-1. Configure the clients to send data to Update compliance. You can configure clients in the following three ways:
-    - Use a [script](update-compliance-v2-configuration-script.md)
-    - Use [Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md)
-    - Configure [manually](update-compliance-v2-configuration-manual.md)
-
-> [!IMPORTANT]
-> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.
-## <a name="bkmk_add"></a> Add Update Compliance to your Azure subscription
-
-Before you configure clients to send data, you'll need to add the Update Compliance solution to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll add the Update Compliance solution to the workspace.
-
-### <a name="bkmk_workspace"></a> Select or create a new Log Analytics workspace for Update Compliance
-
-Update Compliance uses an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for storing the client diagnostic data. Identify an existing workspace or create a new one using the following steps:
-
-1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
-   - Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
-1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input.
-1. Select **Log Analytics workspaces**.
-1. If you already have a Log Analytics workspace, determine which Log Analytics workspace you'd like to use for Update Compliance. Ensure the workspace is in a **Compatible Log Analytics region** from the table listed in the [prerequisites](update-compliance-v2-prerequisites.md#log-analytics-regions).
-   - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance.
-1. If you don't have an existing Log Analytics workspace or you don't want to use a current workspace, [create a new workspace](/azure/azure-monitor/logs/quick-create-workspace) in a [compatible region](update-compliance-v2-prerequisites.md#log-analytics-regions).
-
-
-
-### <a name="bkmk_solution"></a> Add the Update Compliance solution to the Log Analytics workspace
-
-Update Compliance is offered as an Azure Marketplace application that's linked to a new or existing Azure Log Analytics workspace within your Azure subscription. Follow the steps below to add the solution, to the workspace:
-
-1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign into your Azure subscription to access this page.
-1. Select **Get it now**.
-1. Select **Continue** to agree to the [terms of use](https://azure.microsoft.com/support/legal/) and the [privacy policy](https://privacy.microsoft.com/en-us/privacystatement) to create the app in Azure.
-1. Sign into the [Azure portal](https://portal.azure.com) to finish creating the Update Compliance solution.
-1. Select the following settings:
-   - **Subscription**: The Azure subscription to use.
-   - **Resource group**: Select or [create a resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal) for the Update Compliance solution.
-   - **Azure Log Analytics Workspace**: The Log Analytics workspace you created or identified for use with Update Compliance.
-1. Select **Review + create** to review your settings.
-1. Select **Create** to add the solution. You'll receive a notification when the Updates Compliance solution has been successfully created.
-
-> [!Note]
-> - You can only map one tenant to one Log Analytics workspace. Mapping one tenant to multiple workspaces isn't supported.
-> - If you change the Log Analytics workspace for Update Compliance, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. You will also need to reconfigure the Update Compliance settings in the Microsoft 365 admin center.
-
-### <a name="bkmk_admin-center"></a> Configure Update Compliance settings through the Microsoft 365 admin center
-
-Finish enabling Updates Compliance by configuring its settings through the Microsoft 365 admin center. Completing the Update Compliance configuration through the admin center removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by the earlier version of Updates Compliance. This step is needed even if you enabled earlier previews of Update Compliance.  
-
-<!--Using include for onboarding Update Compliance through the Microsoft 365 admin center-->
-[!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)]
-
-
-## Next steps
-
-Once you've added Update Compliance to a workspace in your Azure subscription and configured the settings through the Microsoft 365 admin center, you'll need to configure any devices you want to monitor. Enroll devices into Update Compliance using any of the following methods:
-
-- [Configure clients with a script](update-compliance-v2-configuration-script.md)
-- [Configure clients manually](update-compliance-v2-configuration-manual.md)
-- [Configure clients with Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md)
diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md
deleted file mode 100644
index ee51d8c204..0000000000
--- a/windows/deployment/update/update-compliance-v2-overview.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Update Compliance overview
-ms.reviewer: 
-manager: dougeby
-description: Overview of Update Compliance to explain what it's used for and the cloud services it relies on. 
-ms.prod: w10
-author: mestew
-ms.author: mstewart
-ms.collection: M365-analytics
-ms.topic: article
-ms.date: 08/09/2022
----
-
-# Update Compliance overview
-<!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
-> [!Important]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory-joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you:
-
-- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices
-- Report on devices with update compliance issues
-- Analyze and display your data in multiple ways
-
-
-## Preview information for Update Compliance
-
-The new version of Update Compliance is in preview. Some of the benefits of this new version include:
-
-- Integration with [Windows Update for Business deployment service](deployment-service-overview.md) to enable per deployment reporting, monitoring, and troubleshooting.
-- Compatibility with [Feature updates](/mem/intune/protect/windows-10-feature-updates) and [Expedite Windows quality updates](/mem/intune/protect/windows-10-expedite-updates) policies in Intune.
-- A new **Alerts** data type to assist you with identifying devices that encounter issues during the update process. Error code information is provided to help troubleshoot update issues.
-
-Currently, the preview contains the following features:
-
-- [Update Compliance workbook](update-compliance-v2-workbook.md)
-- Update Compliance status [charts in the Microsoft 365 admin](update-status-admin-center.md)
-- Access to the following new [Update Compliance tables](update-compliance-v2-schema.md):
-    - UCClient
-    - UCClientReadinessStatus
-    - UCClientUpdateStatus
-    - UCDeviceAlert
-    - UCServiceUpdateStatus
-    - UCUpdateAlert
-- Client data collection to populate the new Update Compliance tables
-
-Currently, these new tables are available to all Updates Compliance users. They will be displayed along with the original Updates Compliance tables.
-
-:::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png":::
-
-## Limitations
-
-Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.
-
-
-## How Update Compliance works
-
-You'll set up Update Compliance by enrolling into the solution from the Azure portal. Then you'll configure your Azure AD-joined devices to send Windows client diagnostic data to the solution. Update Compliance uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Update Compliance collects system data such as:
-
-- Update deployment progress
-- Delivery Optimization usage data
-- Windows Update for Business configuration data
-
-The Azure Log Analytics ingestion and retention charges aren't incurred on your Azure subscription for Update Compliance data. You also choose an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for your client diagnostic data. The collected diagnostic data populates the Update Compliance tables so you can easily query your data.
-
-## Use your Update Compliance data
-
-Since the data from your clients is stored in a Log Analytics workspace, you can go beyond the standard reports to analyze and display your data in multiple ways. Some of the ways you could display your data include:
-
-- Using the data in [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview) that you create
-- Building [custom Kusto (KQL) queries](/azure/azure-monitor/logs/log-query-overview)
-- Developing your own custom views by integrating the [Log Analytics data](/azure/azure-monitor/visualize/tutorial-logs-dashboards) into other tools such as:
-   - [Operations Management Suite](/azure/azure-monitor/agents/om-agents)
-   - [Power BI](/azure/azure-monitor/logs/log-powerbi)
-   - Other tools for [querying the data](/azure/azure-monitor/logs/log-query-overview)
-
-
-
-## Next steps
-
-- Review the [Update Compliance prerequisites](update-compliance-v2-prerequisites.md)
diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md
deleted file mode 100644
index 31c046a6b0..0000000000
--- a/windows/deployment/update/update-compliance-v2-prerequisites.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: Update Compliance prerequisites
-ms.reviewer: 
-manager: dougeby
-description: Prerequisites for Update Compliance
-ms.prod: w10
-author: mestew
-ms.author: mstewart
-ms.collection: M365-analytics
-ms.topic: article
-ms.date: 06/30/2022
----
-
-# Update Compliance prerequisites
-<!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
-> [!Important]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-## Update Compliance prerequisites
-
-Before you begin the process of adding Update Compliance to your Azure subscription, ensure you meet the prerequisites.
-
-### Azure and Azure Active Directory
-
-- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
-- You must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the Update Compliance solution.
-- Devices must be Azure Active Directory-joined and meet the below OS, diagnostic, and endpoint access requirements.
-- Devices that are Workplace joined only (Azure AD registered) aren't supported with Update Compliance.
-
-### Operating systems and editions
-
-- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
-- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
-
-Update Compliance only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
-
-### Windows client servicing channels
-
-Update Compliance supports Windows client devices on the following channels:
-
-- General Availability Channel
-- Update Compliance *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
-
-### Diagnostic data requirements
-
-At minimum, Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at the following levels:
-
-- *Optional* level (previously *Full*) for Windows 11 devices
-- *Enhanced* level for Windows 10 devices
-
-    > [!Note]
-    > Device names don't appear in Update Compliance unless you individually opt-in devices by using policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:
-    > - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
-    > - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
-
-For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
-
-### Data transmission requirements
-
-<!--Using include for endpoint access requirements-->
-[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)]
-
-> [!NOTE]
-> Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription.
-
-## Microsoft 365 admin center permissions
-<!--Using include Microsoft 365 admin center permissions-->
-[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-admin-center-permissions.md)]
-
-## Log Analytics prerequisites
-
-### Log Analytics permissions
-
-- To edit and write queries, we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role.
-- To read and only view data, we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role.
-
-
-### Log Analytics regions
-
-Update Compliance can use a Log Analytics workspace in the following regions:
-
-|Compatible Log Analytics regions |
-| ------------------------------- |
-|Australia Central |
-|Australia East |
-|Australia Southeast |
-|Brazil South |
-|Canada Central |
-|Central India |
-|Central US |
-|East Asia |
-|East US |
-|East US 2 |
-|Eastus2euap(canary) |
-|France Central |
-|Japan East |
-|Korea Central |
-|North Central US |
-|North Europe |
-|South Africa North |
-|South Central US |
-|Southeast Asia |
-|Switzerland North |
-|Switzerland West |
-|UK West |
-|UK south |
-|West Central US |
-|West Europe |
-|West US |
-|West US 2 |
-
-## Next steps
-
-- [Enable the Update Compliance solution](update-compliance-v2-enable.md) in the Azure portal
diff --git a/windows/deployment/update/update-compliance-v2-schema.md b/windows/deployment/update/update-compliance-v2-schema.md
deleted file mode 100644
index add12d9e62..0000000000
--- a/windows/deployment/update/update-compliance-v2-schema.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Update Compliance (preview) data schema
-ms.reviewer: 
-manager: dougeby
-description: An overview of Update Compliance (preview) data schema
-ms.prod: w10
-author: mestew
-ms.author: mstewart
-ms.collection: M365-analytics
-ms.topic: reference
-ms.date: 06/06/2022
----
-
-# Update Compliance version 2 schema 
-<!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
-> [!Important]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
-
-## Schema
-
-The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries).
-
-> [!NOTE]
-> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
-
-|Table |Category |Description |
-|--|--|--|
-| [**UCClient**](update-compliance-v2-schema-ucclient.md) | Device record | UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the operating system edition, and active hours (quantitative). |
-|[**UCClientReadinessStatus**](update-compliance-v2-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.|
-| [**UCClientUpdateStatus**](update-compliance-v2-schema-ucclientupdatestatus.md) |  Device record |  Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. |
-| [**UCDeviceAlert**](update-compliance-v2-schema-ucdevicealert.md)| Service and device record  |  These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. |
-| [**UCServiceUpdateStatus**](update-compliance-v2-schema-ucserviceupdatestatus.md) | Service record  | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. |
-| [**UCUpdateAlert**](update-compliance-v2-schema-ucupdatealert.md) | Service and device records  |  Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank.  |
diff --git a/windows/deployment/update/update-compliance-v2-use.md b/windows/deployment/update/update-compliance-v2-use.md
deleted file mode 100644
index 9326548d4f..0000000000
--- a/windows/deployment/update/update-compliance-v2-use.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Use the Update Compliance (preview) data
-ms.reviewer: 
-manager: dougeby
-description: How to use the Update Compliance (preview) data.
-ms.prod: w10
-author: mestew
-ms.author: mstewart
-ms.collection: M365-analytics
-ms.topic: article
-ms.date: 06/06/2022
----
-
-# Use Update Compliance (preview)
-<!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10)***
-
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-In this article, you'll learn how to use Update Compliance to monitor Windows updates for your devices. To configure your environment for use with Update Compliance, see [Enable Update Compliance](update-compliance-v2-enable.md).
-
-## Display Update Compliance data
-
-1. Sign into the [Azure portal](https://portal.azure.com). 
-1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input.
-1. Select **Log Analytics workspaces**.
-1. Select the workspace that you use for Updates Compliance.
-1. Select **Logs** under the **General** group in your workspace.
-1. If the **Always show Queries** option is enabled in Log Analytics, close the query window to access the schema.
-1. Under **Schemas and filter**, select **Group by: Solution** and then expand the **Update Compliance** schema. If the **Group by: Category** is selected, the **Update Compliance** schema is listed under the **Other** category.
-1. Use the [Update Compliance schema](update-compliance-v2-schema.md) for [custom Kusto (KQL) queries](/azure/data-explorer/kusto/query/), to build [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview), or to build your own solution to display the Update Compliance data. For example, you might query the data to review information for different types of alerts in the past 7 days and how many times each alert occurred.
-
-```kusto
-UCUpdateAlert
-| summarize count=count() by AlertClassification, AlertSubtype, ErrorCode, Description
-```
-
-:::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png":::
-
-## Update Compliance data latency
-
-Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
-
-The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all of your organization's devices that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be ingested again even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. Device connectivity to the internet and generally how active the device is influences how long it will take before it appears in Update Compliance.
-
-| Data Type | Data upload rate from device | Data Latency |
-|--|--|--|
-| UCClient | Once per day |4 hours |
-| UCClientUpdateStatus|Every update event (Download, install, etc.)|24-36 hours |
-| UCServiceUpdateStatus| Every update event (Download, install, etc.)|24-36 hours |
-| UCUpdateAlert | Every event | 24-36 hours |
-| UCDeviceAlert | Every event | 24-36 hours |
-| UCClientReadinessStatus | After Windows 11 readiness assessment |24-36 hours |
-
-## Using Log Analytics
-
-Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure portal, can deeply enhance your experience and complement Update Compliance.
-
-See below for a few articles related to Log Analytics:
-- Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](/azure/log-analytics/log-analytics-log-searches).
-- Review the documentation on [analyzing data for use in Log Analytics](/azure/log-analytics/log-analytics-dashboards) to develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/).
-- [Gain an overview of alerts for Log Analytics](/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about.
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index 9d860f73b8..fd4fdeacb6 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -2,13 +2,14 @@
 title: Policies for update compliance, activity, and user experience
 ms.reviewer: 
 description: Explanation and recommendations for settings
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: M365-modern-desktop
+ms.technology: itpro-updates
 ---
 
 # Policies for update compliance, activity, and user experience
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 4e01cdd3ec..9ab24e12bd 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -1,7 +1,7 @@
 ---
 title: Configure BranchCache for Windows client updates
 description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,6 +9,7 @@ ms.reviewer:
 manager: dougeby
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Configure BranchCache for Windows client updates
@@ -21,7 +22,7 @@ ms.custom: seo-marvel-apr2020
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
-BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. 
+BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. 
 
 - Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. 
 
@@ -40,7 +41,7 @@ In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization
 
 ## Configure servers for BranchCache
 
-You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Endpoint Configuration Manager. 
+You can use WSUS and Configuration Manager with BranchCache in Distributed Cache mode. BranchCache in Distributed Cache mode is easy to configure for both WSUS and Microsoft Configuration Manager. 
 
 For a step-by-step guide to configuring BranchCache on Windows Server devices, see the [BranchCache Deployment Guide (Windows Server 2012)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj572990(v=ws.11)) or [BranchCache Deployment Guide (Windows Server 2016)](/windows-server/networking/branchcache/deploy/branchcache-deployment-guide).
 
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 52c86e776b..0565315cf2 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -2,14 +2,14 @@
 title: Configure Windows Update for Business
 manager: dougeby
 description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
-ms.prod: w10
-ms.collection:
+ms.prod: windows-client
+ms.collection: 
   - m365initiative-coredeploy
-  - highpri
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Configure Windows Update for Business
@@ -189,7 +189,7 @@ Starting with Windows 10, version 1709, you can set policies to manage preview b
 The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public.
 * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
 * MDM: **Update/ManagePreviewBuilds**
-* Microsoft Endpoint Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
+* Microsoft Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy**
 
 >[!IMPORTANT]
 >This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here:
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index d35f0cfa52..1018e89ac2 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -1,13 +1,14 @@
 ---
 title: Integrate Windows Update for Business
-description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
-ms.prod: w10
+description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.collection: m365initiative-coredeploy
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Integrate Windows Update for Business with management solutions
@@ -20,7 +21,7 @@ ms.topic: article
 
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
-You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.
+You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS) and Microsoft Configuration Manager.
 
 ## Integrate Windows Update for Business with Windows Server Update Services
 
@@ -87,7 +88,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo
 >[!NOTE]
 > Because the admin enabled **Update/AllowMUUpdateService**, placing the content on WSUS was not needed for the particular device, as the device will always receive Microsoft Update content from Microsoft when configured in this manner.
 
-## Integrate Windows Update for Business with Microsoft Endpoint Configuration Manager
+## Integrate Windows Update for Business with Microsoft Configuration Manager
 
 For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (that is, setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
 
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 7c573b20dc..3fbea85a1b 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,13 +1,14 @@
 ---
 title: Deploy Windows client updates using Windows Server Update Services
 description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-updates
 ---
 
 # Deploy Windows client updates using Windows Server Update Services (WSUS)
@@ -21,7 +22,7 @@ ms.collection: highpri
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) 
 
 
-WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides.
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides.
 
 When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. 
 
@@ -336,7 +337,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 | ![done.](images/checklistdone.png) | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
 | ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
 | ![done.](images/checklistdone.png) | [Optimize update delivery for Windows client updates](../do/waas-optimize-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows client updates using Windows Server Update Services (this topic)</br>or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows client updates using Windows Server Update Services (this topic)</br>or [Deploy Windows client updates using Microsoft Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 2c2acee4e5..ce28b14f14 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -2,13 +2,14 @@
 title: Windows Update for Business
 manager: dougeby
 description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri
+ms.technology: itpro-updates
 ---
 
 # What is Windows Update for Business?
@@ -47,7 +48,7 @@ Windows Update for Business enables an IT administrator to receive and manage a
 Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
 
 - **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available.
-- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates.
+- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
 - **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. 
 - **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
 
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index 0e7cf67a8b..f9e1a3a00d 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -1,7 +1,7 @@
 ---
 title: Windows as a service news & resources
 description: The latest news for Windows as a service with resources to help you learn more about them.
-ms.prod: w10
+ms.prod: windows-client
 ms.topic: article
 ms.manager: elizapo
 author: aczechowski
@@ -9,6 +9,7 @@ ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
 ms.localizationpriority: high
+ms.technology: itpro-updates
 ---
 # Windows as a service - More news
 
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index 63c12060d0..f2ed2acdde 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -1,13 +1,14 @@
 ---
 title: Overview of Windows as a service
 description: Windows as a service is a way to build, deploy, and service Windows. Learn how Windows as a service works.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-updates
 ---
 
 # Overview of Windows as a service
@@ -90,7 +91,7 @@ There are three servicing channels. The [Windows Insider Program](#windows-insid
 
 In the General Availability Channel, feature updates are available annually. This servicing model is ideal for pilot deployments and testing of feature updates and for users such as developers who need to work with the latest features. Once the latest release has gone through pilot deployment and testing, you will be able to choose the timing at which it goes into broad deployment.
 
-When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
+When Microsoft officially releases a feature update, we make it available to any device not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the General Availability Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about servicing tools, see [Servicing tools](#servicing-tools).
 
 
 > [!NOTE]
@@ -131,7 +132,7 @@ There are many tools you can use to service Windows as a service. Each option ha
 - **Windows Update (stand-alone)** provides limited control over feature updates, with IT pros manually configuring the device to be in the General Availability Channel. Organizations can target which devices defer updates by selecting the **Defer upgrades** check box in **Start\Settings\Update & Security\Advanced Options** on a Windows client device.
 - **Windows Update for Business** includes control over update deferment and provides centralized management using Group Policy or MDM. Windows Update for Business can be used to defer updates by up to 365 days, depending on the version. These deployment options are available to clients in the General Availability Channel. In addition to being able to use Group Policy to manage Windows Update for Business, either option can be configured without requiring any on-premises infrastructure by using Microsoft Intune.
 - **Windows Server Update Services (WSUS)** provides extensive control over updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. 
-- **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. 
+- **Microsoft Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. 
 
 **Servicing tools comparison**
 
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 80f6a1dbfa..baa37b5307 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -1,13 +1,13 @@
 ---
 title: Quick guide to Windows as a service (Windows 10)
 description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: high
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-updates
 ---
 
 # Quick guide to Windows as a service
@@ -46,7 +46,7 @@ For more information, see [Assign devices to servicing channels for Windows clie
 
 ## Staying up to date
 
-To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
+To stay up to date, deploy feature updates at an appropriate time after their release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
 
 Extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
 
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 46d0719b49..41ea13a0b3 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,16 +1,17 @@
 ---
 title: Manage device restarts after updates (Windows 10)
 description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
-ms.prod: w10
+ms.prod: windows-client
 author: carmenf
 ms.localizationpriority: medium
 ms.author: carmenf
 manager: dougeby
 ms.topic: article
-ms.custom:
-- seo-marvel-apr2020
+ms.custom: 
+  - seo-marvel-apr2020
 ms.collection: highpri
 date: 09/22/2022
+ms.technology: itpro-updates
 ---
 
 # Manage device restarts after updates
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 9fcb3d398e..c5bc2f6f23 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,15 +1,16 @@
 ---
 title: Assign devices to servicing channels for Windows client updates
 description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
 ms.topic: article
-ms.custom:
-- seo-marvel-apr2020
+ms.custom: 
+  - seo-marvel-apr2020
+ms.technology: itpro-updates
 ---
 
 # Assign devices to servicing channels for Windows 10 updates
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index bac3d71a3a..b5be3068c1 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -1,7 +1,7 @@
 ---
-title: Prepare servicing strategy for Windows client updates
-description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. 
-ms.prod: w10
+title: Prepare a servicing strategy for Windows client updates
+description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
@@ -9,9 +9,10 @@ ms.reviewer:
 manager: dougeby
 ms.topic: article
 ms.collection: m365initiative-coredeploy
+ms.technology: itpro-updates
 ---
 
-# Prepare servicing strategy for Windows client updates
+# Prepare a servicing strategy for Windows client updates
 
 
 **Applies to**
@@ -25,10 +26,10 @@ ms.collection: m365initiative-coredeploy
 Here’s an example of what this process might look like:
 
 - **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
-- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. 
+- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. 
 - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
 - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
-- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
 - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). 
 
 
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index cfe3f8800a..35f4f7a60a 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,7 +1,7 @@
 ---
 title: Manage additional Windows Update settings
 description: In this article, learn about additional settings to control the behavior of Windows Update.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: mestew
 ms.author: mstewart
@@ -9,6 +9,7 @@ manager: aaroncz
 ms.topic: article
 ms.collection: highpri
 date: 09/22/2022
+ms.technology: itpro-updates
 ---
 
 # Manage additional Windows Update settings
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index 9c3384d50d..5841a5e312 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -1,13 +1,14 @@
 ---
 title: Configure Windows Update for Business by using CSPs and MDM
 description: Walk-through demonstration of how to configure Windows Update for Business settings using Configuration Service Providers and MDM.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
 ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index e5027dfc14..a3167e3d42 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -1,15 +1,16 @@
 ---
 title: Configure Windows Update for Business via Group Policy
 description: Walk-through demonstration of how to configure Windows Update for Business settings using Group Policy.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.collection:
+ms.collection: 
   - m365initiative-coredeploy
   - highpri
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Walkthrough: Use Group Policy to configure Windows Update for Business
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index ab6cf4079f..f77d24dd02 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -1,15 +1,16 @@
 ---
 title: Windows as a service
-ms.prod: w10 
-ms.topic: landing-page
+ms.prod: windows-client
+ms.topic: article
 ms.manager: dougeby
 author: aczechowski
 ms.author: aaroncz
-description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization. 
+description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
 ms.reviewer: 
 manager: dougeby
 ms.localizationpriority: high
 ms.collection: M365-modern-desktop
+ms.technology: itpro-updates
 ---
 
 # Windows as a service
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index abbfea815f..5c1e95ca70 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -1,7 +1,7 @@
 ---
-title: Windows Update error code list by component 
+title: Windows Update error code list by component
 description: Learn about reference information for Windows Update error codes, including automatic update errors, UI errors, and reporter errors.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 ms.date: 09/18/2018
 ms.topic: article
 ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.technology: itpro-updates
 ---
 
 # Windows Update error codes by component
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 1bb5ed3c64..b6b6d5fe17 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -1,13 +1,14 @@
 ---
-title: Windows Update log files 
+title: Windows Update log files
 description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri
+ms.technology: itpro-updates
 ---
 
 # Windows Update log files
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 1a85b77f1b..223d10783e 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -1,12 +1,13 @@
 ---
-title: Get started with Windows Update 
+title: Get started with Windows Update
 description: An overview of learning resources for Windows Update, including documents on architecture, log files, and common errors.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.date: 09/18/2018
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Get started with Windows Update
diff --git a/windows/deployment/update/windows-update-security.md b/windows/deployment/update/windows-update-security.md
new file mode 100644
index 0000000000..333be3151a
--- /dev/null
+++ b/windows/deployment/update/windows-update-security.md
@@ -0,0 +1,77 @@
+---
+title: Windows Update security
+ms.reviewer: 
+manager: aaroncz
+description: Overview of the security for Windows Update.
+ms.prod: windows-client
+author: mestew
+ms.author: mstewart
+ms.collection: M365-analytics
+ms.topic: article
+ms.date: 10/25/2022
+ms.technology: itpro-updates
+---
+
+# Windows Update security
+
+The Windows Update (WU) system ensures devices are updated securely. Its end-to-end protection prevents manipulation of protocol exchanges and ensures only approved content is installed. Some protected environments may need to update firewall and proxy rules to ensure that Windows updates can be properly accessed. This article provides an overview of the security features of Windows Update.
+
+## Windows Update security overview
+
+The Windows Update system distributes a multitude of content. Some examples of this content include:
+
+- Updates to the Windows operating system
+- Microsoft 365 Apps updates (Office updates)
+- Hardware drivers
+- Antivirus definitions
+- Microsoft Store apps
+
+This system is initiated when a user interacts with the Windows Update settings page or when an application makes a call into the [WU client service API](/windows/win32/api/_wua/). These calls may be made at various times by Microsoft applications and different parts of Windows, such as [Microsoft 365 Apps](/officeupdates/update-history-microsoft365-apps-by-date), [Microsoft Defender](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus), and [Plug and Play (PnP)](/windows-hardware/drivers/kernel/introduction-to-plug-and-play).
+
+When such interactions occur, the Windows Update service running on the device will trigger a series of exchanges over the internet with Microsoft's Windows Update servers. The general workflow is:
+
+1. A Windows device makes multiple connections to Windows Update services using HTTPS (HTTP over TLS, TCP port 443).
+1. Update metadata is exchanged over these connections and results in a list of updates, apps, drivers, and other updates.
+1. The device decides whether and when to download items from the resulting list.
+
+Once the list of downloads has been decided, the actual update binary files are then downloaded. The download is done via the [Delivery Optimization](/windows/deployment/do/waas-delivery-optimization) component over a mix of standard HTTP calls (TCP port 80) and secure peer-to-peer network calls (TCP port 7680). Which method used is based on the device's configuration/group policies.
+
+When downloading updates using Delivery Optimization's peer-to-peer (P2P) networking, the content is integrity validated upon receipt from each peer. If the requested content is unavailable on the P2P network, then the Delivery Optimization component will download it using HTTP.
+
+Regardless of which method is used to download the content, the resulting files are then validated through digital signatures and file hashes before they're installed. The validation confirms that the download is what was intended, is verified as authentic, and hasn't been tampered with.
+
+## Securing metadata connections
+
+When Windows Update scans for updates, it goes through a series of metadata exchanges between the device and Windows Update servers. This exchange is done using HTTPS (HTTP over TLS). These secured connections are certificate-pinned, ensuring that:
+
+- The TLS connection's server certificate is validated (certificate trust, expiry, revocation, SAN entries, etc.)  
+- The certificate's issuer is validated as genuine Microsoft Windows Update
+
+The connection fails if the issuer is unexpected, or not a valid Windows Update intermediate certificate. Certificate pinning ensures that the device is connecting to legitimate Microsoft servers and prevents man-in-the-middle attacks.
+
+Since Windows Update TLS connections are certificate-pinned, it's important that TLS proxies pass these connections without interception. The full list of DNS names that require proxy/firewall exceptions can be found in the [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#device-cannot-access-update-files) article.
+
+Microsoft doesn't provide IP addresses or IP ranges for these exceptions because they may differ over time as changes are made for purposes such as traffic load balancing.
+
+## Expected Windows Update server usage
+
+The Windows Update service's servers are used solely by WU components. There's no expectation that end users will be interacting with these remote endpoints. Therefore, these service endpoints may not resolve as expected in a web browser. A user casually browsing to these endpoints may notice a lack of adherence to the latest web browser expectations such as publicly trusted PKI, certificate transparency logging, or TLS requirements. This behavior is expected and doesn't limit or otherwise impact the safety and security of the Windows Update system.
+
+Users attempting to browse to the service endpoints may see security warnings and even content access failures. Again, this behavior is expected as the service endpoints aren't designed for web browser access or casual user consumption.
+
+## Securing content delivery
+
+The process of downloading update binaries is secured at a layer above the transport. Even though content may be downloaded through standard HTTP (TCP port 80), the content goes through a rigorous security validation process.
+
+Downloads are load balanced through Content Delivery Networks (CDN), so using TLS would break their Microsoft chain-of-custody. Because a TLS connection to a caching CDN terminates at the CDN, not Microsoft, TLS certificates aren't Microsoft specific. This means that the WU client can't prove the trustworthiness of the CDN as Microsoft doesn't control CDN TLS certificates. Additionally, a TLS connection to a CDN doesn't prove content hasn't been manipulated within the CDN's caching network. Therefore, TLS doesn't offer any of the security promises to the end-to-end Windows Update workflow that it otherwise provides.
+
+Regardless of how the content is delivered, once it has been downloaded, it's properly validated. Content is validated for trust, integrity, and intention using various techniques such as digital signature validation and file hash checks. This level of content validation provides even more layers of security than TLS alone.
+
+## Windows Server Update Services (WSUS)
+
+Enterprises using WSUS have a similar workflow. However, the client devices connect to their enterprise's WSUS server instead of over the internet to Microsoft's servers. It's up to the enterprise to decide whether to use HTTP or TLS (HTTPS) connections for the metadata exchange. Microsoft strongly advises using TLS connections and configuring client devices with appropriate TLS certificate pinning configurations for metadata exchange with WSUS. For more information about WSUS TLS certificate-pinning, see:
+
+- [Windows IT Pro Blog: Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547)
+- [Windows IT Pro Blog: Scan changes and certificates add security for Windows devices using WSUS for updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/scan-changes-and-certificates-add-security-for-windows-devices/ba-p/2053668)
+
+When a WSUS server [updates its own update catalog](/windows-server/administration/windows-server-update-services/manage/setting-up-update-synchronizations), it connects to Microsoft's server sync services and scans for updates. The WSUS server synchronization process is similar to the [metadata exchange process](#securing-metadata-connections) for client devices connecting to Windows Update. The WSUS-to-Microsoft connection is over TLS and is verified by Microsoft certificate, similar to the WU client's TLS certificate-pinning.
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 7fbbd8cecc..1d5e88dec2 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -2,13 +2,14 @@
 title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
 description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
 ms.custom: seo-marvel-apr2020
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.author: aaroncz
-ms.reviewer:
+ms.reviewer: 
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 # Enforcing compliance deadlines for updates
 
diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
similarity index 54%
rename from windows/deployment/update/update-status-admin-center.md
rename to windows/deployment/update/wufb-reports-admin-center.md
index 08f6787ea7..aff23a1e5b 100644
--- a/windows/deployment/update/update-status-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -1,24 +1,21 @@
 ---
-title: Microsoft admin center software updates (preview) page
+title: Microsoft 365 admin center software updates page
 manager: dougeby
-description: Microsoft admin center populates Update Compliance data into the software updates page.
-ms.prod: w10
+description: Microsoft admin center populates Windows Update for Business reports data into the software updates page.
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
-ms.collection:
+ms.collection: 
   - M365-analytics
-  - highpri
 ms.topic: article
-ms.date: 06/20/2022
+ms.date: 11/15/2022
+ms.technology: itpro-updates
 ---
 
-# Microsoft admin center software updates (preview) page
+# Microsoft 365 admin center software updates page
 <!--37063317, 30141258, 37063041, ID2616577, ID2582518 -->
-***(Applies to: Windows 11 & Windows 10 using [Update Compliance](update-compliance-v2-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))***
-
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
+***(Applies to: Windows 11 & Windows 10 using [Windows Update for Business reports](wufb-reports-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))***
 
 The **Software updates** page in the [Microsoft 365 admin center](https://admin.microsoft.com) displays a high-level overview of the installation status for Microsoft 365 Apps and Windows updates in your environment. [Quality updates](quality-updates.md) that contain security fixes are typically released on the second Tuesday of each month. Ensuring these updates are installed is important because they help protect you from known vulnerabilities. The **Software updates** page allows you to easily determine the overall update compliance for your devices.
 
@@ -28,26 +25,28 @@ The **Software updates** page has following tabs to assist you in monitoring upd
    - For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
 - **Windows**: Displays compliance charts for cumulative updates and feature updates for Windows clients. This article contains information about the **Windows** tab.
 
-:::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png":::
+  :::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png":::
 
 ## Permissions
-<!--Using include Microsoft 365 admin center permissions-->
-[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-admin-center-permissions.md)]
 
+<!--Using include Microsoft 365 admin center permissions-->
+[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
+
+> [!NOTE]
+> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
 
 ## Limitations
 
-Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
+Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
 
 ## Get started
 
-
-<!--Using include for onboarding Update Compliance through the Microsoft 365 admin center-->
-[!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)]
+<!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
+[!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]
 
 ## The Windows tab
 
-The **Windows** tab in the **Software updates** page in the Microsoft admin center is populated by data from [Update Compliance](update-compliance-v2-overview.md). The tab contains a high-level overview of update compliance for Windows clients in your environment. The tab displays two charts **Windows update status** and **End of service**. The Update Compliance data that populates these charts refreshes every 24 hours. For more information, see [Update Compliance data latency](update-compliance-v2-use.md#update-compliance-data-latency).
+The **Windows** tab in the **Software updates** page in the Microsoft admin center is populated by data from [Windows Update for Business reports](wufb-reports-overview.md). The tab contains a high-level overview of update compliance for Windows clients in your environment. The tab displays two charts **Windows update status** and **End of service**. The Windows Update for Business reports data that populates these charts refreshes every 24 hours. For more information, see [Windows Update for Business reports data latency](wufb-reports-use.md#data-latency).
 
 ### Windows update status chart
 
@@ -69,4 +68,4 @@ The **End of service** chart list the number of devices running an operating sys
 
 ## Next steps
 
-Use [Update Compliance](update-compliance-v2-overview.md) to display additional data about the status of Windows updates.
+Use [Windows Update for Business reports](wufb-reports-overview.md) to display additional data about the status of Windows updates.
diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/wufb-reports-configuration-intune.md
similarity index 55%
rename from windows/deployment/update/update-compliance-v2-configuration-mem.md
rename to windows/deployment/update/wufb-reports-configuration-intune.md
index 2589190da8..dd24c62801 100644
--- a/windows/deployment/update/update-compliance-v2-configuration-mem.md
+++ b/windows/deployment/update/wufb-reports-configuration-intune.md
@@ -1,76 +1,69 @@
 ---
-title: Configuring Microsoft Endpoint Manager devices for Update Compliance (preview)
+title: Configuring Microsoft Intune devices for Windows Update for Business reports
 ms.reviewer: 
-manager: dougeby
-description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance (preview)
-ms.prod: w10
+manager: aaroncz
+description: Configuring devices that are enrolled in Microsoft Intune for Windows Update for Business reports
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
-ms.date: 08/24/2022
+ms.date: 11/15/2022
+ms.technology: itpro-updates
 ---
 
-# Configuring Microsoft Endpoint Manager devices for Update Compliance (preview)
+# Configuring Microsoft Intune devices for Windows Update for Business reports
 <!--37063317, 30141258, 37063041-->
-***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Endpoint Manager](/mem/endpoint-manager-overview))***
-
-> [!Important]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
+***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)***
 
 
-This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
+This article is targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Windows Update for Business reports, within Microsoft Intune itself. Configuring devices for Windows Update for Business reports in Microsoft Intune breaks down to the following steps:
 
 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll. The configuration profile contains settings for all the Mobile Device Management (MDM) policies that must be configured.
-1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md).
+1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Windows Update for Business reports](wufb-reports-use.md).
 
 > [!TIP]
 > If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
 
 ## Create a configuration profile
 
-Create a configuration profile that will set the required policies for Update Compliance. There are two profile types that can be used to create a configuration profile for Update Compliance:
+Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports:
 - The [settings catalog](#settings-catalog)
-- [Template](#custom-oma-uri-based-profile) for a custom OMA URI based profile
+- [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile
 
 ### Settings catalog
 
-1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**.
 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
 1. On the **Configuration settings** page, you'll be adding multiple settings from the **System** category. Using the **Settings picker**, select the **System** category, then add the following settings and values:
-    1. Required settings for Update Compliance: 
+    1. Required settings for Windows Update for Business reports: 
         - **Setting**: Allow Commercial Data Pipeline
         - **Value**: Enabled
         - **Setting**: Allow Telemetry
         - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*)
         - **Setting**: Allow Update Compliance Processing
         - **Value**: Enabled
-    1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
         - **Setting**: Configure Telemetry Opt In Change Notification
-        - **Value**: Disable telemetry change notifications
-        - **Setting**: Configure Telemetry Opt In Settings Ux
-        - **Value**: Disable Telemetry opt-in Settings
-    1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Update Compliance:
+    1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports:
         - **Setting**: Allow device name to be sent in Windows diagnostic data
         - **Value**: Allowed
 
-1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
+1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
 1. Review the settings and then select **Create**.
 
-### Custom OMA URI based profile
+### Custom OMA URI-based profile
 
-1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**.
 1. On the **Configuration profiles** view, select **Create profile**.
 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
 1. For **Template name**, select **Custom**, and then select **Create**.
 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
-1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md).
+1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md).
 
-    1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
+    1. Add a setting to **Allow commercial data pipeline**; this policy is required for Windows Update for Business reports:
         - **Name**: Allow commercial data pipeline
         - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
         - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
@@ -78,23 +71,23 @@ Create a configuration profile that will set the required policies for Update Co
         - **Value**: 1 
     1. Add a setting configuring the **Windows Diagnostic Data level** for devices:
         - **Name**: Allow Telemetry
-        - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
+        - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Windows Update for Business reports.
         - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
         - **Data type**: Integer
         - **Value**: 1 (*1 is the minimum value meaning basic, but it can be safely set to a higher value*).
-    1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
+    1. Add a setting to **Allow Update Compliance processing**; this policy is required for Windows Update for Business reports:
         - **Name**: Allow Update Compliance Processing
         - **Description**: Opts device data into Update Compliance processing. Required to see data.
         - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
         - **Data type**: Integer
         - **Value**: 16
-    1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: 
+    1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports: 
         - **Name**: Disable Telemetry opt-in interface
-        - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
+        - **Description**: Disables the ability for end users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
         - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
         - **Data type**: Integer
         - **Value**: 1
-    1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Update Compliance:
+    1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Windows Update for Business reports:
         - **Name**: Allow device name in Diagnostic Data
         - **Description**: Allows device name in Diagnostic Data.
         - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
@@ -102,15 +95,15 @@ Create a configuration profile that will set the required policies for Update Co
         - **Value**: 1
 
 
-1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
+1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
 1. Review the settings and then select **Create**.
 
 ## Deploy the configuration script
 
-The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
+The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) is a useful tool for properly enrolling devices in Windows Update for Business reports, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
 
-When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices.
+When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a subset of devices that you can access. After following this guidance, you can deploy the configuration script in deployment mode as a Win32 app to all Windows Update for Business reports devices.
 
 ## Next steps
 
-[Use Update Compliance](update-compliance-v2-use.md)
+[Use Windows Update for Business reports](wufb-reports-use.md)
diff --git a/windows/deployment/update/update-compliance-v2-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md
similarity index 56%
rename from windows/deployment/update/update-compliance-v2-configuration-manual.md
rename to windows/deployment/update/wufb-reports-configuration-manual.md
index 07c449792b..c6e2de995b 100644
--- a/windows/deployment/update/update-compliance-v2-configuration-manual.md
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md
@@ -1,41 +1,38 @@
 ---
-title: Manually configuring devices for Update Compliance (preview)
+title: Manually configuring devices for Windows Update for Business reports
 ms.reviewer: 
 manager: dougeby
-description: Manually configuring devices for Update Compliance (preview)
-ms.prod: w10
+description: How to manually configure devices for Windows Update for Business reports
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
-ms.date: 06/06/2022
+ms.date: 11/15/2022
+ms.technology: itpro-updates
 ---
 
-# Manually Configuring Devices for Update Compliance (preview)
+# Manually configuring devices for Windows Update for Business reports
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!Important]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-There are a number of requirements to consider when manually configuring devices for Update Compliance. These requirements can potentially change with newer versions of Windows client. The [Update Compliance configuration script](update-compliance-v2-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
 
 The requirements are separated into different categories:
 
-1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
-2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations, must be able to reach the endpoints.
+1. Ensuring the [**required policies**](#required-policies) for Windows Update for Business reports are correctly configured.
+2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Windows Update for Business reports. For example, devices in both main and satellite offices, which might have different network configurations, must be able to reach the endpoints.
 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It's recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
 
 
 ## Required policies
 
-Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. Thee policies are listed below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+Windows Update for Business reports has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Windows Update for Business reports. Thee policies are listed below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
 
 - **Policy** corresponds to the location and name of the policy.
-- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
-- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
+- **Value** Indicates what value the policy must be set to. Windows Update for Business reports requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
+- **Function** details why the policy is required and what function it serves for Windows Update for Business reports. It will also detail a minimum version the policy is required, if any.
 
 ### Mobile Device Management policies
 
@@ -45,20 +42,20 @@ Each MDM Policy links to its documentation in the configuration service provider
 |--------------------------|-|-|------------------------------------------------------------|
 |**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
 |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
-|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and won't be visible in Update Compliance, showing `#` instead. |
-| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. |
+| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Windows Update for Business report's data processing system and indicates a device's explicit enrollment to the service. |
 | **System/**[AllowCommercialDataPipeline](/windows/client-management/mdm/policy-csp-system#system-allowcommercialdatapipeline) | Integer | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. |
 
 ### Group policies
 
-All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.  
+All Group policies that need to be configured for Windows Update for Business reports are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.  
 
 | Policy | Value | Function |
 |---------------------------|-|-----------------------------------------------------------|
 |**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the **Configure telemetry opt-in setting user interface**. |
 |**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. |
-|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Update Compliance, showing `#` instead. |
-|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
+|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. |
+|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Windows Update for Business report's data processing system and indicates a device's explicit enrollment to the service. |
 | **Allow commercial data pipeline** | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. |
 
 ## Required endpoints
@@ -66,12 +63,12 @@ All Group policies that need to be configured for Update Compliance are under **
 To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
 
 <!--Using include for endpoint access requirements-->
-[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)]
+[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)]
 
 ## Required services
 
-Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It's recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
+Many Windows and Microsoft services are required to ensure that not only the device can function, but Windows Update for Business reports can see device data. It's recommended that you allow all default services from the out-of-box experience to remain running. The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
 
 ## Next steps
 
-[Use Update Compliance](update-compliance-v2-use.md)
+[Use Windows Update for Business reports](wufb-reports-use.md)
diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/wufb-reports-configuration-script.md
similarity index 56%
rename from windows/deployment/update/update-compliance-v2-configuration-script.md
rename to windows/deployment/update/wufb-reports-configuration-script.md
index ce8b8ff96b..8b2c8fc543 100644
--- a/windows/deployment/update/update-compliance-v2-configuration-script.md
+++ b/windows/deployment/update/wufb-reports-configuration-script.md
@@ -1,30 +1,27 @@
 ---
-title: Update Compliance (preview) Configuration Script
+title: Windows Update for Business reports configuration script
 ms.reviewer: 
 manager: dougeby
-description: Downloading and using the Update Compliance (preview) Configuration Script
-ms.prod: w10
+description: Downloading and using the Windows Update for Business reports configuration script
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.collection: M365-analytics
 ms.topic: article
-ms.date: 06/16/2022
+ms.date: 11/15/2022
+ms.technology: itpro-updates
 ---
 
-# Configuring devices through the Update Compliance (preview) Configuration Script
+# Configuring devices through the Windows Update for Business reports configuration script
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!Important]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-v2-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured.
+The Windows Update for Business reports configuration script is the recommended method of configuring devices to send data to Microsoft for use with Windows Update for Business reports. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configure devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured.
 
 ## About the script
 
-The configuration script configures registry keys directly. Be aware that registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md), device data might not appear in Update Compliance correctly. 
+The configuration script configures registry keys directly. Be aware that registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), device data might not appear in Windows Update for Business reports correctly. 
 
 You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
 
@@ -43,7 +40,7 @@ This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You
 Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`):
 
 1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`.
-1. Don't modify the [Commercial ID](update-compliance-get-started.md#get-your-commercialid) values since they're used for the earlier version of Update Compliance. Leave `setCommercialID=false` and the `commercialIDValue=Unknown`.
+1. Don't modify the [Commercial ID](update-compliance-get-started.md#get-your-commercialid) values since they're used for the earlier version of Windows Update for Business reports (Update Compliance). Leave `setCommercialID=false` and the `commercialIDValue=Unknown`.
 1. Run the script.
 1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`.
 1. If there are issues, gather the logs and provide them to Microsoft Support.
@@ -51,14 +48,14 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
 ## Verify device configuration
 
 <!--Using include for verifying device configuration-->
-[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)]
+[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)]
 
 ## Script errors
 
 <!--Using include for script errors-->
-[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)]
+[!INCLUDE [Windows Update for Business reports script error codes](./includes/wufb-reports-script-error-codes.md)]
 
 
 ## Next steps
 
-[Use Update Compliance](update-compliance-v2-use.md)
\ No newline at end of file
+[Use Windows Update for Business reports](wufb-reports-use.md)
\ No newline at end of file
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
new file mode 100644
index 0000000000..0da1af6746
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -0,0 +1,85 @@
+---
+title: Enable Windows Update for Business reports
+ms.reviewer: 
+manager: dougeby
+description: How to enable Windows Update for Business reports through the Azure portal
+ms.prod: windows-client
+author: mestew
+ms.author: mstewart
+ms.collection: M365-analytics
+ms.topic: article
+ms.date: 11/15/2022
+ms.technology: itpro-updates
+---
+
+# Enable Windows Update for Business reports
+<!--37063317, 30141258, 37063041-->
+***(Applies to: Windows 11 & Windows 10)***
+
+After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you can start to set up Windows Update for Business reports. The two main steps for setting up  Windows Update for Business reports are:
+
+1. [Add Windows Update for Business reports](#bkmk_add) to your Azure subscription. This step has the following phases:
+   1. [Select or create a new Log Analytics workspace](#bkmk_workspace) for use with Windows Update for Business reports.
+   1. Enroll into Windows Update for Business reports using one of the following methods:
+      - Enroll through the [Azure Workbook](#bkmk_enroll) (preferred method)
+      - Enroll from the [Microsoft 365 admin center](#bkmk_admin-center).
+
+1. Configure the clients to send data to Windows Update for Business reports. You can configure clients in the following three ways:
+    - Use a [script](wufb-reports-configuration-script.md)
+    - Use [Microsoft Intune](wufb-reports-configuration-intune.md)
+    - Configure [manually](wufb-reports-configuration-manual.md)
+
+> [!IMPORTANT]
+> Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business reports doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.
+
+## <a name="bkmk_add"></a> Add Windows Update for Business reports to your Azure subscription
+
+Before you configure clients to send data, you'll need to add Windows Update for Business reports to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll enroll Windows Update for Business reports to the workspace.
+
+## <a name="bkmk_workspace"></a> Select or create a new Log Analytics workspace for Windows Update for Business reports
+
+Windows Update for Business reports uses an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for storing the client diagnostic data. Identify an existing workspace or create a new one using the following steps:
+
+1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
+   - Although an Azure subscription is required, you won't be charged for ingestion of Windows Update for Business reports data.
+1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input.
+1. Select **Log Analytics workspaces**.
+1. If you already have a Log Analytics workspace, determine which Log Analytics workspace you'd like to use for Windows Update for Business reports. Ensure the workspace is in a **Compatible Log Analytics region** from the table listed in the [prerequisites](wufb-reports-prerequisites.md#log-analytics-regions).
+   - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Windows Update for Business reports.
+1. If you don't have an existing Log Analytics workspace or you don't want to use a current workspace, [create a new workspace](/azure/azure-monitor/logs/quick-create-workspace) in a [compatible region](wufb-reports-prerequisites.md#log-analytics-regions).
+
+> [!Note]
+> - You can only map one tenant to one Log Analytics workspace. Mapping one tenant to multiple workspaces isn't supported.
+> - If you change the Log Analytics workspace for Windows Update for Business reports, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. You will also need to reconfigure the Windows Update for Business reports settings to enroll again.
+
+## <a name="bkmk_enroll"></a> Enroll into Windows Update for Business reports
+
+Enroll into Windows Update for Business reports by configuring its settings through either the Azure Workbook or from the Microsoft 365 admin center. Completing the Windows Update for Business reports configuration removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by Update Compliance, the predecessor of Windows Update for Business reports.
+
+Use one of the following methods to enroll into Windows Update for Business reports:
+
+##### <a name="bkmk_enroll-workbook"></a> Enroll through the Azure Workbook (recommended method)
+
+1. In the [Azure portal](https://portal.azure.com), select **Monitor** > **Workbooks** from the menu bar.
+   - You can also type **Monitor** in the search bar. As you begin typing, the list filters based on your input.
+
+1. When the gallery opens, select the **Windows Update for Business reports** workbook. If needed, you can filter workbooks by name in the gallery.
+1. Select the **Get started** button when prompted by the workbook to open the **Windows Update for Business reports enrollment** flyout.
+1. In the flyout, specify which **Subscription** and **Azure Log Analytics Workspace** you want to use for Windows Update for Business reports.
+   - If you need to create a new Log Analytics workspace, select **Create new workspace** and follow the prompts to [create a new workspace](#bkmk_workspace).
+1. Select **Save settings** to save the settings and enroll into Windows Update for Business reports.
+   > [!Tip]
+   > If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports.
+1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**.
+
+##### <a name="bkmk_admin-center"></a> Enroll through the Microsoft 365 admin center
+<!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
+[!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]
+
+## Next steps
+
+Once you've added Windows Update for Business reports to a workspace in your Azure subscription and configured the settings through the Microsoft 365 admin center, you'll need to configure any devices you want to monitor. Enroll devices into Windows Update for Business reports using any of the following methods:
+
+- [Configure clients with a script](wufb-reports-configuration-script.md)
+- [Configure clients manually](wufb-reports-configuration-manual.md)
+- [Configure clients with Microsoft Intune](wufb-reports-configuration-intune.md)
diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/wufb-reports-help.md
similarity index 59%
rename from windows/deployment/update/update-compliance-v2-help.md
rename to windows/deployment/update/wufb-reports-help.md
index cbdbab10e9..df48a582a8 100644
--- a/windows/deployment/update/update-compliance-v2-help.md
+++ b/windows/deployment/update/wufb-reports-help.md
@@ -1,62 +1,59 @@
 ---
-title: Update Compliance (preview) feedback, support, and troubleshooting
+title: Windows Update for Business reports feedback, support, and troubleshooting
 ms.reviewer: 
 manager: dougeby
-description: Update Compliance (preview) support information.
-ms.prod: w10
+description: Windows Update for Business reports support information.
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
-ms.date: 08/10/2022
+ms.date: 11/15/2022
+ms.technology: itpro-updates
 ---
 
-# Update Compliance (preview) feedback, support, and troubleshooting
+# Windows Update for Business reports feedback, support, and troubleshooting
 
 <!-- MAX6325272, OS33771278 -->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!IMPORTANT]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center).
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
+There are several resources that you can use to find help with Windows Update for Business reports. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Windows Update for Business reports:
 
-There are several resources that you can use to find help with Update Compliance. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Update Compliance:
-
-- Send [product feedback about Update Compliance](#send-product-feedback)
+- Send [product feedback about Windows Update for Business reports](#send-product-feedback)
 - Open a [Microsoft support case](#open-a-microsoft-support-case)
 
 - [Documentation feedback](#documentation-feedback)
-- [Troubleshooting tips](#troubleshooting-tips) for Update Compliance
-- Follow the [Windows IT Pro blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) to learn about upcoming changes to Update Compliance
+- [Troubleshooting tips](#troubleshooting-tips) for Windows Update for Business reports
+- Follow the [Windows IT Pro blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) to learn about upcoming changes to Windows Update for Business reports
 - Use Microsoft Q&A to [ask product questions](/answers/products/)
 
 ## Send product feedback
 
-Use the product feedback option to offer suggestions for new features and functionality, or for suggesting changes to the current Update Compliance features. You can share feedback directly to the Update Compliance product group. To provide product feedback:
+Use the product feedback option to offer suggestions for new features and functionality, or to suggest changes to the current Windows Update for Business reports features. You can share feedback directly to the Windows Update for Business reports product group. To provide product feedback:
 
 1. In the upper right corner of the Azure portal, select the feedback icon.
 1. Select either the smile or the frown to rate your satisfaction with your experience.
 1. In the text box, describe what you did or didn't like. When providing feedback about a problem, be sure to include enough detail in your description so it can be properly identified by the product group.
 1. Choose if you'd like to allow Microsoft to email you about your feedback.
 1. Select **Submit feedback** when you've completed the feedback form.
-:::image type="content" source="media/33771278-update-compliance-feedback.png" alt-text="Screenshot of the Azure portal showing the product feedback option flyout." lightbox="media/33771278-update-compliance-feedback.png":::
+:::image type="content" source="media/33771278-wufb-reports-feedback.png" alt-text="Screenshot of the Azure portal showing the product feedback option flyout." lightbox="media/33771278-wufb-reports-feedback.png":::
 
 ## Open a Microsoft support case
 
-You can open support requests directly from the Azure portal. If  the **Help + Support** page doesn't display, verify you have access to open support requests. For more information about role-based access controls for support requests, see [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). To create a new support request for Update Compliance:
+You can open support requests directly from the Azure portal. If  the **Help + Support** page doesn't display, verify you have access to open support requests. For more information about role-based access controls for support requests, see [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request). To create a new support request for Windows Update for Business reports:
 
 1. Open the **Help + Support** page from the following locations: 
   - In the [Send product feedback](#send-product-feedback) flyout, select the **contact support** link.
   - From the Azure portal, select **New support request** under the **Support + Troubleshooting** heading.
-1. Select **Create a support request** which opens the new support request page. 
-1. On the **Problem description** tab, provide information about the issue. The below items in ***bold italics*** should be used to help ensure an Update Compliance engineer receives your support request: 
+1. Select **Create a support request**, which opens the new support request page. 
+1. On the **Problem description** tab, provide information about the issue. The following items in ***bold italics*** should be used to help ensure a Windows Update for Business reports engineer receives your support request: 
    - **Summary** - Brief description of the issue
    - **Issue type** - ***Technical***
-   - **Subscription** - Select the subscription used for Update Compliance
+   - **Subscription** - Select the subscription used for Windows Update for Business reports
    - **Service** - ***My services***
-   - **Service type** - ***Log Analytics***
-   - **Problem type** - ***Solutions or Insights***
-   - **Problem subtype** - ***Update Compliance***
+   - **Service type** - ***Monitoring and Management***
+   - **Problem type** - ***Windows Update for Business reports***
+
 1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem.
 1. Complete the **Additional details** tab and then create the request on the **Review + create** tab.
 
@@ -82,29 +79,29 @@ Use GitHub Issues to submit the following types of feedback:
 
 If you create an issue for something not related to documentation, Microsoft will close the issue and redirect you to a better feedback channel. For example:
 
-- [Product feedback](#send-product-feedback) for Update Compliance
+- [Product feedback](#send-product-feedback) for Windows Update for Business reports
 - [Product questions (using Microsoft Q&A)](/answers/products/)
-- [Support requests](#open-a-microsoft-support-case) for Update Compliance
+- [Support requests](#open-a-microsoft-support-case) for Windows Update for Business reports
 
 To share feedback about the Microsoft Learn platform, see [Microsoft Learn feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors.
 
 ## Troubleshooting tips
 
-Use the troubleshooting tips below to resolve commonly encountered problems when using Update Compliance:
+Use the following troubleshooting tips to resolve the most common problems when using Windows Update for Business reports:
 
 ### Verify client configuration
 
 <!--Using include for verifying device configuration-->
-[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)]
+[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-verify-device-configuration.md)]
 
 ### Ensuring devices are configured correctly to send data
 
-The first step in troubleshooting Update Compliance is ensuring that devices are configured. Review [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md) for the settings. We recommend using the [Update Compliance configuration script](update-compliance-v2-configuration-script.md) for troubleshooting and configuring devices.
+The first step in troubleshooting Windows Update for Business reports is ensuring that devices are configured. Review [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md) for the settings. We recommend using the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) for troubleshooting and configuring devices.
 
-### Devices have been correctly configured but aren't showing up in Update Compliance
+### Devices have been correctly configured but aren't showing up in Windows Update for Business reports
 
-It takes some time for data to appear in Update Compliance for the first time or if you moved to a new Log Analytics workspace. To learn more about data latencies for Update Compliance, review [Update  Compliance data latency](update-compliance-v2-use.md#update-compliance-data-latency).
+It takes some time for data to appear in Windows Update for Business reports for the first time, or if you moved to a new Log Analytics workspace. To learn more about data latencies for Windows Update for Business reports, review [Windows Update for Business reports data latency](wufb-reports-use.md#data-latency).
 
 ### Devices are appearing, but without a device name
 
-Device Name is  an opt-in via policy starting in Windows 10 version 1803. Review the required policies for enabling device name in the [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md) article.
+Device Name is  an opt-in via policy. Review the required policies for enabling device name in the [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md) article.
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
new file mode 100644
index 0000000000..f4206b0189
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -0,0 +1,82 @@
+---
+title: Windows Update for Business reports overview
+ms.reviewer: 
+manager: dougeby
+description: Overview of Windows Update for Business reports to explain what it's used for and the cloud services it relies on.
+ms.prod: windows-client
+author: mestew
+ms.author: mstewart
+ms.collection: M365-analytics
+ms.topic: article
+ms.date: 11/15/2022
+ms.technology: itpro-updates
+---
+
+# Windows Update for Business reports overview
+<!--37063317, 30141258, 37063041-->
+***(Applies to: Windows 11 & Windows 10)***
+
+Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
+
+- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices
+- Report on devices with update compliance issues
+- Analyze and display your data in multiple ways
+
+
+## Benefits of Windows Update for Business reports
+
+Some of the benefits of Windows Update for Business reports are:
+
+- Integration with [Windows Update for Business deployment service](deployment-service-overview.md) to enable per deployment reporting, monitoring, and troubleshooting.
+- Compatibility with [feature updates](/mem/intune/protect/windows-10-feature-updates) and [Expedite Windows quality updates](/mem/intune/protect/windows-10-expedite-updates) policies in Intune.
+- A new **Alerts** data type to assist you with identifying devices that encounter issues during the update process. Error code information is provided to help troubleshoot update issues.
+
+Currently, Windows Update for Business reports contains the following features:
+
+- [Windows Update for Business reports workbook](wufb-reports-workbook.md)
+- Compliance status [charts in the Microsoft 365 admin](wufb-reports-admin-center.md)
+- Access to the following [Windows Update for Business reports tables](wufb-reports-schema.md):
+    - UCClient
+    - UCClientReadinessStatus
+    - UCClientUpdateStatus
+    - UCDeviceAlert
+    - UCDOAggregatedStatus
+    - UCDOStatus
+    - UCServiceUpdateStatus
+    - UCUpdateAlert
+
+- Client data collection to populate the Windows Update for Business reports tables
+
+:::image type="content" source="media/wufb-reports-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Windows Update for Business reports data in Log Analytics." lightbox="media/wufb-reports-query-table.png":::
+
+## Limitations
+
+Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business reports doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.
+
+
+## How Windows Update for Business reports works
+
+You'll set up Windows Update for Business reports by enrolling into the service from the Azure portal. Then you'll configure your Azure AD-joined devices to send Windows client diagnostic data to the service. Windows Update for Business reports uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Windows Update for Business reports collects system data such as:
+
+- Update deployment progress
+- Delivery Optimization usage data
+- Windows Update for Business configuration data
+
+The Azure Log Analytics ingestion and retention charges aren't incurred on your Azure subscription for Windows Update for Business reports data. You also choose an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for your client diagnostic data. The collected diagnostic data populates the Windows Update for Business reports tables so you can easily query your data.
+
+## Use your Windows Update for Business reports data
+
+Since the data from your clients is stored in a Log Analytics workspace, you can go beyond the standard reports to analyze and display your data in multiple ways. Some of the ways you could display your data include:
+
+- Using the data in [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview) that you create
+- Building [custom Kusto (KQL) queries](/azure/azure-monitor/logs/log-query-overview)
+- Developing your own custom views by integrating the [Log Analytics data](/azure/azure-monitor/visualize/tutorial-logs-dashboards) into other tools such as:
+   - [Operations Management Suite](/azure/azure-monitor/agents/om-agents)
+   - [Power BI](/azure/azure-monitor/logs/log-powerbi)
+   - Other tools for [querying the data](/azure/azure-monitor/logs/log-query-overview)
+
+
+
+## Next steps
+
+- Review the [Windows Update for Business reports prerequisites](wufb-reports-prerequisites.md)
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
new file mode 100644
index 0000000000..d8b3d96e52
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -0,0 +1,110 @@
+---
+title: Windows Update for Business reports prerequisites
+ms.reviewer: 
+manager: dougeby
+description: Prerequisites for Windows Update for Business reports
+ms.prod: windows-client
+author: mestew
+ms.author: mstewart
+ms.collection: M365-analytics
+ms.topic: article
+ms.date: 11/15/2022
+ms.technology: itpro-updates
+---
+
+# Windows Update for Business reports prerequisites
+<!--37063317, 30141258, 37063041-->
+***(Applies to: Windows 11 & Windows 10)***
+
+Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
+
+## Azure and Azure Active Directory
+
+- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
+- Devices must be Azure Active Directory-joined and meet the below OS, diagnostic, and endpoint access requirements.
+  - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+- Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
+- The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
+
+## Permissions
+
+[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
+
+**Log Analytics permissions**:
+
+- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
+- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
+
+## Operating systems and editions
+
+- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
+- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
+
+Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
+
+## Windows client servicing channels
+
+Windows Update for Business reports supports Windows client devices on the following channels:
+
+- General Availability Channel
+- Windows Update for Business reports *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them.
+
+## Diagnostic data requirements
+
+At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). Some queries in Windows Update for Business reports require devices to send diagnostic data at the following levels:
+
+- *Optional* level (previously *Full*) for Windows 11 devices
+- *Enhanced* level for Windows 10 devices
+
+    > [!Note]
+    > Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:
+    > - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
+    > - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
+
+For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
+
+## Data transmission requirements
+
+<!--Using include for endpoint access requirements-->
+[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)]
+
+> [!NOTE]
+> Enrolling into Windows Update for Business reports from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Windows Update for Business reports to your Azure subscription.
+
+## Log Analytics regions
+
+Windows Update for Business reports can use a Log Analytics workspace in the following regions:
+
+|Compatible Log Analytics regions |
+| ------------------------------- |
+|Australia Central |
+|Australia East |
+|Australia Southeast |
+|Brazil South |
+|Canada Central |
+|Central India |
+|Central US |
+|East Asia |
+|East US |
+|East US 2 |
+|Eastus2euap(canary) |
+|France Central |
+|Japan East |
+|Korea Central |
+|North Central US |
+|North Europe |
+|South Africa North |
+|South Central US |
+|Southeast Asia |
+|Switzerland North |
+|Switzerland West |
+|UK West |
+|UK south |
+|West Central US |
+|West Europe |
+|West US |
+|West US 2 |
+
+## Next steps
+
+- [Enable the Windows Update for Business reports solution](wufb-reports-enable.md) in the Azure portal
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
similarity index 95%
rename from windows/deployment/update/update-compliance-v2-schema-ucclient.md
rename to windows/deployment/update/wufb-reports-schema-ucclient.md
index 6756a30807..4b3720677c 100644
--- a/windows/deployment/update/update-compliance-v2-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -1,23 +1,21 @@
 ---
-title: Update Compliance Data Schema - UCClient
+title: Windows Update for Business reports Data Schema - UCClient
 ms.reviewer: 
 manager: dougeby
 description: UCClient schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: reference
 ms.date: 06/06/2022
+ms.technology: itpro-updates
 ---
 
 # UCClient
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
 UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative).
 
 |Field |Type |Example |Description |
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
similarity index 92%
rename from windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md
rename to windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index ae2850180a..d625c2745e 100644
--- a/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -1,23 +1,21 @@
 ---
-title: Update Compliance Data Schema - UCClientReadinessStatus
+title: Windows Update for Business reports Data Schema - UCClientReadinessStatus
 ms.reviewer: 
 manager: dougeby
 description: UCClientReadinessStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: reference
 ms.date: 06/06/2022
+ms.technology: itpro-updates
 ---
 
 # UCClientReadinessStatus
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 10)***
 
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
 UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet.
 
 |Field |Type |Example |Description |
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
similarity index 93%
rename from windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md
rename to windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 3db77ec9fd..534dabde67 100644
--- a/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -1,23 +1,21 @@
 ---
-title: Update Compliance Data Schema - UCClientUpdateStatus
+title: Windows Update for Business reports Data Schema - UCClientUpdateStatus
 ms.reviewer: 
 manager: dougeby
 description: UCClientUpdateStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: reference
 ms.date: 06/06/2022
+ms.technology: itpro-updates
 ---
 
 # UCClientUpdateStatus
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
 Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.
 
 | Field | Type | Example | Description |
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
similarity index 93%
rename from windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md
rename to windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index b908d5f26b..9c737aa85d 100644
--- a/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -1,28 +1,26 @@
 ---
-title: Update Compliance Data Schema - UCDeviceAlert
+title: Windows Update for Business reports Data Schema - UCDeviceAlert
 ms.reviewer: 
 manager: dougeby
 description: UCDeviceAlert schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: reference
 ms.date: 06/06/2022
+ms.technology: itpro-updates
 ---
 
 # UCDeviceAlert
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
 These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered.
 
 |Field |Type |Example |Description |
 |---|---|---|---|
-| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational. |
+| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
 | **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
 | **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting |
 | **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
new file mode 100644
index 0000000000..7fae5b9b00
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -0,0 +1,35 @@
+---
+title: Windows Update for Business reports Data Schema - UCDOAggregatedStatus
+ms.reviewer: 
+manager: naengler
+description: UCDOAggregatedStatus schema
+ms.prod: windows-client
+author: cmknox
+ms.author: carmenf
+ms.collection: M365-analytics
+ms.topic: reference
+ms.date: 11/17/2022
+ms.technology: itpro-updates
+---
+
+# UCDOAggregatedStatus
+<!--37063317, 30141258, 37063041-->
+***(Applies to: Windows 11 & Windows 10)***
+
+UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
+
+|Field |Type |Example |Description |
+|---|---|---|---|
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **BWOptPercent28Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
+| **BytesFromCache** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
+| **BytesFromCDN** |  [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
+| **BytesFromGroupPeers** |  [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
+| **BytesFromIntPeers** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
+| **BytesFromPeers** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. |
+| **ContentType** |  [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. |
+| **DeviceCount** |  [long](/azure/kusto/query/scalar-data-types/long) | `27077` | Number of devices. |
+| **TenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID |
+| **TimeGenerated** |  [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** |  [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
new file mode 100644
index 0000000000..01ad6b186a
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -0,0 +1,55 @@
+---
+title: Windows Update for Business reports Data Schema - UCDOStatus
+ms.reviewer: 
+manager: naengler
+description: UCDOStatus schema
+ms.prod: windows-client
+author: cmknox
+ms.author: carmenf
+ms.collection: M365-analytics
+ms.topic: reference
+ms.date: 11/17/2022
+ms.technology: itpro-updates
+---
+
+# UCDOStatus
+<!--37063317, 30141258, 37063041-->
+***(Applies to: Windows 11 & Windows 10)***
+
+UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use [Delivery Optimization and Microsoft Connected Cache](/windows/deployment/do).
+
+|Field |Type |Example |Description |
+|---|---|---|---|
+| **AzureADDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
+| **AzureADTenantId** |  [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **BWOptPercent28Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
+| **BWOptPercent7Days** |  [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
+| **BytesFromCache** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
+| **BytesFromCDN** |  [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
+| **BytesFromGroupPeers** |  [long](/azure/kusto/query/scalar-data-types/long) | `30830657175` | Total number of bytes that were delivered from Group peers, sharing the same GroupId. |
+| **BytesFromIntPeers** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Internet peers. |
+| **BytesFromPeers** |  [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes delivered via all peers. |
+| **City** |  [string](/azure/kusto/query/scalar-data-types/string) | `Redmond` | Approximate city where device was located while downloading content, based on IP address. |
+| **ContentDownloadMode** |  [int](/azure/kusto/query/scalar-data-types/int) | `1` | Device's Delivery Optimization Download Mode used to download content. |
+| **ContentType** |  [string](/azure/kusto/query/scalar-data-types/string) | `Driver Updates` | One of the supported types of content. |
+| **Country** |  [string](/azure/kusto/query/scalar-data-types/string) | `US` | Approximate country where device was located while downloading content, based on IP address. |
+| **DeviceName** |  [string](/azure/kusto/query/scalar-data-types/string) | `DESKTOP-DO` | User or organization provided device name. If the value appears as '#', configure the device to send device name. |
+| **DOStatusDescription** |  [string](/azure/kusto/query/scalar-data-types/string) | `Downloading` | A short description of Delivery Optimization status, if any. |
+| **DownloadMode** |  [string](/azure/kusto/query/scalar-data-types/string) | `LAN (1)`  | Delivery Optimization Download Mode configured on the device. |
+| **DownloadModeSrc** |  [string](/azure/kusto/query/scalar-data-types/string) | `MDM` | The source of the Download Mode configuration. |
+| **GlobalDeviceId** |  [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft global device identifier. This identifier is used by Microsoft internally.  |
+| **GroupID** |  [string](/azure/kusto/query/scalar-data-types/string) | `3suvw1efol0nmy8y9g8tfhtj1onwpsk9g9swpwnvfra=` | Delivery Optimization Group ID GUID value. |
+| **ISP** |  [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft Corporation` | Internet Service Provider estimation. |
+| **LastCensusSeenTime** |  [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
+| **NoPeersCount** |  [long](/azure/kusto/query/scalar-data-types/long) | `4` | Count of peers device interacted with. |
+| **OSVersion** |  [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10/11 operating system version currently installed on the device, such as 20H1, 21H2. |
+| **PeerEligibleTransfers** |  [long](/azure/kusto/query/scalar-data-types/long) | `5` | Total count of eligible transfers by peers. |
+| **PeeringStatus** |  [string](/azure/kusto/query/scalar-data-types/string) | `On` | Delivery Optimization peering status. |
+| **PeersCannotConnectCount** |  [long](/azure/kusto/query/scalar-data-types/long) | `1` | Count of peers Delivery Optimization couldn't connect to. |
+| **PeersSuccessCount** |  [long](/azure/kusto/query/scalar-data-types/long) | `2` | Count of peers Delivery Optimization successfully connected to. |
+| **PeersUnknownCount** |  [long](/azure/kusto/query/scalar-data-types/long) | `0` | Count of peers with an unknown relation. |
+| **TenantId** |  [string](/azure/kusto/query/scalar-data-types/string) |`6yy5y416-2d35-3yyf-ab5f-aea713e489d2` | Tenant ID |
+| **TimeGenerated** |  [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-11-17T22:11:40.1132971Z` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **TotalTimeForDownload** |  [string](/azure/kusto/query/scalar-data-types/string) | `00:02:11` | Total time to download content. |
+| **TotalTransfers** |  [long](/azure/kusto/query/scalar-data-types/long) | `304` | Total count of data transfers needed to download content. |
+| **Type** |  [string](/azure/kusto/query/scalar-data-types/string) | `UCDOAggregatedStatus` | The entity type. |
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
similarity index 88%
rename from windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md
rename to windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 8ddfb1000d..8f9c85e225 100644
--- a/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -1,24 +1,22 @@
 ---
-title: Update Compliance Data Schema - UCServiceUpdateStatus
+title: Windows Update for Business reports Data Schema - UCServiceUpdateStatus
 ms.reviewer: 
 manager: dougeby
 description: UCServiceUpdateStatus schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: reference
 ms.date: 06/06/2022
+ms.technology: itpro-updates
 ---
 
 # UCServiceUpdateStatus
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
-Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real-time.
+Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
 
 | Field | Type | Example | Description |
 |---|---|---|---|
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
similarity index 94%
rename from windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md
rename to windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index ca7af0d50a..93487fbca2 100644
--- a/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -1,23 +1,21 @@
 ---
-title: Update Compliance Data Schema - UCUpdateAlert
+title: Windows Update for Business reports Data Schema - UCUpdateAlert
 ms.reviewer: 
 manager: dougeby
 description: UCUpdateAlert schema
-ms.prod: w10
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: reference
 ms.date: 06/06/2022
+ms.technology: itpro-updates
 ---
 
 # UCUpdateAlert
 <!--37063317, 30141258, 37063041-->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!Important]
-> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
-
 Alert for both client and service updates. Contains information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert won't necessarily contain client-side statuses.
 
 |Field |Type |Example |Description |
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
new file mode 100644
index 0000000000..27d15d676a
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -0,0 +1,37 @@
+---
+title: Windows Update for Business reports data schema
+ms.reviewer: 
+manager: dougeby
+description: An overview of Windows Update for Business reports data schema
+ms.prod: windows-client
+author: mestew
+ms.author: mstewart
+ms.collection: M365-analytics
+ms.topic: reference
+ms.date: 11/15/2022
+ms.technology: itpro-updates
+---
+
+# Windows Update for Business reports schema 
+<!--37063317, 30141258, 37063041-->
+***(Applies to: Windows 11 & Windows 10)***
+
+When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Windows Update for Business reports and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more.
+
+## Schema
+
+The following table summarizes the different tables that are part of the Windows Update for Business reports solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries).
+
+> [!NOTE]
+> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
+
+|Table |Category |Description |
+|--|--|--|
+| [**UCClient**](wufb-reports-schema-ucclient.md) | Device record | UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the operating system edition, and active hours (quantitative). |
+|[**UCClientReadinessStatus**](wufb-reports-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.|
+| [**UCClientUpdateStatus**](wufb-reports-schema-ucclientupdatestatus.md) |  Device record |  Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. |
+| [**UCDeviceAlert**](wufb-reports-schema-ucdevicealert.md)| Service and device record  |  These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. |
+| [**UCDOAggregatedStatus**](wufb-reports-schema-ucdoaggregatedstatus.md)| Device record  | UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records across the tenant and summarizes bandwidth savings across all devices enrolled using Delivery Optimization and Microsoft Connected Cache. |
+| [**UCDOStatus**](wufb-reports-schema-ucdostatus.md)| Device record | UCDOStatus provides information, for a single device, on its bandwidth utilization across content types in the event they use Delivery Optimization and Microsoft Connected Cache.  |
+| [**UCServiceUpdateStatus**](wufb-reports-schema-ucserviceupdatestatus.md) | Service record  | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. |
+| [**UCUpdateAlert**](wufb-reports-schema-ucupdatealert.md) | Service and device records  |  Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank.  |
diff --git a/windows/deployment/update/wufb-reports-use.md b/windows/deployment/update/wufb-reports-use.md
new file mode 100644
index 0000000000..060f404688
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-use.md
@@ -0,0 +1,63 @@
+---
+title: Use the Windows Update for Business reports data
+ms.reviewer: 
+manager: dougeby
+description: How to use the Windows Update for Business reports data for custom solutions using tools like Azure Monitor Logs.
+ms.prod: windows-client
+author: mestew
+ms.author: mstewart
+ms.collection: M365-analytics
+ms.topic: article
+ms.date: 11/15/2022
+ms.technology: itpro-updates
+---
+
+# Use Windows Update for Business reports
+<!--37063317, 30141258, 37063041-->
+***(Applies to: Windows 11 & Windows 10)***
+
+In this article, you'll learn how to use Windows Update for Business reports to monitor Windows updates for your devices. To configure your environment for use with Windows Update for Business reports, see [Enable Windows Update for Business reports](wufb-reports-enable.md).
+
+## Display Windows Update for Business reports data
+
+1. Sign into the [Azure portal](https://portal.azure.com). 
+1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input.
+1. Select **Log Analytics workspaces**.
+1. Select the workspace that you use for Windows Update for Business reports.
+1. Select **Logs** under the **General** group in your workspace.
+1. If the **Always show Queries** option is enabled in Log Analytics, close the query window to access the schema.
+1. Under **Schemas and filter**, select **Group by: Solution** and then expand the **Log Management** schema. If the **Group by: Category** is selected, the schema is listed under the **Other** category.
+1. Use the [Windows Update for Business reports schema](wufb-reports-schema.md) for [custom Kusto (KQL) queries](/azure/data-explorer/kusto/query/), to build [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview), or to build your own solution to display the Windows Update for Business reports data. For example, you might query the data to review information for different types of alerts in the past 7 days and how many times each alert occurred.
+
+```kusto
+UCUpdateAlert
+| summarize count=count() by AlertClassification, AlertSubtype, ErrorCode, Description
+```
+
+:::image type="content" source="media/wufb-reports-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Windows Update for Business reports data in Log Analytics." lightbox="media/wufb-reports-query-table.png":::
+
+## Data latency
+
+Windows Update for Business reports uses Windows client diagnostic data as its data source. After you add Windows Update for Business reports and appropriately configure your devices, it could take 48-72 hours before they first appear.
+
+The data powering Windows Update for Business reports is refreshed every 24 hours, and refreshes with the latest data from all of your organization's devices that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be ingested again even if no new data arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. Device connectivity to the internet and generally how active the device is influences how long it will take before it appears in Windows Update for Business reports.
+
+| Data Type | Data upload rate from device | Data Latency |
+|--|--|--|
+| UCClient | Once per day |4 hours |
+| UCClientUpdateStatus|Every update event (Download, install, etc.)|24-36 hours |
+| UCServiceUpdateStatus| Every update event (Download, install, etc.)|24-36 hours |
+| UCUpdateAlert | Every event | 24-36 hours |
+| UCDeviceAlert | Every event | 24-36 hours |
+| UCClientReadinessStatus | After Windows 11 readiness assessment |24-36 hours |
+| UCDOStatus | Download Events | 24-36 hours |
+| UCDOAggregatedStatus | Download Events | 24-36 hours |
+
+## Working with Azure Monitor Logs
+
+Windows Update for Business reports is built on the Azure Monitor Logs platform. All Windows Update for Business reports-related data is collected in a Log Analytics workspace, where the data is available for querying. Understanding the Azure Monitor Logs tools and features at your disposal, all integrated within Azure portal, can deeply enhance your experience and complement Windows Update for Business reports.
+
+See the following Azure Monitor Logs articles to learn how to:
+- [Query log data effectively in Azure Monitor Logs](/azure/log-analytics/log-analytics-log-searches).
+- [Create and share dashboards of data in a Log Analytics workspace](/azure/log-analytics/log-analytics-dashboards).
+- [Set up alerts in Azure Monitor](/azure/log-analytics/log-analytics-alerts) to always stay informed about the critical issues you care about most.
diff --git a/windows/deployment/update/update-compliance-v2-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
similarity index 72%
rename from windows/deployment/update/update-compliance-v2-workbook.md
rename to windows/deployment/update/wufb-reports-workbook.md
index b033261a63..cdaf2834c6 100644
--- a/windows/deployment/update/update-compliance-v2-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -1,55 +1,54 @@
 ---
-title: Use the workbook for Update Compliance (preview)
+title: Use the workbook for Windows Update for Business reports
 ms.reviewer: 
 manager: dougeby
-description: How to use the Update Compliance (preview) workbook.
-ms.prod: w10
+description: How to use the Windows Update for Business reports workbook.
+ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.collection: M365-analytics
 ms.topic: article
-ms.date: 10/24/2022
+ms.date: 11/15/2022
+ms.technology: itpro-updates
 ---
 
-# Update Compliance (preview) workbook
+# Windows Update for Business reports workbook
 <!-- MAX6325272, OS33771278 -->
 ***(Applies to: Windows 11 & Windows 10)***
 
-> [!IMPORTANT]
-> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). 
-> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available.
 
-[Update Compliance](update-compliance-v2-overview.md) presents information commonly needed by updates administrators in an easy to use format. Update Compliance uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into three tab sections:
+[Windows Update for Business reports](wufb-reports-overview.md) presents information commonly needed by updates administrators in an easy-to-use format. Windows Update for Business reports uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into four tab sections:
 
 - [Summary](#summary-tab)
 - [Quality updates](#quality-updates-tab)
 - [Feature updates](#feature-updates-tab)
+- [Delivery Optimization](#bkmk_do)
 
-:::image type="content" source="media/33771278-update-compliance-workbook-summary.png" alt-text="Screenshot of the summary tab in the Update Compliance workbook with the three tabbed sections outlined in red." lightbox="media/33771278-update-compliance-workbook-summary.png":::
+:::image type="content" source="media/33771278-wufb-reports-workbook-summary.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook with the three tabbed sections outlined in red." lightbox="media/33771278-wufb-reports-workbook-summary.png":::
 
-## Open the Update Compliance workbook
+## Open the Windows Update for Business reports workbook
 
-To access the Update Compliance workbook:
+To access the Windows Update for Business reports workbook:
 
 1. In the [Azure portal](https://portal.azure.com), select **Monitor** > **Workbooks** from the menu bar.
    - You can also type **Monitor** in the search bar. As you begin typing, the list filters based on your input.
 
-1. When the gallery opens, select the **Update Compliance** workbook. If needed, you can filter workbooks by name in the gallery.
-1. When the workbook opens, you may need to specify which **Subscription** and **Workspace** you used when [enabling Update Compliance](update-compliance-v2-enable.md).
+1. When the gallery opens, select the **Windows Update for Business reports** workbook. If needed, you can filter workbooks by name in the gallery.
+1. When the workbook opens, you may need to specify which **Subscription** and **Workspace** you used when [enabling Windows Update for Business reports](wufb-reports-enable.md).
 
 ## Summary tab
 
-The **Summary** tab gives you a brief high-level overview of the devices that you've enrolled into Update Compliance.  The **Summary** tab contains tiles above the **Overall security update status** chart.
+The **Summary** tab gives you a brief high-level overview of the devices that you've enrolled into Windows Update for Business reports.  The **Summary** tab contains tiles above the **Overall security update status** chart.
 
 ### Summary tab tiles
 
 Each of these tiles contains an option to **View details**. When **View details** is selected for a tile, a flyout appears with additional information.
 
-:::image type="content" source="media/33771278-workbook-summary-tab-tiles.png" alt-text="Screenshot of the summary tab tiles in the Update Compliance workbook":::
+:::image type="content" source="media/33771278-workbook-summary-tab-tiles.png" alt-text="Screenshot of the summary tab tiles in the Windows Update for Business reports workbook":::
 
 | Tile name | Description | View details description |
 |---|---|------|
-| **Enrolled devices** | Total number of devices that are enrolled into Update Compliance | Displays multiple charts about the operating systems (OS) for enrolled devices: </br> **OS Version** </br> **OS Edition** </br> **OS Servicing Channel** </br> **OS Architecture**|
+| **Enrolled devices** | Total number of devices that are enrolled into Windows Update for Business reports | Displays multiple charts about the operating systems (OS) for enrolled devices: </br> **OS Version** </br> **OS Edition** </br> **OS Servicing Channel** </br> **OS Architecture**|
 |**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each. </br> </br> Select the count of **Devices** to display a table of the devices. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). </br> </br> Select an **AlertSubtype** to display a list containing: </br> - Each **Error Code** in the alert subtype </br>- A **Description** of the error code </br> - A **Recommendation** to help you remediate the error code </br> - A count of **Devices** with the specific error code |
 |  **Windows 11 eligibility** | Percentage of devices that are capable of running Windows 11 | Displays the following items: </br> - **Windows 11 Readiness Status** chart </br> - **Readiness Reason(s) Breakdown** chart that displays  Windows 11 requirements that aren't met. </br> - A table for **Readiness reason**. Select a reason to display a list of devices that don't meet a specific requirement for Windows 11. |
 
@@ -75,7 +74,7 @@ The **Quality updates** tab displays generalized data at the top by using tiles.
 Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 250 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
 
 
-Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end-users are impacted.
+Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end users are impacted.
 
 ### <a name="bkmk_update-group-quality"></a> Update status group for quality updates
 
@@ -131,7 +130,7 @@ The **Update status** group for feature updates contains the following items:
 |**Alerts**| Number of different error codes encountered by devices for the update. | Selecting this number lists the alert name for each error code and a count of devices with the error. Select the device count to display a list of devices that have an active alert for the error code.  |
 | **Total Devices** | Count of devices for each targeted operating system version that have been offered the update, or are installing, have installed, or canceled the feature update.| Selecting the device count opens a device list table. This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
 
-### <a name="bkmk_device-group-feature"></a>Device status group for feature updates
+### <a name="bkmk_device-group-feature"></a> Device status group for feature updates
 
 The **Device status** group for feature updates contains the following items:
 
@@ -140,12 +139,30 @@ The **Device status** group for feature updates contains the following items:
 - **Device compliance status**: Table containing a list of devices getting a feature update and installation information including active alerts for the devices.
   - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
 
+## <a name="bkmk_do"></a> Delivery Optimization (preview tab)
+
+The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information.
+
+At the top of the report, tiles display the following information:
+
+- Total bandwidth savings percentage
+- The percentage of the saved bandwidth broken down by peer-to-peer and MCC
+- Device counts showing percentages of bytes delivered between peer-to-peer and MCC
+- The breakdown of total downloaded GBs.
+
+The Delivery Optimization tab is further divided into the following groups:
+
+- **Device Configuration**: A chart differentiating the number of devices with and without peer-to-peer. And, a table of Download Mode configuration breakdown between numbers of devices. When selected, the devices within that group can be viewed, filtered in a separate table.
+- **Content Distribution**: Includes charts showing percentage volumes and GB volumes by source by content types. All content types are linked to a table for deeper filtering by **ContentType**, **AzureADTenantId**, and **GroupID**.
+- **Efficiency By Group**: This view provides filters commonly used ways of grouping devices. The provided filters include: **GroupID**, **City**, **Country**, and **ISP**.
+
+:::image type="content" source="images/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="images/wufb-do-overview.png":::
+
 ## Customize the workbook
 
-Since the Update Compliance workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started).
-
+Since the Windows Update for Business reports workbook is an [Azure Workbook template](/azure/azure-monitor/visualize/workbooks-templates), it can be customized to suit your needs. If you open a template, make some adjustments, and save it, the template is saved as a workbook. This workbook appears in green. The original template is left untouched. For more information about workbooks, see [Get started with Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started).
 
 ## Next steps
 
-- Explore the [Update Compliance (preview) schema](update-compliance-v2-schema.md)
-- Review [Feedback, support, and troubleshooting](update-compliance-v2-help.md) information for Update Compliance
+- Explore the [Windows Update for Business reports schema](wufb-reports-schema.md)
+- Review [Feedback, support, and troubleshooting](wufb-reports-help.md) information for Windows Update for Business reports
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index 18627b1a76..2e772ed3ce 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -1,15 +1,15 @@
 ---
 title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
-description:  Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
-ms.prod: w10
+description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
+ms.prod: windows-client
 author: arcarley
 ms.localizationpriority: medium
 ms.author: arcarley
-ms.collection:
+ms.collection: 
   - m365initiative-coredeploy
-  - highpri
 manager: dougeby
 ms.topic: article
+ms.technology: itpro-updates
 ---
 
 # Use Windows Update for Business and WSUS together
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index d835835848..2e9259fece 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -1,65 +1,73 @@
 ---
 title: Log files and resolving upgrade errors
-manager: dougeby
-ms.author: aaroncz
-description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process. 
+manager: aaroncz
+ms.author: frankroj
+description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process.
 ms.custom: seo-marvel-apr2020
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
-# Log files
+# Windows upgrade log files
 
 **Applies to**
--   Windows 10
 
->[!NOTE]
->This is a 400 level topic (advanced).<br>
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+- Windows 10
 
+> [!NOTE]
+> This is a 400-level topic (advanced).<br>
+
+> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
 
 Several log files are created during each phase of the upgrade process. These log files are essential for troubleshooting upgrade problems. By default, the folders that contain these log files are hidden on the upgrade target computer. To view the log files, configure Windows Explorer to view hidden items, or use a tool to automatically gather these logs. The most useful log is **setupact.log**. The log files are located in a different folder depending on the Windows Setup phase. Recall that you can determine the phase from the extend code. 
 
->[!NOTE]
->Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files.
+> [!NOTE]
+> Also see the [Windows Error Reporting](windows-error-reporting.md) section in this document for help locating error codes and log files.
+
+The following table describes some log files and how to use them for troubleshooting purposes: 
+
 
-The following table describes some log files and how to use them for troubleshooting purposes:<br>
 
 |Log file |Phase: Location |Description |When to use|
 |---|---|---|---|
-|setupact.log|Down-Level:<br>$Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.<br> This is the most important log for diagnosing setup issues.|
-|setupact.log|OOBE:<br>$Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations – 0x4001C, 0x4001D, 0x4001E, 0x4001F.|
+|setupact.log|Down-Level:<br>$Windows.~BT\Sources\Panther|Contains information about setup actions during the downlevel phase. |All down-level failures and starting point for rollback investigations.<br> Setup.act is the most important log for diagnosing setup issues.|
+|setupact.log|OOBE:<br>$Windows.~BT\Sources\Panther\UnattendGC|Contains information about actions during the OOBE phase.|Investigating rollbacks that failed during OOBE phase and operations - 0x4001C, 0x4001D, 0x4001E, 0x4001F.|
 |setupact.log|Rollback:<br>$Windows.~BT\Sources\Rollback|Contains information about actions during rollback.|Investigating generic rollbacks - 0xC1900101.|
 |setupact.log|Pre-initialization (prior to downlevel):<br>Windows|Contains information about initializing setup.|If setup fails to launch.|
 |setupact.log|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.|
 |setuperr.log|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.|
 |miglog.xml|Post-upgrade (after OOBE):<br>Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.|
-|BlueBox.log|Down-Level:<br>Windows\Logs\Mosetup|Contains information communication between setup.exe and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.|
+|BlueBox.log|Down-Level:<br>Windows\Logs\Mosetup|Contains information communication between `setup.exe` and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.|
 |Supplemental rollback logs:<br>Setupmem.dmp<br>setupapi.dev.log<br>Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.<br>Setupapi: Device install issues - 0x30018<br>Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.|
 
 ## Log entry structure
 
 A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
 
-1.  **The date and time** - 2016-09-08 09:20:05.
+1. **The date and time** - 2016-09-08 09:20:05
 
-2.  **The log level** - Info, Warning, Error, Fatal Error.
 
-3.  **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS.
+2. **The log level** - Info, Warning, Error, Fatal Error
 
-    The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are particularly useful for troubleshooting Windows Setup errors.
 
-4.  **The message** - Operation completed successfully.
+3. **The logging component** - CONX, MOUPG, PANTHR, SP, IBSLIB, MIG, DISM, CSI, CBS
+
+
+   The logging components SP (setup platform), MIG (migration engine), and CONX (compatibility information) are useful for troubleshooting Windows Setup errors.
+
+
+4. **The message** - Operation completed successfully.
 
 See the following example:
 
 | Date/Time | Log level | Component | Message |
 |------|------------|------------|------------|
-|2016-09-08 09:23:50,|  Warning |         MIG  |   Could not replace object C:\Users\name\Cookies. Target Object cannot be removed.|
-
+|2016-09-08 09:23:50,|  Warning |         MIG  |   Couldn't replace object C:\Users\name\Cookies. Target Object can't be removed.|
 
 ## Analyze log files
 
@@ -67,39 +75,43 @@ The following instructions are meant for IT professionals. Also see the [Upgrade
 
 To analyze Windows Setup log files:
 
-1.  Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
+1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it isn't successful with the upgrade process.
 
-2.  Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
+2. Based on the [extend code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#extend-codes) portion of the error code, determine the type and location of a log file to investigate.
 
-3.  Open the log file in a text editor, such as notepad.
+3. Open the log file in a text editor, such as notepad.
 
-4.  Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
+4. Using the [result code](/troubleshoot/windows-client/deployment/windows-10-upgrade-error-codes?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
 
-5.  To find the last occurrence of the result code:
+5. To find the last occurrence of the result code:
 
-    1.  Scroll to the bottom of the file and click after the last character.
-    2.  Click **Edit**.
-    3.  Click **Find**.
-    4.  Type the result code.
-    5.  Under **Direction** select **Up**.
-    6.  Click **Find Next**.
+    1. Scroll to the bottom of the file and select after the last character.
+    2. Select **Edit**.
+    3. Select **Find**.
+    4. Type the result code.
+    5. Under **Direction** select **Up**.
+    6. Select **Find Next**.
 
-6.  When you have located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed just prior to generating the result code.
+6. When you've located the last occurrence of the result code, scroll up a few lines from this location in the file and review the processes that failed prior to generating the result code.
 
-7.  Search for the following important text strings:
+7. Search for the following important text strings:
 
-    *   **Shell application requested abort**
-    *   **Abandoning apply due to error for object**
+   - `Shell application requested abort`
+   - `Abandoning apply due to error for object`
 
-8.  Decode Win32 errors that appear in this section.
+8. Decode Win32 errors that appear in this section.
 
-9.  Write down the timestamp for the observed errors in this section.
+9. Write down the timestamp for the observed errors in this section.
 
 10. Search other log files for additional information matching these timestamps or errors.
 
 For example, assume that the error code for an error is 0x8007042B - 0x2000D. Searching for "8007042B" reveals the following content from the setuperr.log file:
 
-Some lines in the text below are shortened to enhance readability. The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds, and the certificate file name which is a long text string is shortened to just "CN."
+> [!NOTE]
+> Some lines in the text below are shortened to enhance readability. For example
+> 
+> - The date and time at the start of each line (ex: 2016-10-05 15:27:08) is shortened to minutes and seconds
+> - The certificate file name, which is a long text string, is shortened to just "CN."
 
 **setuperr.log** content:
 
@@ -122,7 +134,7 @@ The first line indicates there was an error **0x00000570** with the file **C:\Pr
 
 The error 0x00000570 is a [Win32 error code](/openspecs/windows_protocols/ms-erref/18d8fbe8-a967-4f1c-ae50-99ca8e491d2d) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable.
 
-Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**.  This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
+Therefore, Windows Setup failed because it wasn't able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**.  This file is a local system certificate and can be safely deleted. Searching the setupact.log file for more details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure:
 
 **setupact.log** content:
 
@@ -242,7 +254,7 @@ This analysis indicates that the Windows upgrade error can be resolved by deleti
 > [!NOTE]
 > In this example, the full, unshortened file name is  C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. 
 
-## Related topics
+## Related articles
 
 [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
 <br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index ad321664f7..cf7359540a 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -1,16 +1,17 @@
 ---
 title: Resolve Windows 10 upgrade errors - Windows IT Pro
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
-# Resolve Windows 10 upgrade errors : Technical information for IT Pros
+# Resolve Windows 10 upgrade errors: Technical information for IT Pros
 
 **Applies to**
 -   Windows 10
@@ -20,7 +21,7 @@ ms.collection: highpri
 
 This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. 
 
-The article has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
+The article has been divided into subtopics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
 
 The following four levels are assigned:
 
@@ -50,7 +51,7 @@ See the following topics in this article:
     - [Other error codes](/troubleshoot/windows-client/deployment/windows-10-upgrade-resolution-procedures?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#other-error-codes): Additional causes and mitigation procedures are provided for some error codes.
 - [Submit Windows 10 upgrade errors](submit-errors.md): \Level 100\ Submit upgrade errors to Microsoft for analysis.
 
-## Related topics
+## Related articles
 
 [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
 <br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 641438bdd0..6db2339eda 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -1,14 +1,16 @@
 ---
 title: SetupDiag
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
 ms.custom: seo-marvel-apr2020
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # SetupDiag
@@ -35,7 +37,7 @@ SetupDiag works by examining Windows Setup log files. It attempts to parse these
 
 With the release of Windows 10, version 2004, SetupDiag is included with [Windows Setup](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files#windows-setup-scenario).
 
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, **setupdiag.exe** is also installed to this directory. If there is an issue with the upgrade, SetupDiag will automatically run to determine the cause of the failure.
+During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, **setupdiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag will automatically run to determine the cause of the failure.
 
 When run by Windows Setup, the following [parameters](#parameters) are used:
 
@@ -44,7 +46,7 @@ When run by Windows Setup, the following [parameters](#parameters) are used:
 - /Output:%windir%\logs\SetupDiag\SetupDiagResults.xml
 - /RegPath:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupDiag\Results
 
-The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**.  Please note that this is not the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the /RegPath parameter is not specified, data is stored in the registry at HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag.
+The resulting SetupDiag analysis can be found at **%WinDir%\Logs\SetupDiag\SetupDiagResults.xml** and in the registry under **HKLM\SYSTEM\Setup\SetupDiag\Results**.  Note that the registry path isn't the same as the default registry path when SetupDiag is run manually. When SetupDiag is run manually, and the /RegPath parameter isn't specified, data is stored in the registry at HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag.
 
 > [!IMPORTANT]
 > When SetupDiag indicates that there were multiple failures, the last failure in the log file is typically the fatal error, not the first one.
@@ -58,8 +60,8 @@ To quickly use SetupDiag on your current computer:
 2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
 3. If your web browser asks what to do with the file, choose **Save**. By default, the file will be saved to your **Downloads** folder. You can also save it to a different location if desired by using **Save As**.
 4. When SetupDiag has finished downloading, open the folder where you downloaded the file. By default, this folder is the **Downloads** folder, which is displayed in File Explorer under **Quick access** in the left navigation pane.
-5. Double-click the **SetupDiag** file to run it. Click **Yes** if you are asked to approve running the program.
-    - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You will need to change directories to the location of SetupDiag to run it this way.
+5. Double-click the **SetupDiag** file to run it. Select **Yes** if you're asked to approve running the program.
+    - Double-clicking the file to run it will automatically close the command window when SetupDiag has completed its analysis. If you wish to keep this window open instead, and review the messages that you see, run the program by typing **SetupDiag** at the command prompt instead of double-clicking it. You'll need to change directories to the location of SetupDiag to run it this way.
 6. A command window will open while SetupDiag diagnoses your computer. Wait for this process to finish.
 7. When SetupDiag finishes, two files will be created in the same folder where you double-clicked SetupDiag. One is a configuration file, the other is a log file.
 8. Use Notepad to open the log file: **SetupDiagResults.log**.
@@ -67,12 +69,12 @@ To quickly use SetupDiag on your current computer:
 
 For instructions on how to run the tool in offline mode and with more advanced options, see the [Parameters](#parameters) and [Examples](#examples) sections below.
 
-The [Release notes](#release-notes) section at the bottom of this topic has information about recent updates to this tool. 
+The [Release notes](#release-notes) section at the bottom of this article has information about recent updates to this tool. 
 
 ## Requirements
 
 1. The destination OS must be Windows 10.
-2. [.NET Framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137) must be installed. If you are not sure what version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). You can also use the following command-line query to display the installed v4 versions:
+2. [.NET Framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137) must be installed. If you aren't sure what version of .NET is currently installed, see [How to: Determine Which .NET Framework Versions Are Installed](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed). You can also use the following command-line query to display the installed v4 versions:
 
     ```
     reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s
@@ -83,19 +85,19 @@ The [Release notes](#release-notes) section at the bottom of this topic has info
 | Parameter | Description |
 | --- | --- |
 | /? | <ul><li>Displays interactive help</ul> |
-| /Output:\<path to results file\> | <ul><li>This optional parameter enables you to specify the output file for results. This file is where you will find what SetupDiag was able to determine.  Only text format output is supported.  UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path.  If the path has a space in it, you must enclose the entire path in double quotes (see the example section below). <li>Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same  directory where SetupDiag.exe is run.</ul> |
+| /Output:\<path to results file\> | <ul><li>This optional parameter enables you to specify the output file for results. This file is where you'll find what SetupDiag was able to determine.  Only text format output is supported.  UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path.  If the path has a space in it, you must enclose the entire path in double quotes (see the example section below). <li>Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same  directory where SetupDiag.exe is run.</ul> |
 | /LogsPath:\<Path to logs\> | <ul><li>This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories.  SetupDiag will recursively search all child directories.</ul> |
 | /ZipLogs:\<True \| False\> | <ul><li>This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed.  The zip file is created in the same directory where SetupDiag.exe is run.<li>Default: If not specified, a value of 'true' is used.</ul> |
-| /Format:\<xml \| json\> | <ul><li>This optional parameter can be used to output log files in xml or JSON format.  If this parameter is not specified, text format is used by default.</ul> |
+| /Format:\<xml \| json\> | <ul><li>This optional parameter can be used to output log files in xml or JSON format.  If this parameter isn't specified, text format is used by default.</ul> |
 | /Scenario:\[Recovery\] | <ul><li>This optional parameter instructs SetupDiag.exe to look for and process reset and recovery logs and ignore setup/upgrade logs.</ul>|
 | /Verbose | <ul><li>This optional parameter will output much more data to a log file.  By default, SetupDiag will only produce a log file entry for serious errors.  Using **/Verbose** will cause SetupDiag to always produce another log file with debugging details. These details can be useful when reporting a problem with SetupDiag.</ul> |
 | /NoTel | <ul><li>This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.</ul> |
 | /AddReg | <ul><li>This optional parameter instructs SetupDiag.exe to add failure information to the registry in offline mode. By default, SetupDiag will add failure information to the registry in online mode only. Registry data is added to the following location on the system where SetupDiag is run: **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.</ul> |
-| /RegPath | <ul><li>This optional parameter instructs SetupDiag.exe to add failure information to the registry using the specified path. If this parameter is not specified the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
+| /RegPath | <ul><li>This optional parameter instructs SetupDiag.exe to add failure information to the registry using the specified path. If this parameter isn't specified the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
 </ul> |
 
 Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. 
-- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0, when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed.
+- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0, when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter isn't needed.
 
 ### Examples:
 
@@ -105,7 +107,7 @@ In the following example, SetupDiag is run with default parameters (online mode,
 SetupDiag.exe
 ```
 
-In the following example, SetupDiag is run in online mode (this mode is the default).  It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified.
+In the following example, SetupDiag is run in online mode (this mode is the default).  It will know where to look for logs on the current (failing) system, so there's no need to gather logs ahead of time. A custom location for results is specified.
 
 ```
 SetupDiag.exe /Output:C:\SetupDiag\Results.log
@@ -149,12 +151,12 @@ If you copy the parent folder and all subfolders, SetupDiag will automatically s
 
 ## Setup bug check analysis
 
-When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It is also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error.
+When Microsoft Windows encounters a condition that compromises safe system operation, the system halts. This condition is called a bug check. It's also commonly referred to as a system crash, a kernel error, a Stop error, or BSOD. Typically a hardware device, hardware driver, or related software causes this error.
 
 If crash dumps [are enabled](/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup-related minidumps.
 
 To debug a setup-related bug check, you must:
-- Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode. 
+- Specify the **/LogsPath** parameter. You can't debug memory dumps in online mode. 
 - Gather the setup memory dump file (setupmem.dmp) from the failing system. 
     - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs.
 - Install the [Windows Debugging Tools](/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag.
@@ -210,34 +212,34 @@ Logs ZipFile created at: c:\setupdiag\Logs_14.zip
 
 ## Rules
 
-When searching log files, SetupDiag uses a set of rules to match known issues. These rules are contained in the rules.xml file which is extracted when SetupDiag is run. The rules.xml file might be updated as new versions of SetupDiag are made available. See the [release notes](#release-notes) section for more information.
+When searching log files, SetupDiag uses a set of rules to match known issues. These rules are contained in the rules.xml file that is extracted when SetupDiag is run. The rules.xml file might be updated as new versions of SetupDiag are made available. For more information, see the [release notes](#release-notes) section.
 
 Each rule name and its associated unique rule identifier are listed with a description of the known upgrade-blocking issue. In the rule descriptions, the term "down-level" refers to the first phase of the upgrade process, which runs under the starting OS.
 
 1. CompatScanOnly - FFDAFD37-DB75-498A-A893-472D49A1311D
-    - This rule indicates that setup.exe was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade.
+    - This rule indicates that `setup.exe` was called with a specific command line parameter that indicated setup was to do a compat scan only, not an upgrade.
 2. BitLockerHardblock - C30152E2-938E-44B8-915B-D1181BA635AE
-    - This is an upgrade block when the target OS does not support BitLocker, yet the host OS has BitLocker enabled.
+    - This is an upgrade block when the target OS doesn't support BitLocker, yet the host OS has BitLocker enabled.
 3. VHDHardblock - D9ED1B82-4ED8-4DFD-8EC0-BE69048978CC
-    - This block happens when the host OS is booted to a VHD image.  Upgrade is not supported when the host OS is booted from a VHD image.
+    - This block happens when the host OS is booted to a VHD image.  Upgrade isn't supported when the host OS is booted from a VHD image.
 4. PortableWorkspaceHardblock - 5B0D3AB4-212A-4CE4-BDB9-37CA404BB280
-    - This indicates that the host OS is booted from a Windows To-Go device (USB key).  Upgrade is not supported in the Windows To-Go environment.
+    - This indicates that the host OS is booted from a Windows To-Go device (USB key).  Upgrade isn't supported in the Windows To-Go environment.
 5. AuditModeHardblock - A03BD71B-487B-4ACA-83A0-735B0F3F1A90
-    - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state.  Upgrade is not supported from this state.
+    - This block indicates that the host OS is currently booted into Audit Mode, a special mode for modifying the Windows state.  Upgrade isn't supported from this state.
 6. SafeModeHardblock - 404D9523-B7A8-4203-90AF-5FBB05B6579B
-    - This block indicates that the host OS is booted to Safe Mode, where upgrade is not supported.
+    - This block indicates that the host OS is booted to Safe Mode, where upgrade isn't supported.
 7. InsufficientSystemPartitionDiskSpaceHardblock - 3789FBF8-E177-437D-B1E3-D38B4C4269D1
-    - This block is encountered when setup determines the system partition (where the boot loader files are stored) does not have enough space to be serviced with the newer boot files required during the upgrade process.
-8. CompatBlockedApplicationAutoUninstall – BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5
-    - This rule indicates there is an application that needs to be uninstalled before setup can continue.
+    - This block is encountered when setup determines the system partition (where the boot loader files are stored) doesn't have enough space to be serviced with the newer boot files required during the upgrade process.
+8. CompatBlockedApplicationAutoUninstall - BEBA5BC6-6150-413E-8ACE-5E1EC8D34DD5
+    - This rule indicates there's an application that needs to be uninstalled before setup can continue.
 9. CompatBlockedApplicationDismissable - EA52620B-E6A0-4BBC-882E-0686605736D9
-    - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies “/compat ignorewarning”.  This rule indicates setup was executed in /quiet mode but there is an application dismissible block message that has prevented setup from continuing.
+    - When running setup in /quiet mode, there are dismissible application messages that turn into blocks unless the command line also specifies "/compat ignorewarning".  This rule indicates setup was executed in /quiet mode but there's an application dismissible block message that has prevented setup from continuing.
 10. CompatBlockedApplicationManualUninstall - 9E912E5F-25A5-4FC0-BEC1-CA0EA5432FF4
     - This rule indicates that an application without an Add/Remove Programs entry, is present on the system and blocking setup from continuing.  This typically requires manual removal of the files associated with this application to continue.
 11. HardblockDeviceOrDriver - ED3AEFA1-F3E2-4F33-8A21-184ADF215B1B
-    - This error indicates a device driver that is loaded on the host OS is not compatible with the newer OS version and needs to be removed prior to the upgrade.
+    - This error indicates a device driver that is loaded on the host OS isn't compatible with the newer OS version and needs to be removed prior to the upgrade.
 12. HardblockMismatchedLanguage - 60BA8449-CF23-4D92-A108-D6FCEFB95B45
-    - This rule indicates the host OS and the target OS language editions do not match.
+    - This rule indicates the host OS and the target OS language editions don't match.
 13. HardblockFlightSigning - 598F2802-3E7F-4697-BD18-7A6371C8B2F8
     - This rule indicates the target OS is a pre-release, Windows Insider build, and the target machine has Secure Boot enabled.  This will block the pre-release signed build from booting if installed on the machine.
 14. DiskSpaceBlockInDownLevel - 6080AFAC-892E-4903-94EA-7A17E69E549E
@@ -259,15 +261,15 @@ Each rule name and its associated unique rule identifier are listed with a descr
 22. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
     - Finds fatal advanced installer operations that cause setup failures.
 23. FindMigApplyUnitFailure - A4232E11-4043-4A37-9BF4-5901C46FD781
-    - Detects a migration unit failure that caused the update to fail.  This rule will output the name of the migration plug-in as well as the error code it produced for diagnostic purposes.
+    - Detects a migration unit failure that caused the update to fail.  This rule will output the name of the migration plug-in and the error code it produced for diagnostic purposes.
 24. FindMigGatherUnitFailure - D04C064B-CD77-4E64-96D6-D26F30B4EE29
-    - Detects a migration gather unit failure that caused the update to fail.  This rule will output the name of the gather unit/plug-in as well as the error code it produced for diagnostic purposes.
+    - Detects a migration gather unit failure that caused the update to fail.  This rule will output the name of the gather unit/plug-in and the error code it produced for diagnostic purposes.
 25. CriticalSafeOSDUFailure - 73566DF2-CA26-4073-B34C-C9BC70DBF043
     - This rule indicates a failure occurred while updating the SafeOS image with a critical dynamic update.  It will indicate the phase and error code that occurred while attempting to update the SafeOS image for diagnostic purposes.
 26. UserProfileCreationFailureDuringOnlineApply - 678117CE-F6A9-40C5-BC9F-A22575C78B14
     - Indicates there was a critical failure while creating or modifying a User Profile during the online apply phase of the update.  It will indicate the operation and error code associated with the failure for diagnostic purposes.
 27. WimMountFailure - BE6DF2F1-19A6-48C6-AEF8-D3B0CE3D4549
-    - This rule indicates the update failed to mount a wim file.  It will show the name of the wim file as well as the error message and error code associated with the failure for diagnostic purposes.
+    - This rule indicates the update failed to mount a WIM file.  It will show the name of the WIM file and the error message and error code associated with the failure for diagnostic purposes.
 28. FindSuccessfulUpgrade - 8A0824C8-A56D-4C55-95A0-22751AB62F3E
     - Determines if the given setup was a success or not based off the logs.
 29. FindSetupHostReportedFailure - 6253C04F-2E4E-4F7A-B88E-95A69702F7EC
@@ -280,21 +282,21 @@ Each rule name and its associated unique rule identifier are listed with a descr
     - Gives last phase and error information when SetupPlatform indicates a critical failure.  This rule will indicate the operation and error associated with the failure for diagnostic purposes.
 33. FindRollbackFailure - 3A43C9B5-05B3-4F7C-A955-88F991BB5A48
     - Gives last operation, failure phase and error information when a rollback occurs.
-34. AdvancedInstallerGenericFailure – 4019550D-4CAA-45B0-A222-349C48E86F71
+34. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71
     - A rule to match AdvancedInstaller read/write failures in a generic sense.  Will output the executable being called as well as the error code and exit code reported.
-35. OptionalComponentFailedToGetOCsFromPackage – D012E2A2-99D8-4A8C-BBB2-088B92083D78  (NOTE:  This rule replaces the OptionalComponentInstallFailure rule present in v1.10.
+35. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78  (NOTE:  This rule replaces the OptionalComponentInstallFailure rule present in v1.10.
     - This matches a specific Optional Component failure when attempting to enumerate components in a package.  Will output the package name and error code.
-36. OptionalComponentOpenPackageFailed – 22952520-EC89-4FBD-94E0-B67DF88347F6
+36. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
     - Matches a specific Optional Component failure when attempting to open an OC package.  Will output the package name and error code.
-37. OptionalComponentInitCBSSessionFailed – 63340812-9252-45F3-A0F2-B2A4CA5E9317
-    - Matches a specific failure where the advanced installer service or components aren’t operating or started on the system.  Will output the error code.
-38. UserProfileCreationFailureDuringFinalize – C6677BA6-2E53-4A88-B528-336D15ED1A64
+37. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317
+    - Matches a specific failure where the advanced installer service or components aren't operating or started on the system.  Will output the error code.
+38. UserProfileCreationFailureDuringFinalize - C6677BA6-2E53-4A88-B528-336D15ED1A64
     - Matches a specific User Profile creation error during the finalize phase of setup.  Will output the failure code.
-39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
-    - Matches a wim apply failure during wim extraction phases of setup.  Will output the extension, path and error code.
-40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2
+39. WimApplyExtractFailure - 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
+    - Matches a WIM apply failure during WIM extraction phases of setup.  Will output the extension, path and error code.
+40. UpdateAgentExpanderFailure - 66E496B3-7D19-47FA-B19B-4040B9FD17E2
     - Matches DPX expander failures in the down-level phase of update from Windows Update.  Will output the package name, function, expression and error code.
-41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636
+41. FindFatalPluginFailure - E48E3F1C-26F6-4AFB-859B-BF637DA49636
     - Matches any plug-in failure that setupplatform decides is fatal to setup.  Will output the plugin name, operation and error code.
 42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
     - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes.
@@ -350,16 +352,16 @@ Each rule name and its associated unique rule identifier are listed with a descr
 - Fixed an issue with registry output in which the "no match found" result caused a corrupted REG_SZ value.
 
 08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center.
- - Log detection performance is improved.  What used to take up to a minute should take around 10 seconds or less.
+ - Log detection performance is improved.  Log detection takes around 10 seconds or less where before it could take up to a minute.
  - Added Setup Operation and Setup Phase information to both the results log and the registry information.
      - This is the last Operation and Phase that Setup was in when the failure occurred.
  - Added detailed Setup Operation and Setup Phase information (and timing) to output log when /verbose is specified.
-     - Note, if the issue found is a compat block, no Setup Operation or Phase info exists yet and therefore won’t be available.
+     - Note, if the issue found is a compat block, no Setup Operation or Phase info exists yet and therefore won't be available.
  - Added more info to the Registry output. 
-     - Detailed ‘FailureData’ info where available.  Example: “AppName = MyBlockedApplication” or “DiskSpace = 6603” (in MB)
-         - “Key = Value” data specific to the failure found.
-     - Added ‘UpgradeStartTime’, ‘UpgradeEndTime’ and ‘UpgradeElapsedTime’
-     - Added ‘SetupDiagVersion’, ‘DateTime’ (to indicate when SetupDiag was executed on the system), ‘TargetOSVersion’, ‘HostOSVersion’ and more…
+     - Detailed 'FailureData' info where available.  Example: "AppName = MyBlockedApplication" or "DiskSpace = 6603" (in MB)
+         - "Key = Value" data specific to the failure found.
+     - Added 'UpgradeStartTime', 'UpgradeEndTime' and 'UpgradeElapsedTime'
+     - Added 'SetupDiagVersion', 'DateTime' (to indicate when SetupDiag was executed on the system), 'TargetOSVersion', 'HostOSVersion' and more…
 
 
 06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
@@ -371,10 +373,10 @@ Each rule name and its associated unique rule identifier are listed with a descr
 - Added "no match" reports for xml and json per user request.
 - Formatted Json output for easy readability.
 - Performance improvements when searching for setup logs; this should be much faster now.
-- Added 7 new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information.
+- Added seven new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information.
 - Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**
   - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode.
-  - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it’s always up to date.
+  - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it's always up to date.
   - This registry key also gets deleted when a new update instance is invoked.
   - For an example, see [Sample registry key](#sample-registry-key).
 
@@ -383,33 +385,33 @@ Each rule name and its associated unique rule identifier are listed with a descr
 
 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
 - This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
-  - The FindDownlevelFailure rule is up to 10x faster.
+  - The FindDownlevelFailure rule is up to 10 times faster.
 - New rules have been added to analyze failures upgrading to Windows 10 version 1809.
 - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure.
 - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode.
 - Some functional and output improvements were made for several rules.
 
 07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center.
-- This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed.
+- This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but doesn't have debugger binaries installed.
 
 07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center.
 - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
 - New feature: Ability to output logs in JSON and XML format.
   - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
-  - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text.
+  - If the "/Format:xml" or "/Format:json" parameter is omitted, the log output format will default to text.
 - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
-- 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
+- Three new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
 
 05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center.
 - Fixed a bug in device install failure detection in online mode.
 - Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate.  This change enables the tool to analyze update failures that occur prior to calling SetupHost.
-- Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing.
+- Telemetry is refactored to only send the rule name and GUID (or "NoRuleMatched" if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing.
 
 05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center.
 - A performance enhancement has been added to result in faster rule processing.
 - Rules output now includes links to support articles, if applicable.
-- SetupDiag now provides the path and name of files that it is processing.
-- You can now run SetupDiag by simply clicking on it and then examining the output log file.
+- SetupDiag now provides the path and name of files that it's processing.
+- You can now run SetupDiag by selecting it and then examining the output log file.
 - An output log file is now always created, whether or not a rule was matched.
 
 03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center.
@@ -564,6 +566,6 @@ Refer to "https://learn.microsoft.com/windows/desktop/Debug/system-error-codes"
 
 ![Example of Addreg.](./../images/addreg.png)
 
-## Related topics
+## Related articles
 
 [Resolve Windows 10 upgrade errors: Technical information for IT Pros](./resolve-windows-10-upgrade-errors.md)
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 78530d857f..2f48ed28eb 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -1,19 +1,21 @@
 ---
 title: Submit Windows 10 upgrade errors using Feedback Hub
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Download the Feedback Hub app, and then submit Windows 10 upgrade errors for diagnosis using feedback hub.
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Submit Windows 10 upgrade errors using Feedback Hub
 
 **Applies to**
--   Windows 10
+-   Windows 10
 
 >[!NOTE]
 >This is a 100 level topic (basic).<br>
@@ -27,11 +29,11 @@ This topic describes how to submit problems with a Windows 10 upgrade to Microso
 
 The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool.  You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
 
-The Feedback Hub requires Windows 10. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous version of Windows 10, the Feedback Hub will collect log files automatically.
+The Feedback Hub requires Windows 10. If you're having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information. However, you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you're upgrading to Windows 10 from a previous version of Windows 10, the Feedback Hub will collect log files automatically.
 
 ## Submit feedback
 
-To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md) 
+To submit feedback about a failed Windows 10 upgrade, select the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md) 
 
 The Feedback Hub will open.
 
@@ -43,22 +45,22 @@ The Feedback Hub will open.
     - How did the upgrade fail?
         - Were any error codes visible?
         - Did the computer fail to a blue screen?
-        - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back?
+        - Did the computer automatically rollback or did it hang, requiring you to power cycle it before it rolled back?
 - Additional details
     - What type of security software is installed?
     - Is the computer up to date with latest drivers and firmware?
     - Are there any external devices connected? 
-- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. 
+- If you used the link above, the category and subcategory will be automatically selected. If it isn't selected, choose **Install and Update** and **Windows Installation**. 
 
-You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs).
+You can attach a screenshot or file if desired. This is optional, but can be helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs).
 
-Click **Submit** to send your feedback.
+Select **Submit** to send your feedback.
 
 See the following example:
 
 ![feedback example.](../images/feedback.png) 
 
-After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue.  You can check on your feedback periodically to see what solutions have been provided.
+After you select Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue.  You can check on your feedback periodically to see what solutions have been provided.
 
 ## Link to your feedback
 
@@ -66,6 +68,6 @@ After your feedback is submitted, you can email or post links to it by opening t
 
 ![share.](../images/share.jpg) 
 
-## Related topics
+## Related articles
 
 [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx)
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 4ade882a85..2fdbd0beea 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -1,13 +1,15 @@
 ---
 title: Windows 10 edition upgrade (Windows 10)
 description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Windows 10 edition upgrade
@@ -26,7 +28,7 @@ The following table shows the methods and paths available to change the edition
 > The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
 
 > [!TIP]
-> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
+> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Configuration Manager.
 
 ![not supported.](../images/x_blk.png) (X) = not supported</br>
 ![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
@@ -68,21 +70,21 @@ X = unsupported <BR>
 > <br>
 
 ## Upgrade using mobile device management (MDM)
-- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
+- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp).
 
 
 ## Upgrade using a provisioning package
 Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
 
-- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
+- To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings &gt; EditionUpgrade &gt; UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition.
 
-For more info about Windows Configuration Designer, see these topics:
+For more info about Windows Configuration Designer, see these articles:
 - [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package)
 - [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package)
 
 
 ## Upgrade using a command-line tool
-You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
+You can run the changepk.exe command-line tool to upgrade devices to a supported edition of Windows 10:
 
 `changepk.exe /ProductKey <enter your new product key here>`
 
@@ -92,37 +94,37 @@ You can also upgrade using slmgr.vbs and a [KMS client setup key](/windows-serve
 
 
 ## Upgrade by manually entering a product key
-If you are upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
+If you're upgrading only a few devices, you may want to enter a product key for the upgraded edition manually.
 
 **To manually enter a product key**
 
-1.  From either the Start menu or the Start screen, type 'Activation' and click on the Activation shortcut.
+1.  From either the Start menu or the Start screen, type 'Activation' and select on the Activation shortcut.
 
-2.  Click **Change product key**.
+2.  Select **Change product key**.
 
 3.  Enter your product key.
 
 4.  Follow the on-screen instructions.
 
 ## Upgrade by purchasing a license from the Microsoft Store
-If you do not have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
+If you don't have a product key, you can upgrade your edition of Windows 10 through the Microsoft Store.
 
 **To upgrade through the Microsoft Store**
 
-1.  From either the **Start** menu or the **Start** screen, type 'Activation' and click on the Activation shortcut.
+1.  From either the **Start** menu or the **Start** screen, type 'Activation' and select on the Activation shortcut.
 
-2.  Click **Go to Store**.
+2.  Select **Go to Store**.
 
 3.  Follow the on-screen instructions.
 
     > [!NOTE]
-    > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
+    > If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/).
 
 ## License expiration
 
-Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path is not supported, then a clean install is required.
+Volume license customers whose license has expired will need to change the edition of Windows 10 to an edition with an active license. Switching to a downgraded edition of Windows 10 is possible using the same methods that were used to perform an edition upgrade. If the downgrade path is supported, then your apps and settings can be migrated from the current edition. If a path isn't supported, then a clean install is required.
 
-Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported.  You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades.
+Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key isn't supported.  You also can't downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This article doesn't discuss version downgrades.
 
 > [!NOTE]
 > If you are using [Windows 10 Enterprise Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation) and a license expires, devices will automatically revert to the original edition when the grace period expires.
@@ -135,7 +137,7 @@ Downgrading from Enterprise
 - Upgrade edition: **Enterprise**
 - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
 
-You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
+You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you're a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
 
 ### Supported Windows 10 downgrade paths
 
@@ -163,9 +165,9 @@ S = Supported; Not considered a downgrade or an upgrade
 
 > **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
 
-Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
+Some slightly more complex scenarios aren't represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro.
 
-## Related topics
+## Related articles
 
 [Windows 10 upgrade paths](./windows-10-upgrade-paths.md)<br>
 [Windows 10 volume license media](../windows-10-media.md)<br>
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 9bf1d82280..eff1786ff2 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -1,13 +1,15 @@
 ---
 title: Windows 10 upgrade paths (Windows 10)
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
+author: frankroj
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Windows 10 upgrade paths
@@ -18,19 +20,19 @@ ms.collection: highpri
 
 ## Upgrade paths
 
-This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. 
+This article provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. 
 
-If you are also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths, but please note that applications and settings are not maintained when the Windows edition is downgraded.
+If you're also migrating to a different edition of Windows, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). Methods and supported paths are described on this page to change the edition of Windows. These methods require that you input a license or product key for the new Windows edition prior to starting the upgrade process. Edition downgrade is also supported for some paths. However, applications and settings aren't maintained when the Windows edition is downgraded.
 
 - **Windows 10 version upgrade**: You can directly upgrade any General Availability Channel version of Windows 10 to a newer, supported General Availability Channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](/lifecycle/faq/windows) for availability and service information.
 
-- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
+- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC isn't supported. Windows 10 LTSC 2015 didn't block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
 
-  You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
+  You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel if you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You'll need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
 
-- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
+- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions aren't the same type (for example, Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
 
-- **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
+- **Windows 8.0**: You can't upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
 
 ## Windows 10
 
@@ -85,10 +87,10 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
 
 ---
 
-## Related Topics
+## Related articles
 
 [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
 
 [Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
 
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
\ No newline at end of file
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index c8f3986ed2..ece3ab44a0 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -1,19 +1,21 @@
 ---
 title: Windows error reporting - Windows IT Pro
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Windows Error Reporting
 
 **Applies to**
--   Windows 10
+-   Windows 10
 
 > [!NOTE]
 > This is a 300 level topic (moderately advanced).  
@@ -35,7 +37,7 @@ $event.Event.EventData.Data
 
 To use Event Viewer: 
 1. Open Event Viewer and navigate to **Windows Logs\Application**.
-2. Click **Find**, and then search for **winsetupdiag02**.
+2. Select **Find**, and then search for **winsetupdiag02**.
 3. Double-click the event that is highlighted.
 
 > [!NOTE]
@@ -56,15 +58,14 @@ Ten parameters are listed in the event:
 |P9: New OS build (Ex: 16299}   | 
 |P10: New OS branch (Ex: rs3_release}   | 
 
-
-The event will also contain links to log files that can be used to perform a detailed diagnosis of the error.  An example of this event from a successful upgrade is shown below.
+The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
 
 :::image type="content" alt-text="Windows Error Reporting." source="../images/event.png" lightbox="../images/event.png":::
 
-## Related topics
+## Related articles
 
 [Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)  
 [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)  
 [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)  
 [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)  
-[Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
+[Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
\ No newline at end of file
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index d07d93a95c..d197dc65f1 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,56 +1,58 @@
 ---
 title: Windows Upgrade and Migration Considerations (Windows 10)
-description: Discover the Microsoft tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.
+description: Discover the Microsoft tools you can use to move files and settings between installations including special considerations for performing an upgrade or migration.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 10/28/2022
 ---
 
 # Windows upgrade and migration considerations
 Files and application settings can be migrated to new hardware running the Windows® operating system, or they can be maintained during an operating system upgrade on the same computer. This topic summarizes the Microsoft® tools you can use to move files and settings between installations in addition to special considerations for performing an upgrade or migration.
 
 ## Upgrade from a previous version of Windows
-You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings will not be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
+You can upgrade from an earlier version of Windows, which means you can install the new version of Windows and retain your applications, files, and settings as they were in your previous version of Windows. If you decide to perform a custom installation of Windows instead of an upgrade, your applications and settings won't be maintained. Your personal files, and all Windows files and directories, will be moved to a Windows.old folder. You can access your data in the Windows.old folder after Windows Setup is complete.
 
 ## Migrate files and settings
 Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
 
 For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](/previous-versions/windows/server/cc722055(v=ws.10)).
 
-The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer.
+The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a few computers or for individually customized deployments, you can use Windows Easy Transfer.
 
 ### Migrate with Windows Easy Transfer
-Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download.
+Windows Easy Transfer is a software wizard for transferring files and settings from one computer that is running Windows to another. It helps you select what to move to your new computer, enables you to set which migration method to use, and then performs the transfer. When the transfer has completed, Windows Easy Transfer Reports shows you what was transferred and provides a list of programs you might want to install on your new computer, in addition to links to other programs you might want to download.
 
-With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
+With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you can't use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
 
 > [!NOTE]
 > Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10).
 
 ### Migrate with the User State Migration Tool
-You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
+You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they're migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.
 
 ## Upgrade and migration considerations
-Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
+Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
 
 ### Application compatibility
 For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
 
 ### Multilingual Windows image upgrades
-When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
+When performing multilingual Windows upgrades, cross-language upgrades aren't supported by USMT. If you're upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
 
-If you are using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you will have to reinstall them after the upgrade is completed.
+If you're using a single-language Windows image that matches the system default UI language of your multilingual operating system, the migration will work. However, all of the language packs will be removed, and you'll have to reinstall them after the upgrade is completed.
 
 ### Errorhandler.cmd
-When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy this file into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
+When upgrading from an earlier version of Windows, if you intend to use Errorhandler.cmd, you must copy Errorhandler.cmd into the %WINDIR%\\Setup\\Scripts directory on the old installation. This makes sure that if there are errors during the down-level phase of Windows Setup, the commands in Errorhandler.cmd will run.
 
 ### Data drive ACL migration
-During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that do not appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
+During the configuration pass of Windows Setup, the root access control list (ACL) on drives formatted for NTFS that don't appear to have an operating system will be changed to the default Windows XP ACL format. The ACLs on these drives are changed to enable authenticated users to modify access on folders and files.
 
-Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
+Changing the ACLs may affect the performance of Windows Setup if the default Windows XP ACLs are applied to a partition with a large amount of data. Because of these performance concerns, you can change the following registry value to disable this feature:
 
 ``` syntax
 Key: HKLM\System\Setup
@@ -58,14 +60,9 @@ Type: REG_DWORD
 Value: "DDACLSys_Disabled" = 1
 ```
 
-This feature is disabled if this registry key value exists and is configured to `1`.
+This feature is disabled if this registry key value exists and is configured to `1`.
 
-## Related topics
+## Related articles
 [User State Migration Tool (USMT) Overview Topics](../usmt/usmt-topics.md)<BR>
 [Windows 10 upgrade paths](windows-10-upgrade-paths.md)<BR>
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-
-
- 
-
- 
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
\ No newline at end of file
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index bd09b57aab..d9550203d8 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -2,82 +2,87 @@
 title: User State Migration Tool (USMT) - Getting Started (Windows 10)
 description: Plan, collect, and prepare your source computer for migration using the User State Migration Tool (USMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/01/2022
 ---
 
-# Getting Started with the User State Migration Tool (USMT)
-This topic outlines the general process that you should follow to migrate files and settings.
+# Getting started with the User State Migration Tool (USMT)
 
-## In this topic
--   [Step 1: Plan Your Migration](#step-1-plan-your-migration)
-
--   [Step 2: Collect files and settings from the source computer](#step-2-collect-files-and-settings-from-the-source-computer)
-
--   [Step 3: Prepare the destination computer and restore files and settings](#step-3-prepare-the-destination-computer-and-restore-files-and-settings)
+This article outlines the general process that you should follow to migrate files and settings.
 
 ## Step 1: Plan your migration
-1.  [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
 
-2.  [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys.
+1. [Plan Your Migration](usmt-plan-your-migration.md). Depending on whether your migration scenario is refreshing or replacing computers, you can choose an online migration or an offline migration using Windows Preinstallation Environment (WinPE) or the files in the Windows.old directory. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
 
-3.  Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
+2. [Determine What to Migrate](usmt-determine-what-to-migrate.md). Data you might consider migrating includes end-user information, applications settings, operating-system settings, files, folders, and registry keys.
 
-4.  Use the **/GenMigXML** command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information see [ScanState Syntax](usmt-scanstate-syntax.md)
+3. Determine where to store data. Depending on the size of your migration store, you can store the data remotely, locally in a hard-link migration store or on a local external storage device, or directly on the destination computer. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
 
-5.  Modify copies of the Migration.xml and MigDocs.xml files and create custom .xml files, if it is required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or **MigXmlHelper.GenerateDocPatterns** helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files.
+4. Use the `/GenMigXML` command-line option to determine which files will be included in your migration, and to determine whether any modifications are necessary. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md)
 
-    **Important**  
-    We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files.
-    
-    You can use the MigXML.xsd file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
+5. Modify copies of the `Migration.xml` and `MigDocs.xml` files and create custom .xml files, if it's required. To modify the migration behavior, such as migrating the **Documents** folder but not the **Music** folder, you can create a custom .xml file or modify the rules in the existing migration .xml files. The document finder, or `MigXmlHelper.GenerateDocPatterns` helper function, can be used to automatically find user documents on a computer without creating extensive custom migration .xml files.
 
-6.  Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the **ScanState** command. For example, the following command creates a Config.xml file by using the MigDocs and MigApp.xml files:
+    > [!IMPORTANT]
+    > We recommend that you always make and modify copies of the .xml files included in User State Migration Tool (USMT) 10.0. Never modify the original .xml files.
 
-    `scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log`
+    You can use the `MigXML.xsd` file to help you write and validate the .xml files. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
 
-7.  Review the migration state of the components listed in the Config.xml file, and specify `migrate=no` for any components that you do not want to migrate.
+6. Create a [Config.xml File](usmt-configxml-file.md) if you want to exclude any components from the migration. To create this file, use the [ScanState Syntax](usmt-scanstate-syntax.md) option together with the other .xml files when you use the `ScanState.exe` command. For example, the following command creates a `Config.xml` file by using the `MigDocs.xml` and `MigApp.xml` files:
+
+    ```cmd
+    ScanState.exe /genconfig:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
+    ```
+
+7. Review the migration state of the components listed in the `Config.xml` file, and specify `migrate=no` for any components that you don't want to migrate.
 
 ## Step 2: Collect files and settings from the source computer
-1.  Back up the source computer.
 
-2.  Close all applications. If some applications are running when you run the **ScanState** command, USMT might not migrate all of the specified data. For example, if Microsoft&reg; Office Outlook&reg; is open, USMT might not migrate PST files.
+1. Back up the source computer.
 
-    **Note**  
-    USMT will fail if it cannot migrate a file or setting unless you specify the **/C** option. When you specify the **/C** option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the **&lt;ErrorControl&gt;** section in the Config.xml file to specify which errors should be ignored, and which should cause the migration to fail.
+2. Close all applications. If some applications are running when you run the `ScanState.exe` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files.
 
-3.  Run the **ScanState** command on the source computer to collect files and settings. You should specify all of the .xml files that you want the **ScanState** command to use. For example,
+     > [!NOTE]
+     > USMT will fail if it cannot migrate a file or setting unless you specify the `/C` option. When you specify the `/C` option, USMT will ignore the errors, and log an error every time that it encounters a file that is being used that USMT did not migrate. You can use the `<ErrorControl>` section in the `Config.xml` file to specify which errors should be ignored, and which should cause the migration to fail.
 
-    `scanstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log`
+3. Run the `ScanState.exe` command on the source computer to collect files and settings. You should specify all of the .xml files that you want the `ScanState.exe` command to use. For example,
 
-    **Note**  
-    If the source computer is running Windows 7, or Windows 8, you must run the **ScanState** command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then click **Run As Administrator**. If the source computer is running Windows XP, you must run the **ScanState** command from an account that has administrative credentials. For more information about the how the **ScanState** command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
+     ```cmd
+        ScanState.exe \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log
+     ```
 
-4.  Run the **USMTUtils** command with the **/Verify** option to ensure that the store you created is not corrupted.
+     > [!NOTE]
+     > If the source computer is running Windows 7, or Windows 8, you must run the `ScanState.exe` command in **Administrator** mode. To run in **Administrator** mode, right-click **Command Prompt**, and then select **Run As Administrator**. For more information about the how the `ScanState.exe` command processes and stores the data, see [How USMT Works](usmt-how-it-works.md).
+
+4. Run the `UsmtUtils.exe` command with the `/Verify` option to ensure that the store you created isn't corrupted.
 
 ## Step 3: Prepare the destination computer and restore files and settings
-1.  Install the operating system on the destination computer.
 
-2.  Install all applications that were on the source computer. Although it is not always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved.
+1. Install the operating system on the destination computer.
 
-    **Note**  
-    The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft&reg; Office, which USMT can migrate from an older version to a newer version.
+2. Install all applications that were on the source computer. Although it isn't always required, we recommend installing all applications on the destination computer before you restore the user state. This makes sure that migrated settings are preserved.
 
-3.  Close all applications. If some applications are running when you run the **LoadState** command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files.
+     > [!NOTE]
+     > The application version that is installed on the destination computer should be the same version as the one on the source computer. USMT does not support migrating the settings for an older version of an application to a newer version. The exception to this is Microsoft Office, which USMT can migrate from an older version to a newer version.
 
-    **Note**  
-    Use **/C** to continue your migration if errors are encountered, and use the **&lt;ErrorControl&gt;** section in the Config.xml file to specify which errors should be ignored, and which errors should cause the migration to fail.
+3. Close all applications. If some applications are running when you run the `LoadState.exe ` command, USMT might not migrate all of the specified data. For example, if Microsoft Office Outlook is open, USMT might not migrate PST files.
 
-4.  Run the **LoadState** command on the destination computer. Specify the same set of .xml files that you specified when you used the **ScanState** command. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file by using the **LoadState** command. Then, the **LoadState** command will migrate only the files and settings that you want to migrate. For more information about the how the **LoadState** command processes and migrates data, see [How USMT Works](usmt-how-it-works.md).
+     > [!NOTE]
+     > Use `/C` to continue your migration if errors are encountered, and use the `<ErrorControl>` section in the `Config.xml` file to specify which errors should be ignored, and which errors should cause the migration to fail.
+
+4. Run the `LoadState.exe ` command on the destination computer. Specify the same set of .xml files that you specified when you used the `ScanState.exe` command. However, you don't have to specify the `Config.xml` file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the `Config.xml` file and specify the updated file by using the `LoadState.exe ` command. Then, the `LoadState.exe ` command will migrate only the files and settings that you want to migrate. For more information about how the `LoadState.exe ` command processes and migrates data, see [How USMT Works](usmt-how-it-works.md).
 
     For example, the following command migrates the files and settings:
 
-    `loadstate \\server\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log`
+    ```cmd
+    LoadState.exe  \\server\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log
+    ```
 
-    **Note**  
-    Run the **LoadState** command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**.
+     > [!NOTE]
+     > Run the `LoadState.exe ` command in administrator mode. To do this, right-click **Command Prompt**, and then click **Run As Administrator**.
 
-5.  Log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screen saver settings) will not take effect until the next time that the user logs on.
+5. Sign out after you run the `LoadState.exe ` command. Some settings, such as fonts, wallpaper, and screen saver settings, won't take effect until the next time that the user logs on.
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 1f3b261ab9..677f59ca0c 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -2,162 +2,147 @@
 title: Migrate Application Settings (Windows 10)
 description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Migrate Application Settings
 
+You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines.
 
-You can create a custom .xml file to migrate specific line-of-business application settings or to change the default migration behavior of the User State Migration Tool (USMT) 10.0. For ScanState and LoadState to use this file, you must specify the custom .xml file on both command lines.
+This article defines how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using `MigApp.xml`. You should migrate the settings after you install the application, but before the user runs the application for the first time.
 
-This topic defines how to author a custom migration .xml file that migrates the settings of an application that is not migrated by default using MigApp.xml. You should migrate the settings after you install the application, but before the user runs the application for the first time.
+This article doesn't contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also doesn't contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this article doesn't discuss how to migrate the .doc files and templates themselves.
 
-This topic does not contain information about how to migrate applications that store settings in an application-specific store, only the applications that store the information in files or in the registry. It also does not contain information about how to migrate the data that users create using the application. For example, if the application creates .doc files using a specific template, this topic does not discuss how to migrate the .doc files and templates themselves.
+## Before you begin
 
-## <a href="" id="createxmlmigappsettings"></a>In this Topic
+You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you're planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application.
 
+## Step 1: Verify that the application is installed on the source computer, and that it's the same version as the version to be installed on the destination computer
 
--   [Before You Begin](#bkmk-beforebegin)
+Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it's the correct version. If the application isn't installed on the source computer, you probably don't want USMT to spend time searching for the application's settings. More importantly, if USMT collects settings for an application that isn't installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there's more than one version of the application because the new version may not store the settings in the same place.  Mismatched application versions may lead to unexpected results on the destination computer.
 
--   [Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer](#bkmk-step1).
+There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It's important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want.
 
--   [Step 2: Identify settings to collect and determine where each setting is stored on the computer](#bkmk-step2).
+### Check the registry for an application uninstall key
 
--   [Step 3: Identify how to apply the gathered settings](#bkmk-step3).
+When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under:
 
--   [Step 4: Create the migration XML component for the application](#bkmk-step4).
+`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`
 
--   [Step 5: Test the application settings migration](#bkmk-step5).
+For example, when Adobe Acrobat Reader 7 is installed, it creates a key named:
 
-## <a href="" id="bkmk-beforebegin"></a>Before You Begin
+`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall \{AC76BA86-7AD7-1033-7B44-A70000000000}`
 
+Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the `DoesObjectExist` helper function.
 
-You should identify a test computer that contains the operating system of your source computers, and the application whose settings you want to migrate. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 7 on your test computer and then install the application.
+Usually, you can find this key by searching under
 
-## <a href="" id="bkmk-step1"></a>Step 1: Verify that the application is installed on the source computer, and that it is the same version as the version to be installed on the destination computer.
+`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`
 
+for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor, `Regedit.exe` located in the `%SystemRoot%`, to search the registry.
 
-Before USMT migrates the settings, you need it to check whether the application is installed on the source computer, and that it is the correct version. If the application is not installed on the source computer, you probably do not want USMT to spend time searching for the application’s settings. More importantly, if USMT collects settings for an application that is not installed, it may migrate settings that will cause the destination computer to function incorrectly. You should also investigate whether there is more than one version of the application. This is because the new version may not store the settings in the same place, which may lead to unexpected results on the destination computer.
+### Check the file system for the application executable file
 
-There are many ways to detect if an application is installed. The best practice is to check for an application uninstall key in the registry, and then search the computer for the executable file that installed the application. It is important that you check for both of these items, because sometimes different versions of the same application share the same uninstall key. So even if the key is there, it may not correspond to the version of the application that you want.
+You should also check the application binaries for the executable that installed the application. To check for application binaries, you'll first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you've determined the path to the application executable, you can use the `DoesFileVersionMatch` helper function to check for the correct version of the application executable. For an example of how to use the `DoesFileVersionMatch` helper function, see the Windows Live™ Messenger section of the `MigApp.xml` file.
 
-### Check the registry for an application uninstall key.
+## Step 2: Identify settings to collect and determine where each setting is stored on the computer
 
-When many applications are installed (especially those installed using the Microsoft® Windows® Installer technology), an application uninstall key is created under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall**. For example, when Adobe Acrobat Reader 7 is installed, it creates a key named **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall \\{AC76BA86-7AD7-1033-7B44-A70000000000}**. Therefore, if a computer contains this key, then Adobe Acrobat Reader 7 is installed on the computer. You can check for the existence of a registry key using the **DoesObjectExist** helper function.
+Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you don't want to migrate. To determine where each setting is stored, you'll need to change each setting and monitor the activity on the registry and the file system. You don't need to migrate the binary files and registry settings that are made when the application is installed because you'll need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable.
 
-Usually, you can find this key by searching under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** for the name of the application, the name of the application executable file, or for the name of the company that makes the application. You can use the Registry Editor (**Regedit.exe** located in the %**SystemRoot**%) to search the registry.
+### How to determine where each setting is stored
 
-### Check the file system for the application executable file.
+1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](/sysinternals/).
 
-You should also check the application binaries for the executable that installed the application. To do this, you will first need to determine where the application is installed and what the name of the executable is. Most applications store the installation location of the application binaries in the registry. You should search the registry for the name of the application, the name of the application executable, or for the name of the company that makes the application, until you find the registry value that contains the installation path. Once you have determined the path to the application executable, you can use the **DoesFileVersionMatch** helper function to check for the correct version of the application executable. For an example of how to do this, see the Windows Live™ Messenger section of the MigApp.xml file.
+2. Shut down as many applications as possible to limit the registry and file system activity on the computer.
 
-## <a href="" id="bkmk-step2"></a>Step 2: Identify settings to collect and determine where each setting is stored on the computer.
+3. Filter the output of the tools so it only displays changes being made by the application.
 
+     > [!NOTE]
+     > Most applications store their settings under the user profile. That is, the settings stored in the file system are under the `%UserProfile%` directory, and the settings stored in the registry are under the `HKEY_CURRENT_USER` hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine.
 
-Next, you should go through the user interface and make a list of all of the available settings. You can reduce the list if there are settings that you do not want to migrate. To determine where each setting is stored, you will need to change each setting and monitor the activity on the registry and the file system. You do not need to migrate the binary files and registry settings that are made when the application is installed. This is because you will need to reinstall the application onto the destination computer. You only need to migrate those settings that are customizable.
+4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you're changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically won't take effect until you close the dialog box by clicking **OK**.
 
-### <a href="" id="bkmkdetermine"></a>
+5. When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting.
 
-**How To Determine Where Each Setting is Stored**
+     > [!NOTE]
+     > Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values.
 
-1.  Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](/sysinternals/).
+## Step 3: Identify how to apply the gathered settings
 
-2.  Shut down as many applications as possible to limit the registry and file system activity on the computer.
+If the version of the application on the source computer is the same as the one on the destination computer, then you don't have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the `C:\Documents and Settings\User1\My Documents` folder and the profile directory on the destination computer is located at `D:\Users\User1`, then USMT will automatically migrate the file to `D:\Users\User1\My Documents`. However, you may need to modify the location of some settings in the following three cases:
 
-3.  Filter the output of the tools so it only displays changes being made by the application.
+### Case 1: The version of the application on the destination computer is newer than the one on the source computer
 
-    **Note**  
-    Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine.
+In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following conditions is true:
 
-     
+- **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications import settings automatically after settings are migrated. However, other applications will only do import settings if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer doesn't contain this set of files and registry keys so the mapping doesn't occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer.
 
-4.  Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**.
+    To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How to determine where each setting is stored](#how-to-determine-where-each-setting-is-stored). Once you know the set of files that the computer needs, you can use the **&lt;addObjects&gt;** element to add them to the destination computer.
 
-5.  When the setting is changed, note the changes to the file system and registry. There may be more than one file or registry values for each setting. You should identify the minimal set of file and registry changes that are required to change this setting. This set of files and registry keys is what you will need to migrate in order to migrate the setting.
+- **The newer version of the application can't read settings from the source computer and it's also unable to import the settings into the new format.** In this case, you'll need to create a mapping for each setting from the old locations to the new locations. To create the mapping, determine where the newer version stores each setting using the process described in [How to determine where each setting is stored](#how-to-determine-where-each-setting-is-stored). After you've created the mapping, apply the settings to the new location on the destination computer using the **&lt;locationModify&gt;** element, and the `RelativeMove` and `ExactMove` helper functions.
 
-    **Note**  
-    Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values.
+### Case 2: The destination computer already contains settings for the application
 
-     
+We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this process because this process ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the **&lt;destinationCleanup&gt;** element. If for any reason you want to preserve the settings that are on the destination computer, you can use the **&lt;merge&gt;** element and `DestinationPriority` helper function.
 
-## <a href="" id="bkmk-step3"></a>Step 3: Identify how to apply the gathered settings.
+### Case 3: The application overwrites settings when it's installed
 
+We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this process because this process ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This scenario is common for applications that store settings in locations that are outside of the user profile (typically these settings are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they're replaced by default values. To avoid this problem, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer.
 
-If the version of the application on the source computer is the same as the one on the destination computer, then you do not have to modify the collected files and registry keys. By default, USMT migrates the files and registry keys from the source location to the corresponding location on the destination computer. For example, if a file was collected from the C:\\Documents and Settings\\User1\\My Documents folder and the profile directory on the destination computer is located at D:\\Users\\User1, then USMT will automatically migrate the file to D:\\Users\\User1\\My Documents. However, you may need to modify the location of some settings in the following three cases:
+## Step 4: Create the migration XML component for the application
 
-### Case 1: The version of the application on the destination computer is newer than the one on the source computer.
+After you have completed steps 1 through 3, you'll need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the `MigApp.xml` file as a model because it contains examples of many of the concepts discussed in this article. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file.
 
-In this case, the newer version of the application may be able to read the settings from the source computer without modification. That is, the data collected from an older version of the application is sometimes compatible with the newer version of the application. However, you may need to modify the setting location if either of the following is true:
+ > [!NOTE]
+ > We recommend that you create a separate .xml file instead of adding your script to the `MigApp.xml` file. This is because the `MigApp.xml` file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the `MigApp.xml` file will be overwritten by the default version of the file and you will lose your customized version.
 
--   **The newer version of the application has the ability to import settings from an older version.** This mapping usually happens the first time a user runs the newer version after the settings have been migrated. Some applications do this automatically after settings are migrated; however, other applications will only do this if the application was upgraded from the older version. When the application is upgraded, a set of files and/or registry keys is installed that indicates the older version of the application was previously installed. If you perform a clean installation of the newer version (which is the case in most migrations), the computer does not contain this set of files and registry keys so the mapping does not occur. In order to trick the newer version of the application into initiating this import process, your migration script may need to create these files and/or registry keys on the destination computer.
+> [!IMPORTANT]
+> Some applications store information in the user profile, such as application installation paths, the computer name, etc., should not be migrated. You should make sure to exclude these files and registry keys from the migration.
 
-    To identify which files and/or registry keys/values need to be created to cause the import, you should upgrade the older version of the application to the newer one and monitor the changes made to the file system and registry by using the same process described in [How To determine where each setting is stored](#bkmkdetermine). Once you know the set of files that the computer needs, you can use the &lt;`addObjects`&gt; element to add them to the destination computer.
+Your script should do the following actions:
 
--   [The newer version of the application cannot read settings from the source computer and it is also unable to import the settings into the new format.](#bkmkdetermine) In this case, you will need to create a mapping for each setting from the old locations to the new locations. To do this, determine where the newer version stores each setting using the process described in How to determine where each setting is stored. After you have created the mapping, apply the settings to the new location on the destination computer using the &lt;`locationModify`&gt; element, and the **RelativeMove** and **ExactMove** helper functions.
+1. Check whether the application and correct version is installed by:
 
-### Case 2: The destination computer already contains settings for the application.
+    - Searching for the installation uninstall key under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` using the `DoesObjectExist` helper function.
 
-We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. If you must install the application before the migration, you should delete any existing settings using the &lt;`destinationCleanup`&gt; element. If for any reason you want to preserve the settings that are on the destination computer, you can use the &lt;`merge`&gt; element and **DestinationPriority** helper function.
+    - Checking for the correct version of the application executable file using the `DoesFileVersionMatch` helper function.
 
-### Case 3: The application overwrites settings when it is installed.
+2. If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer.
 
-We recommend that you migrate the settings after you install the application, but before the user runs the application for the first time. We recommend this because this ensures that there are no settings on the destination computer when you migrate the settings. Also, when some applications are installed, they overwrite any existing settings that are on the computer. In this scenario, if you migrated the data before you installed the application, your customized settings would be overwritten. This is common for applications that store settings in locations that are outside of the user profile (typically these are settings that apply to all users). These universal settings are sometimes overwritten when an application is installed, and they are replaced by default values. To avoid this, you must install these applications before migrating the files and settings to the destination computer. By default with USMT, data from the source computer overwrites data that already exists in the same location on the destination computer.
+    - If the versions of the applications are the same on both the source and destination computers, migrate each setting using the **&lt;include&gt;** and **&lt;exclude&gt;** elements.
 
-## <a href="" id="bkmk-step4"></a>Step 4: Create the migration XML component for the application
+    - If the version of the application on the destination computer is newer than the one on the source computer, and the application can't import the settings, your script should either:
+        1. Add the set of files that trigger the import using the **&lt;addObjects&gt;** element
+        2. Create a mapping that applies the old settings to the correct location on the destination computer using the **&lt;locationModify&gt;** element, and the `RelativeMove` and `ExactMove` helper functions.
 
-
-After you have completed steps 1 through 3, you will need to create a custom migration .xml file that migrates the application based on the information that you now have. You can use the MigApp.xml file as a model because it contains examples of many of the concepts discussed in this topic. You can also see [Custom XML Examples](usmt-custom-xml-examples.md) for another sample .xml file.
-
-**Note**  
-We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version.
-
- 
-
-**Important**  
-Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration.
-
- 
-
-Your script should do the following:
-
-1.  Check whether the application and correct version is installed by:
-
-    -   Searching for the installation uninstall key under **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall** using the **DoesObjectExist** helper function.
-
-    -   Checking for the correct version of the application executable file using the **DoesFileVersionMatch** helper function.
-
-2.  If the correct version of the application is installed, then ensure that each setting is migrated to the appropriate location on the destination computer.
-
-    -   If the versions of the applications are the same on both the source and destination computers, migrate each setting using the &lt;`include`&gt; and &lt;`exclude`&gt; elements.
-
-    -   If the version of the application on the destination computer is newer than the one on the source computer, and the application cannot import the settings, your script should either 1) add the set of files that trigger the import using the &lt;`addObjects`&gt; element or 2) create a mapping that applies the old settings to the correct location on the destination computer using the &lt;`locationModify`&gt; element, and the **RelativeMove** and **ExactMove** helper functions.
-
-    -   If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the &lt;`destinationCleanup`&gt; element.
+    - If you must install the application before migrating the settings, delete any settings that are already on the destination computer using the **&lt;destinationCleanup&gt;** element.
 
 For information about the .xml elements and helper functions, see [XML Elements Library](usmt-xml-elements-library.md).
 
-## <a href="" id="bkmk-step5"></a>Step 5: Test the application settings migration
+## Step 5: Test the application settings migration
 
+On a test computer, install the operating system that will be installed on the destination computers. For example, if you're planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly.
 
-On a test computer, install the operating system that will be installed on the destination computers. For example, if you are planning on migrating from Windows 7 to Windows 10, install Windows 10 and the application. Next, run LoadState on the test computer and verify that all settings migrate. Make corrections if necessary and repeat the process until all the necessary settings are migrated correctly.
+To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you're testing. To specify only **User1** in the migration, enter:
 
-To speed up the time it takes to collect and migrate the data, you can migrate only one user at a time, and you can exclude all other components from the migration except the application that you are testing. To specify only User1 in the migration, type: **/ue:\*\\\* /ui:user1**. For more information, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md) and User options in the [ScanState Syntax](usmt-scanstate-syntax.md) topic. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration.
+```cmd
+/ue:*\* /ui:user1
+```
 
-## Related topics
+For more information, see the [Exclude files and settings](usmt-exclude-files-and-settings.md) article and the [User options](usmt-scanstate-syntax.md#user-options) section in the [ScanState syntax](usmt-scanstate-syntax.md) article. To troubleshoot a problem, check the progress log, and the ScanState and LoadState logs, which contain warnings and errors that may point to problems with the migration.
 
+## Related articles
 
-[USMT XML Reference](usmt-xml-reference.md)
+[USMT XML reference](usmt-xml-reference.md)
 
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
+[Conflicts and precedence](usmt-conflicts-and-precedence.md)
 
-[XML Elements Library](usmt-xml-elements-library.md)
-
-[Log Files](usmt-log-files.md)
-
- 
+[XML elements library](usmt-xml-elements-library.md)
 
+[Log files](usmt-log-files.md)
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 4ad81de369..9059505be0 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -2,77 +2,60 @@
 title: Migration Store Types Overview (Windows 10)
 description: Learn about the migration store types and how to determine which migration store type best suits your needs.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Migration Store Types Overview
 
+When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you're using a local share, network share, or storage device.
 
-When planning your migration, you should determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers. You should also determine the space needed to create and host the migration store, whether you are using a local share, network share, or storage device.
-
-## In This Topic
-
-
-[Migration Store Types](#bkmk-types)
-
-[Local Store vs. Remote Store](#bkmk-localvremote)
-
-[The /localonly Command-Line Option](#bkmk-localonly)
-
-## <a href="" id="bkmk-types"></a>Migration Store Types
-
+## Migration store types
 
 This section describes the three migration store types available in USMT.
 
 ### Uncompressed (UNC)
 
-The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer.
+The uncompressed (UNC) migration store is an uncompressed directory with a mirror image of the folder hierarchy being migrated. Each directory and file retains the same access permissions that it has on the local file system. You can use Windows Explorer to view this migration store type. Settings are stored in a catalog file that also describes how to restore files on the destination computer.
 
 ### Compressed
 
-The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and cannot be navigated with Windows Explorer.
+The compressed migration store is a single image file that contains all files being migrated and a catalog file. This image file is often encrypted and protected with a password, and can't be navigated with Windows Explorer.
 
 ### Hard-Link
 
-A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are “wired” into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. This is because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration.
+A hard-link migration store functions as a map that defines how a collection of bits on the hard disk are "wired" into the file system. You use the new USMT hard-link migration store in the PC Refresh scenario only. You only use hard-link migration stores in Refresh scenarios because the hard-link migration store is maintained on the local computer while the old operating system is removed and the new operating system is installed. Using a hard-link migration store saves network bandwidth and minimizes the server use needed to accomplish the migration.
 
-You use a command-line option,**/hardlink** , to create a hard-link migration store, which functions the same as an uncompressed migration store. Files are not duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md).
+You use the command-line option `/hardlink` to create a hard-link migration store, which functions the same as an uncompressed migration store. Files aren't duplicated on the local computer when user state is captured, nor are they duplicated when user state is restored. For more information, see [Hard-Link Migration Store](usmt-hard-link-migration-store.md).
 
 The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
 
 ![migration store comparison.](images/dep-win8-l-usmt-migrationcomparemigstores.gif)
 
-## <a href="" id="bkmk-localvremote"></a>Local Store vs. Remote Store
+## Local store vs. remote store
 
+If you have enough space and you're migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you're using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It's also good practice to ensure that the migration is the only task the server is performing.
 
-If you have enough space and you are migrating the user state back to the same computer, storing data on a local device is normally the best option to reduce server storage costs and network performance issues. You can store the data locally either on a different partition or on a removable device such as a USB flash drive (UFD). Also, depending on the imaging technology that you are using, you might be able to store the data on the partition that is being re-imaged, if the data will be protected from deletion during the process. To increase performance, store the data on high-speed drives that use a high-speed network connection. It is also good practice to ensure that the migration is the only task the server is performing.
+If there isn't enough local disk space, or if you're moving the user state to another computer, then you must store the data remotely such as on a shared folder, on removable media, or you can store it directly on the destination computer. For example:
 
-If there is not enough local disk space, or if you are moving the user state to another computer, then you must store the data remotely. For example, you can store it in on a shared folder, on removable media such as a UFD drive, or you can store it directly on the destination computer. For example, create and share C:\\store on the destination computer. Then run the ScanState command on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store. Then, run the **LoadState** command on the destination computer and specify **C:\\Store** as the store location. By doing this, you do not need to save the files to a server.
+1. Create and share `C:\store` on the destination computer
+2. Run the `ScanState.exe` command on the source computer and save the files and settings to `\\<DestinationComputerName>\store`
+3. Run the `LoadState.exe ` command on the destination computer and specify `C:\Store` as the store location.
 
-**Important**  
-If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check.
-
- 
-
-### <a href="" id="bkmk-localonly"></a>The /localonly Command-Line Option
-
-You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify **/LocalOnly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
- 
-
- 
+By doing this process, you don't need to save the files to a server.
 
+> [!IMPORTANT]
+> If possible, have users store their data within their `%UserProfile%\My Documents` and `%UserProfile%\Application Data` folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check.
 
+### The /localonly command-line option
 
+You should use this option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify `/LocalOnly`, see [ScanState Syntax](usmt-scanstate-syntax.md).
 
+## Related articles
 
+[Plan your migration](usmt-plan-your-migration.md)
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index 00215fe853..390cc4ad37 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -2,79 +2,66 @@
 title: Offline Migration Reference (Windows 10)
 description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Offline Migration Reference
 
-Offline migration enables the ScanState tool to run inside a different Windows&reg; operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios:
+Offline migration enables the ScanState tool to run inside a different Windows operating system than the Windows operating system from which ScanState is gathering files and settings. There are two primary offline scenarios:
 
--   **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine.
+- **Windows PE.** The ScanState tool can be run from within Windows PE, gathering files and settings from the offline Windows operating system on that machine.
 
--   **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory.
+- **Windows.old.** The ScanState tool can now gather files and settings from the Windows.old directory that is created during Windows installation on a partition that contains a previous installation of Windows. For example, the ScanState tool can run in Windows 10, gathering files from a previous Windows 7or Windows 8 installation contained in the Windows.old directory.
 
-When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by:
+When you use User State Migration Tool (USMT) 10.0 to gather and restore user state, offline migration reduces the cost of deployment by:
 
--   **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively.
+- **Reducing complexity.** In computer-refresh scenarios, migrations from the Windows.old directory reduce complexity by eliminating the need for the ScanState tool to be run before the operating system is deployed. Also, migrations from the Windows.old directory enable ScanState and LoadState to be run successively.
 
--   **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. This may increase performance on older machines with limited hardware resources and numerous installed software applications.
+- **Improving performance.** When USMT runs in an offline Windows Preinstallation Environment (WinPE) environment, it has better access to the hardware resources. Running USMT in WinPE may increase performance on older machines with limited hardware resources and numerous installed software applications.
 
--   **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE.
+- **New recovery scenario.** In scenarios where a machine no longer restarts properly, it might be possible to gather user state with the ScanState tool from within WinPE.
 
-## In This topic
-
--   [What Will Migrate Offline?](#bkmk-whatwillmigrate)
-
--   [What Offline Environments are Supported?](#bkmk-offlineenvironments)
-
--   [User-Group Membership and Profile Control](#bkmk-usergroupmembership)
-
--   [Command-Line Options](#bkmk-commandlineoptions)
-
--   [Environment Variables](#bkmk-environmentvariables)
-
--   [Offline.xml Elements](#bkmk-offlinexml)
-
-## <a href="" id="bkmk-whatwillmigrate"></a>What Will Migrate Offline?
+## What will migrate offline?
 
 The following user data and settings migrate offline, similar to an online migration:
 
--   Data and registry keys specified in MigXML
+- Data and registry keys specified in MigXML
 
--   User accounts
+- User accounts
 
--   Application settings
+- Application settings
 
--   Limited set of operating-system settings
+- Limited set of operating-system settings
 
--   EFS files
+- EFS files
 
--   Internet Explorer&reg; Favorites
+- Internet Explorer Favorites
 
 For exceptions to what you can migrate offline, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
 
-## <a href="" id="bkmk-offlineenvironments"></a>What Offline Environments are Supported?
+## What offline environments are supported?
 
 The following table defines the supported combination of online and offline operating systems in USMT.
 
 |Running Operating System|Offline Operating System|
 |--- |--- |
-|WinPE 5.0 or greater, with the MSXML library|Windows Vista, Windows 7, Windows 8, Windows 10|
-|Windows 7, Windows 8, Windows 10|Windows.old directory|
+|WinPE 5.0 or greater, with the MSXML library|Windows 7, Windows 8, Windows 10|
+|Windows 7, Windows 8, Windows 10|Windows.old directory|
 
-**Note**  
-It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](/previous-versions/windows/it-pro/windows-7/ee424315(v=ws.10)).
+> [!NOTE]
+> It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](/previous-versions/windows/it-pro/windows-7/ee424315(v=ws.10)).
 
-## <a href="" id="bkmk-usergroupmembership"></a>User-Group Membership and Profile Control
+## User-group membership and profile control
 
-User-group membership is not preserved during offline migrations. You must configure a **&lt;ProfileControl&gt;** section in the Config.xml file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
+User-group membership isn't preserved during offline migrations. You must configure a **&lt;ProfileControl&gt;** section in the `Config.xml` file to specify the groups that the migrated users should be made members of. The following example places all migrated users into the Users group:
 
-``` xml
+```xml
 <Configuration>
 <ProfileControl>
     <localGroups>
@@ -90,72 +77,76 @@ User-group membership is not preserved during offline migrations. You must confi
 </Configuration>
 ```
 
-For information about the format of a Config.xml file, see [Config.xml File](usmt-configxml-file.md).
+For information about the format of a `Config.xml` file, see [Config.xml File](usmt-configxml-file.md).
 
-## <a href="" id="bkmk-commandlineoptions"></a>Command-Line Options
+## Command-line options
 
 An offline migration can either be enabled by using a configuration file on the command line, or by using one of the following command line options:
 
 |Component|Option|Description|
 |--- |--- |--- |
-|ScanState.exe|**/offline:***&lt;path to offline.xml&gt;*|This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file.|
-|ScanState.exe|**/offlineWinDir:***&lt;Windows directory&gt;*|This command-line option enables the offline-migration mode and starts the migration from the location specified. It is only for use in WinPE offline scenarios where the migration is occurring from a Windows directory.|
-|ScanState.exe|**/OfflineWinOld:***&lt;Windows.old directory&gt;*|This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.|
+|*ScanState.exe*|**/offline:***&lt;path to Offline.xml&gt;*|This command-line option enables the offline-migration mode and requires a path to an Offline.xml configuration file.|
+|*ScanState.exe*|**/offlineWinDir:***&lt;Windows directory&gt;*|This command-line option enables the offline-migration mode and starts the migration from the location specified. It's only for use in WinPE offline scenarios where the migration is occurring from a Windows directory.|
+|*ScanState.exe*|**/OfflineWinOld:***&lt;Windows.old directory&gt;*|This command-line option enables the offline migration mode and starts the migration from the location specified. It's only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.|
 
-You can use only one of the **/offline**, **/offlineWinDir**, or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together.
+You can use only one of the `/offline`, `/offlineWinDir`, or `/OfflineWinOld` command-line options at a time. USMT doesn't support using more than one together.
 
-## <a href="" id="bkmk-environmentvariables"></a>Environment Variables
+## Environment variables
 
 The following system environment variables are necessary in the scenarios outlined below.
 
 |Variable|Value|Scenario|
 |--- |--- |--- |
-|USMT_WORKING_DIR|Full path to a working directory|Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following: <br/><pre class="syntax"><code>Set USMT_WORKING_DIR=[path to working directory]</code></pre>|
-|MIG_OFFLINE_PLATFORM_ARCH|32 or 64|While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following: <br/><pre class="syntax"><code>Set MIG_OFFLINE_PLATFORM_ARCH=32</code></pre>|
+|*USMT_WORKING_DIR*|Full path to a working directory|Required when USMT binaries are located on read-only media, which doesn't support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following command: <br/><pre class="syntax"><code>Set USMT_WORKING_DIR=[path to working directory]</code></pre>|
+*|MIG_OFFLINE_PLATFORM_ARCH*|32 or 64|While operating offline, this environment variable defines the architecture of the offline system, if the system doesn't match the WinPE and `ScanState.exe` architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. Specifying the architecture is required when auto-detection of the offline architecture doesn't function properly. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following command: <br/><pre class="syntax"><code>Set MIG_OFFLINE_PLATFORM_ARCH=32</code></pre>|
 
-## <a href="" id="bkmk-offlinexml"></a>Offline.xml Elements
+## Offline.xml elements
 
-Use an offline.xml file when running the ScanState tool on a computer that has multiple Windows directories. The offline.xml file specifies which directories to scan for windows files. An offline.xml file can be used with the /offline option as an alternative to specifying a single Windows directory path with the /offlineDir option.
+Use an `Offline.xml` file when running the ScanState tool on a computer that has multiple Windows directories. The `Offline.xml` file specifies which directories to scan for windows files. An `Offline.xml` file can be used with the `/offline` option as an alternative to specifying a single Windows directory path with the `/offlineDir` option.
 
-### <a href="" id="-offline-"></a>&lt;offline&gt;
+### &lt;offline&gt;
 
 This element contains other elements that define how an offline migration is to be performed.
 
-Syntax: &lt;offline&gt; &lt;/offline&gt;
+Syntax: `<offline>` `</offline>`
 
-### <a href="" id="-windir-"></a>&lt;winDir&gt;
+### &lt;winDir&gt;
 
 This element is a required child of **&lt;offline&gt;** and contains information about how the offline volume can be selected. The migration will be performed from the first element of **&lt;winDir&gt;** that contains a valid Windows system volume.
 
-Syntax: &lt; winDir &gt; &lt;/ winDir &gt;
+Syntax: `<winDir>` `</winDir>`
 
-### <a href="" id="-path-"></a>&lt;path&gt;
+### &lt;path&gt;
 
 This element is a required child of **&lt;winDir&gt;** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool's working directory.
 
-Syntax: &lt;path&gt; c:\\windows &lt;/path&gt;
+Syntax: `<path> C:\Windows </path>`
 
 -or-
 
-Syntax, when used with the **&lt;mappings&gt;** element: &lt;path&gt; C:\\, D:\\ &lt;/path&gt;
+Syntax, when used with the **&lt;mappings&gt;** element: `<path> C:\, D:\ </path>`
 
-### <a href="" id="-mappings-"></a>&lt;mappings&gt;
+### &lt;mappings&gt;
 
 This element is an optional child of **&lt;offline&gt;**. When specified, the **&lt;mappings&gt;** element will override the automatically detected WinPE drive mappings. Each child **&lt;path&gt;** element will provide a mapping from one system volume to another. Additionally, mappings between folders can be provided, since an entire volume can be mounted to a specific folder.
 
-Syntax: &lt;mappings&gt; &lt;/mappings&gt;
+Syntax: `<mappings>` `</mappings>`
 
-### <a href="" id="-failonmultiplewindir-"></a>&lt;failOnMultipleWinDir&gt;
+### &lt;failOnMultipleWinDir&gt;
 
-This element is an optional child of **&lt;offline&gt;**. The **&lt;failOnMultipleWinDir&gt;** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **&lt;failOnMultipleWinDir&gt;** element isn't present, the default behavior is that the migration does not fail.
+This element is an optional child of **&lt;offline&gt;**. The **&lt;failOnMultipleWinDir&gt;** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **&lt;failOnMultipleWinDir&gt;** element isn't present, the default behavior is that the migration doesn't fail.
 
-Syntax: &lt;failOnMultipleWinDir&gt;1&lt;/failOnMultipleWinDir&gt; or Syntax: &lt;failOnMultipleWinDir&gt;0&lt;/failOnMultipleWinDir&gt;
+Syntax: `<failOnMultipleWinDir>1</failOnMultipleWinDir>`
+
+-or-
+
+Syntax: `<failOnMultipleWinDir>0</failOnMultipleWinDir>`
 
 ### Offline .xml Example
 
-The following XML example illustrates some of the elements discussed earlier in this topic.
+The following XML example illustrates some of the elements discussed earlier in this article.
 
-``` xml
+```xml
 <offline>
      <winDir>
           <path>C:\Windows</path> 
@@ -166,6 +157,6 @@ The following XML example illustrates some of the elements discussed earlier in
 </offline>
 ```
 
-## Related topics
+## Related articles
 
-[Plan Your Migration](usmt-plan-your-migration.md)
+[Plan your migration](usmt-plan-your-migration.md)
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 01aac53236..64fe549a96 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -2,241 +2,228 @@
 title: Understanding Migration XML Files (Windows 10)
 description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/23/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Understanding Migration XML Files
+# Understanding migration XML files
 
-You can modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files; these files provide instructions on where and how the USMT tools should gather and apply files and settings. USMT includes three XML files that you can use to customize a basic migration: the MigDocs.xml and MigUser.xml files, which modify how files are discovered on the source computer, and the MigApps.xml file, which is required in order to migrate supported application settings. You can also create and edit custom XML files and a Config.xml file to further customize your migration.
+You can modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files; these files provide instructions on where and how the USMT tools should gather and apply files and settings. USMT includes three XML files that you can use to customize a basic migration: the `MigDocs.xml` and `MigUser.xml` files, which modify how files are discovered on the source computer, and the MigApps.xml file, which is required in order to migrate supported application settings. You can also create and edit custom XML files and a `Config.xml` file to further customize your migration.
 
-This topic provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. The MigDocs.xml file uses the new **GenerateDocPatterns** function available in USMT to automatically find user documents on a source computer.
+This article provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the `MigDocs.xml` file. The `MigDocs.xml` file uses the new `GenerateDocPatterns` function available in USMT to automatically find user documents on a source computer.
 
-## In This topic
+## Overview of the Config.xml file
 
-[Overview of the Config.xml file](#bkmk-config)
+The `Config.xml` file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The `Config.xml` file can be used with other XML files, such as in the following example:
 
-[Overview of the MigApp.xml file](#bkmk-migapp)
+`ScanState.exe /i:migapps.xml /i:MigDocs.xml /genconfig:c:\myFolder\Config.xml`
 
-[Overview of the MigDocs.xml file](#bkmk-migdocs)
-
-[Overview of the MigUser.xml file](#bkmk-miguser)
-
-[Using multiple XML files](#bkmk-multiple)
-
-[XML rules for migrating user files](#bkmk-userfiles)
-
-[The GenerateDocPatterns function](#bkmk-generate)
-
-[Understanding the system and user context](#bkmk-context)
-
-[Sample migration rules for customized versions of XML files](#bkmk-samples)
-
-[Exclude rules usage examples](#bkmk-exclude)
-
-[Include rules usage examples](#bkmk-include)
-
-[Next Steps](#bkmk-next)
-
-## <a href="" id="bkmk-config"></a>Overview of the Config.xml file
-
-The Config.xml file is the configuration file created by the `/genconfig` option of the ScanState tool; it can be used to modify which operating-system components are migrated by USMT. The Config.xml file can be used with other XML files, such as in the following example: `scanstate /i:migapps.xml /i:migdocs.xml /genconfig:c:\myFolder\config.xml`. When used this way, the Config.xml file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. For more information about the Config.xml file, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).
+When used this way, the `Config.xml` file tightly controls aspects of the migration, including user profiles, data, and settings, without modifying or creating other XML files. For more information about the `Config.xml` file, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).
 
 > [!NOTE]
-> When modifying the XML elements in the Config.xml file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files.
+> When modifying the XML elements in the `Config.xml` file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files.
 
-## <a href="" id="bkmk-migapp"></a>Overview of the MigApp.xml file
+## Overview of the MigApp.xml file
 
-The MigApp.xml file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md). You must include the MigApp.xml file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The MigDocs.xml and MigUser.xml files do not migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md).
+The `MigApp.xml` file installed with USMT includes instructions to migrate the settings for the applications listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md). You must include the `MigApp.xml` file when using the ScanState and LoadState tools, by using the `/i` option in order to migrate application settings. The `MigDocs.xml` and `MigUser.xml` files don't migrate application settings. You can create a custom XML file to include additional applications. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md).
 
-> [!Important]
-> The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. For more information about migrating .pst files that are not linked to Outlook, see the [Sample migration rules for customized versions of XML files](#bkmk-samples).
+> [!IMPORTANT]
+> The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. For more information about migrating .pst files that are not linked to Outlook, see [Sample migration rules for customized versions of XML files](#sample-migration-rules-for-customized-versions-of-xml-files).
 
-## <a href="" id="bkmk-migdocs"></a>Overview of the MigDocs.xml file
+## Overview of the MigDocs.xml file
 
-The MigDocs.xml file uses the new **GenerateDocPatterns** helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the MigDocs.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions.
+The `MigDocs.xml` file uses the new `GenerateDocPatterns` helper function to create instructions for USMT to migrate files from the source computer, based on the location of the files. You can use the `MigDocs.xml` file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions.
 
-The default MigDocs.xml file migrates the following:
+The default `MigDocs.xml` file migrates the following data:
 
--   All files on the root of the drive except %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA%, or %USERS%.
+- All files on the root of the drive except `%WINDIR%`, `%PROGRAMFILES%`, `%PROGRAMDATA%`, or `%USERS%`.
 
--   All folders in the root directory of all fixed drives. For example: c:\\data\_mail\\\*\[\*\]
+- All folders in the root directory of all fixed drives. For example: `c:\data_mail\*[*]`
 
--   All files from the root of the Profiles folder, except for files in the system profile. For example: c:\\users\\name\[mail.pst\]
+- All files from the root of the Profiles folder, except for files in the system profile. For example: `c:\users\name[mail.pst]`
 
--   All folders from the root of the Profiles folder, except for the system-profile folders. For example: c:\\users\\name\\new folder\\\*\[\*\]
+- All folders from the root of the Profiles folder, except for the system-profile folders. For example: `c:\users\name\new folder\*[*]`
 
--   Standard shared folders:
+- Standard shared folders:
 
-    -   CSIDL\_COMMON\_DESKTOPDIRECTORY
+  - CSIDL_COMMON_DESKTOPDIRECTORY
 
-    -   CSIDL\_COMMON\_FAVORITES
+  - CSIDL_COMMON_FAVORITES
 
-    -   CSIDL\_COMMON\_DOCUMENTS
+  - CSIDL_COMMON_DOCUMENTS
 
-    -   CSIDL\_COMMON\_MUSIC
+  - CSIDL_COMMON_MUSIC
 
-    -   CSIDL\_COMMON\_PICTURES
+  - CSIDL_COMMON_PICTURES
 
-    -   CSIDL\_COMMON\_VIDEO
+  - CSIDL_COMMON_VIDEO
 
-    -   FOLDERID\_PublicDownloads
+  - FOLDERID_PublicDownloads
 
--   Standard user-profile folders for each user:
+- Standard user-profile folders for each user:
 
-    -   CSIDL\_MYDOCUMENTS
+  - CSIDL_MYDOCUMENTS
 
-    -   CSIDL\_MYPICTURES
+  - CSIDL_MYPICTURES
 
-    -   FOLDERID\_OriginalImages
+  - FOLDERID_OriginalImages
 
-    -   CSIDL\_MYMUSIC
+  - CSIDL_MYMUSIC
 
-    -   CSIDL\_MYVIDEO
+  - CSIDL_MYVIDEO
 
-    -   CSIDL\_FAVORITES
+  - CSIDL_FAVORITES
 
-    -   CSIDL\_DESKTOP
+  - CSIDL_DESKTOP
 
-    -   CSIDL\_QUICKLAUNCH
+  - CSIDL_QUICKLAUNCH
 
-    -   FOLDERID\_Contacts
+  - FOLDERID_Contacts
 
-    -   FOLDERID\_Libraries
+  - FOLDERID_Libraries
 
-    -   FOLDERID\_Downloads
+  - FOLDERID_Downloads
 
-    -   FOLDERID\_SavedGames
+  - FOLDERID_SavedGames
 
-    -   FOLDERID\_RecordedTV
+  - FOLDERID_RecordedTV
 
-The default MigDocs.xml file will not migrate the following:
+The default `MigDocs.xml` file won't migrate the following data:
 
--   Files tagged with both the **hidden** and **system** attributes.
+- Files tagged with both the **hidden** and **system** attributes.
 
--   Files and folders on removable drives.
+- Files and folders on removable drives.
 
--   Data from the %WINDIR%, %PROGRAMDATA%, and %PROGRAMFILES% folders.
+- Data from the %WINDIR%, %PROGRAMDATA%, and %PROGRAMFILES% folders.
 
--   Folders that contain installed applications.
+- Folders that contain installed applications.
 
-You can also use the **/genmigxml** option with the ScanState tool to review and modify what files will be migrated.
+You can also use the `/genmigxml` option with the ScanState tool to review and modify what files will be migrated.
 
-## <a href="" id="bkmk-miguser"></a>Overview of the MigUser.xml file
+## Overview of the MigUser.xml file
 
-The MigUser.xml file includes instructions for USMT to migrate user files based on file name extensions. You can use the MigUser.xml file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The MigUser.xml file will gather all files from the standard user-profile folders, and any files on the computer with the specified file name extensions.
+The `MigUser.xml` file includes instructions for USMT to migrate user files based on file name extensions. You can use the `MigUser.xml` file with the ScanState and LoadState tools to perform a more targeted migration than using USMT without XML instructions. The `MigUser.xml` file will gather all files from the standard user-profile folders, and any files on the computer with the specified file name extensions.
 
-The default MigUser.xml file migrates the following:
+The default `MigUser.xml` file migrates the following data:
 
--   All files from the standard user-profile folders, which are described as:
+- All files from the standard user-profile folders, which are described as:
 
-    -   CSIDL\_MYVIDEO
+  - CSIDL_MYVIDEO
 
-    -   CSIDL\_MYMUSIC
+  - CSIDL_MYMUSIC
 
-    -   CSIDL\_DESKTOP
+  - CSIDL_DESKTOP
 
-    -   CSIDL\_STARTMENU
+  - CSIDL_STARTMENU
 
-    -   CSIDL\_PERSONAL
+  - CSIDL_PERSONAL
 
-    -   CSIDL\_MYPICTURES
+  - CSIDL_MYPICTURES
 
-    -   CSIDL\_FAVORITES
+  - CSIDL_FAVORITES
 
-    -   CSIDL\_QUICK LAUNCH
+  - CSIDL_QUICK LAUNCH
 
--   Files with the following extensions:
+- Files with the following extensions:
 
-    `.qdf`, `.qsd`, `.qel`, `.qph`, `.doc\*`, `.dot\*`, `.rtf`, `.mcw`, `.wps`, `.scd`, `.wri`, `.wpd`, `.xl\*`, `.csv`, `.iqy`, `.dqy`, `.oqy`, `.rqy`, `.wk\*`, `.wq1`, `.slk`, `.dif`, `.ppt\*`, `.pps\*`, `.pot\*`, `.sh3`, `.ch3`, `.pre`, `.ppa`, `.txt`, `.pst`, `.one\*`, `.vl\*`, `.vsd`, `.mpp`, `.or6`, `.accdb`, `.mdb`, `.pub`
+   `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
 
-The default MigUser.xml file does not migrate the following:
+  > [!NOTE]
+  > The asterisk (`*`) stands for zero or more characters.
 
--   Files tagged with both the **hidden** and **system** attributes.
+  > [!NOTE]
+  > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
 
--   Files and folders on removable drives,
+The default `MigUser.xml` file doesn't migrate the following data:
 
--   Data from the %WINDIR%, %PROGRAMFILES%, %PROGRAMDATA% folders.
+- Files tagged with both the **Hidden** and **System** attributes.
 
--   ACLS for files in folders outside the user profile.
+- Files and folders on removable drives,
 
-You can make a copy of the MigUser.xml file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the MigUser.xml file to move all of your relevant data, regardless of the location of the files. However, this provision may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer.
+- Data from the `%WINDIR%`, `%PROGRAMFILES%`, `%PROGRAMDATA%` folders.
+
+- ACLS for files in folders outside the user profile.
+
+You can make a copy of the `MigUser.xml` file and modify it to include or exclude standard user-profile folders and file name extensions. If you know all of the extensions for the files you want to migrate from the source computer, use the `MigUser.xml` file to move all of your relevant data, regardless of the location of the files. However, this provision may result in a migration that contains more files than intended. For example, if you choose to migrate all .jpg files, you may migrate image files such as thumbnails and logos from legacy applications that are installed on the source computer.
 
 > [!NOTE]
-> Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than 300 file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document.
+> Each file name extension you include in the rules within the `MigUser.xml` file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than 300 file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#using-multiple-xml-files) section of this article.
 
-## <a href="" id="bkmk-multiple"></a>Using multiple XML files
+## Using multiple XML files
 
 You can use multiple XML files with the ScanState and LoadState tools. Each of the default XML files included with or generated by USMT is configured for a specific component of the migration. You can also use custom XML files to supplement these default files with more migration rules.
 
 |XML migration file|Modifies the following components:|
 |--- |--- |
-|Config.xml file|Operating-system components such as desktop wallpaper and background theme. <br/>You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).|
-|MigApps.xml file|Applications settings.|
-|MigUser.xml or MigDocs.xml files|User files and profile settings.|
-|Custom XML files|Application settings, user profile settings, or user files, beyond the rules contained in the other XML files.|
+|*Config.xml file*|Operating-system components such as desktop wallpaper and background theme.<br/> You can also overload `Config.xml` to include some application and document settings by generating the `Config.xml` file with the other default XML files. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).|
+|*MigApps.xml file*|Applications settings.|
+|*MigUser.xml* or *MigDocs.xml* files|User files and profile settings.|
+|*Custom XML files*|Application settings, user profile settings, or user files, beyond the rules contained in the other XML files.|
 
 For example, you can use all of the XML migration file types for a single migration, as in the following example:
 
-```console
-Scanstate <store> /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml /i:customrules.xml
+```cmd
+ScanState.exe <store> /config:c:\myFolder\Config.xml /i:migapps.xml /i:MigDocs.xml /i:CustomRules.xml
 ```
 
-### <a href="" id="bkmk-userfiles"></a>XML rules for migrating user files
+### XML rules for migrating user files
 
 > [!IMPORTANT]
-> You should not use the MigUser.xml and MigDocs.xml files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer.
+> You should not use the `MigUser.xml` and `MigDocs.xml` files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer.
 
-If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location. The MigUser.xml file migrates only the files with the specified file name extensions.
+If your data set is unknown or if many files are stored outside of the standard user-profile folders, the `MigDocs.xml` is a better choice than the `MigUser.xml` file, because the `MigDocs.xml` file will gather a broader scope of data. The `MigDocs.xml` file migrates folders of data based on location. The `MigUser.xml` file migrates only the files with the specified file name extensions.
 
-If you want more control over the migration, you can create custom XML files. See the [Creating and editing a custom ,xml file](#bkmk-createxml) section of this document.
+If you want more control over the migration, you can create custom XML files. See [Creating and editing a custom XML file](#creating-and-editing-a-custom-xml-file) for more information.
 
-## <a href="" id="bkmk-createxml"></a>Creating and editing a custom XML file
+## Creating and editing a custom XML file
 
-You can use the **/genmigxml** command-line option to determine which files will be included in your migration. The **/genmigxml** option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary.
+You can use the `/genmigxml` command-line option to determine which files will be included in your migration. The `/genmigxml` option creates a file in a location you specify, so that you can review the XML rules and make modifications as necessary.
 
 > [!NOTE]
 > If you reinstall USMT, the default migration XML files will be overwritten and any customizations you make directly to these files will be lost. Consider creating separate XML files for your custom migration rules and saving them in a secure location.
 
 To generate the XML migration rules file for a source computer:
 
-1.  Click **Start**, click **All Programs**, click **Accessories**, right-click **Command Prompt**, and then click **Run as**.
+1. Select **Start** > **All Programs** > **Accessories**
 
-2.  Select an account with administrator privileges, supply a password, and then click **OK**.
+2. Right-click **Command Prompt**, and then select **Run as**.
 
-3.  At the command prompt, type:
+3. Select an account with administrator privileges, supply a password, and then select **OK**.
 
-    ```console
+4. At the command prompt, enter:
+
+    ```cmd
     cd /d <USMTpath>
-    scanstate.exe /genmigxml: <filepath.xml>
+    ScanState.exe /genmigxml: <filepath.xml>
     ```
 
-    Where *&lt;USMTpath&gt;* is the location on your source computer where you have saved the USMT files and tools, and *&lt;filepath.xml&gt;* is the full path to a file where you can save the report. For example, type:
+    Where *&lt;USMTpath&gt;* is the location on your source computer where you've saved the USMT files and tools, and *&lt;filepath.xml&gt;* is the full path to a file where you can save the report. For example, enter:
 
-    ```console
+    ```cmd
     cd /d c:\USMT
-    scanstate.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
+    ScanState.exe /genmigxml:"C:\Documents and Settings\USMT Tester\Desktop\genMig.xml"
     ```
 
-### <a href="" id="bkmk-generate"></a>The GenerateDocPatterns function
+### The GenerateDocPatterns function
 
-The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes three Boolean values. You can change the settings to modify the way the MigDocs.xml file generates the XML rules for migration.
+The `MigDocs.xml` file calls the `GenerateDocPatterns` function, which takes three Boolean values. You can change the settings to modify the way the `MigDocs.xml` file generates the XML rules for migration.
 
-- `ScanProgramFiles`: This argument is valid only when the **GenerateDocPatterns** function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications.
+- `ScanProgramFiles`: This argument is valid only when the `GenerateDocPatterns` function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications.
 
   **Default value**: False
 
-  For example, when set to **TRUE**, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The **GenerateDocPatterns** function generates this inclusion pattern for `.doc` files:
+  For example, when set to **TRUE**, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The `GenerateDocPatterns` function generates this inclusion pattern for `.doc` files:
 
   `<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>`
 
   If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions.
 
-- `IncludePatterns`: This argument determines whether to generate exclude or include patterns in the XML. When this argument is set to **TRUE**, the **GenerateDocPatterns** function generates include patterns and the function must be added under the `<include>` element. Changing this argument to **FALSE** generates exclude patterns and the function must be added under the `<exclude>` element.
+- `IncludePatterns`: This argument determines whether to generate exclude or include patterns in the XML. When this argument is set to **TRUE**, the `GenerateDocPatterns` function generates include patterns, and the function must be added under the `<include>` element. Changing this argument to **FALSE** generates exclude patterns and the function must be added under the `<exclude>` element.
 
   **Default value**: True
 
@@ -246,13 +233,13 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr
 
 **Usage:**
 
-```console
+```cmd
 MigXmlHelper.GenerateDocPatterns ("<ScanProgramFiles>", "<IncludePatterns>", "<SystemDrive>")
 ```
 
 To create include data patterns for only the system drive:
 
-``` xml
+```xml
 <include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
      <objectSet>
         <script>MigXmlHelper.GenerateDocPatterns ("FALSE","TRUE","TRUE")</script>
@@ -262,7 +249,7 @@ To create include data patterns for only the system drive:
 
 To create an include rule to gather files for registered extensions from the %PROGRAMFILES% directory:
 
-``` xml
+```xml
 <include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
      <objectSet>
         <script>MigXmlHelper.GenerateDocPatterns ("TRUE","TRUE","FALSE")</script>
@@ -272,7 +259,7 @@ To create an include rule to gather files for registered extensions from the %PR
 
 To create exclude data patterns:
 
-``` xml
+```xml
 <exclude filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
      <objectSet>
         <script>MigXmlHelper.GenerateDocPatterns ("FALSE","FALSE","FALSE")</script>
@@ -280,82 +267,82 @@ To create exclude data patterns:
 </exclude>
 ```
 
-### <a href="" id="bkmk-context"></a>Understanding the system and user context
+### Understanding the system and user context
 
-The migration XML files contain two &lt;component&gt; elements with different **context** settings. The system context applies to files on the computer that are not stored in the User Profiles directory, while the user context applies to files that are particular to an individual user.
+The migration XML files contain two &lt;component&gt; elements with different **context** settings. The system context applies to files on the computer that aren't stored in the User Profiles directory, while the user context applies to files that are particular to an individual user.
 
-**System context**
+#### System context
 
-The system context includes rules for data outside of the User Profiles directory. For example, when called in a system context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all common shell folders, files in the root directory of hard drives, and folders located at the root of hard drives. The following folders are included:
+The system context includes rules for data outside of the User Profiles directory. For example, when called in a system context in the `MigDocs.xml` file, the `GenerateDocPatterns` function creates patterns for all common shell folders, files in the root directory of hard drives, and folders located at the root of hard drives. The following folders are included:
 
--   CSIDL\_COMMON\_DESKTOPDIRECTORY
+- CSIDL_COMMON_DESKTOPDIRECTORY
 
--   CSIDL\_COMMON\_FAVORITES
+- CSIDL_COMMON_FAVORITES
 
--   CSIDL\_COMMON\_DOCUMENTS
+- CSIDL_COMMON_DOCUMENTS
 
--   CSIDL\_COMMON\_MUSIC
+- CSIDL_COMMON_MUSIC
 
--   CSIDL\_COMMON\_PICTURES
+- CSIDL_COMMON_PICTURES
 
--   CSIDL\_COMMON\_VIDEO
+- CSIDL_COMMON_VIDEO
 
--   FOLDERID\_PublicDownloads
+- FOLDERID_PublicDownloads
 
-**User context**
+#### User context
 
-The user context includes rules for data in the User Profiles directory. When called in a user context in the MigDocs.xml file, the **GenerateDocPatterns** function creates patterns for all user shell folders, files located at the root of the profile, and folders located at the root of the profile. The following folders are included:
+The user context includes rules for data in the User Profiles directory. When called in a user context in the `MigDocs.xml` file, the `GenerateDocPatterns` function creates patterns for all user shell folders, files located at the root of the profile, and folders located at the root of the profile. The following folders are included:
 
--   CSIDL\_MYDOCUMENTS
+- CSIDL_MYDOCUMENTS
 
--   CSIDL\_MYPICTURES
+- CSIDL_MYPICTURES
 
--   FOLDERID\_OriginalImages
+- FOLDERID_OriginalImages
 
--   CSIDL\_MYMUSIC
+- CSIDL_MYMUSIC
 
--   CSIDL\_MYVIDEO
+- CSIDL_MYVIDEO
 
--   CSIDL\_FAVORITES
+- CSIDL_FAVORITES
 
--   CSIDL\_DESKTOP
+- CSIDL_DESKTOP
 
--   CSIDL\_QUICKLAUNCH
+- CSIDL_QUICKLAUNCH
 
--   FOLDERID\_Contacts
+- FOLDERID_Contacts
 
--   FOLDERID\_Libraries
+- FOLDERID_Libraries
 
--   FOLDERID\_Downloads
+- FOLDERID_Downloads
 
--   FOLDERID\_SavedGames
+- FOLDERID_SavedGames
 
--   FOLDERID\_RecordedTV
+- FOLDERID_RecordedTV
 
 > [!NOTE]
-> Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the MigDocs.xml files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable.
+> Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the `MigDocs.xml` files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable.
 
- ### <a href="" id="bkmk-samples"></a>Sample migration rules for customized versions of XML files
+### Sample migration rules for customized versions of XML files
 
 > [!NOTE]
 > For best practices and requirements for customized XML files in USMT, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [General Conventions](usmt-general-conventions.md).
 
-### <a href="" id="bkmk-exclude"></a>Exclude rules usage examples
+### Exclude rules usage examples
 
-In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default MigDocs.xml behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are:
+In the examples below, the source computer has a .txt file called "new text document" in a directory called "new folder". The default `MigDocs.xml` behavior migrates the new text document.txt file and all files contained in the "new folder" directory. The rules generated by the function are:
 
 | Rule | Syntax |
 |--- |--- |
 |Rule 1|`<pattern type="File">d:\new folder[new text document.txt]</pattern>`|
 |Rule 2|`<pattern type="File">d:\new folder[]</pattern>`|
 
-To exclude the new text document.txt file and any .txt files in "new folder", you can do the following:
+To exclude the new text document.txt file and any .txt files in "new folder", you can do the following modification:
 
-**Example 1: Exclude all .txt files in a folder**
+#### Example 1: Exclude all .txt files in a folder
 
 To exclude Rule 1, there needs to be an exact match of the file name. However, for Rule 2, you can create a pattern to exclude files by using the file name extension.
 
-``` xml
+```xml
 <exclude>
      <objectSet>
         <pattern type="File">D:\Newfolder\[new text document.txt]</pattern>
@@ -364,11 +351,11 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f
 </exclude>
 ```
 
-**Example 2: Use the UnconditionalExclude element to give a rule precedence over include rules**
+#### Example 2: Use the UnconditionalExclude element to give a rule precedence over include rules
 
-If you do not know the file name or location of the file, but you do know the file name extension, you can use the **GenerateDrivePatterns** function. However, the rule will be less specific than the default include rule generated by the MigDocs.xml file, so it will not have precedence. You must use the &lt;UnconditionalExclude&gt; element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+If you don't know the file name or location of the file, but you do know the file name extension, you can use the `GenerateDrivePatterns` function. However, the rule will be less specific than the default include rule generated by the `MigDocs.xml` file, so it will not have precedence. You must use the &lt;UnconditionalExclude&gt; element to give this rule precedence over the default include rule. For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
 
-``` xml
+```xml
 <unconditionalExclude>
      <objectSet>
         <script>MigXmlHelper.GenerateDrivePatterns ("*[*.txt]", "Fixed")</script>
@@ -376,11 +363,11 @@ If you do not know the file name or location of the file, but you do know the fi
 </unconditionalExclude>
 ```
 
-**Example 3 : Use a UserandSystem context component to run rules in both contexts**
+#### Example 3: Use a UserandSystem context component to run rules in both contexts
 
-If you want the &lt;UnconditionalExclude&gt; element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts.
+If you want the **&lt;UnconditionalExclude&gt;** element to apply to both the system and user context, you can create a third component using the **UserandSystem** context. Rules in this component will be run in both contexts.
 
-``` xml
+```xml
 <component type="Documents" context="UserandSystem">
    <displayName>MigDocExcludes</displayName>
    <role role="Data">
@@ -397,15 +384,15 @@ If you want the &lt;UnconditionalExclude&gt; element to apply to both the system
 
 For more examples of exclude rules that you can use in custom migration XML files, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
 
-### <a href="" id="bkmk-include"></a>Include rules usage examples
+### Include rules usage examples
 
-The application data directory is the most common location that you would need to add an include rule for. The **GenerateDocPatterns** function excludes this location by default. If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The Migapp.xml file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that are not linked, you can do the following:
+The application data directory is the most common location that you would need to add an include rule for. The `GenerateDocPatterns` function excludes this location by default. If your company uses an application that saves important data to this location, you can create include rules to migrate the data. For example, the default location for .pst files is: `%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook`. The `MigApp.xml` file contains migration rules to move only those .pst files that are linked to Microsoft Outlook. To include .pst files that aren't linked, you can do the following modification:
 
-**Example 1: Include a file name extension in a known user folder**
+#### Example 1: Include a file name extension in a known user folder
 
-This rule will include .pst files that are located in the default location, but are not linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer.
+This rule will include .pst files that are located in the default location, but aren't linked to Microsoft Outlook. Use the user context to run this rule for each user on the computer.
 
-``` xml
+```xml
 <include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
      <objectSet>
         <pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst]</pattern>
@@ -413,11 +400,11 @@ This rule will include .pst files that are located in the default location, but
 </include>
 ```
 
-**Example 2: Include a file name extension in Program Files**
+#### Example 2: Include a file name extension in Program Files
 
 For locations outside the user profile, such as the Program Files folder, you can add the rule to the system context component.
 
-``` xml
+```xml
 <include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
      <objectSet>
         <pattern type="File">%CSIDL_PROGRAM_FILES%\*[*.pst]</pattern>
@@ -430,14 +417,14 @@ For more examples of include rules that you can use in custom migration XML file
 > [!NOTE]
 > For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
 
-## <a href="" id="bkmk-next"></a>Next steps
+## Next steps
 
-You can include additional rules for the migration in the MigDocs.xml file or other XML migration files. For example, you can use the `<locationModify>` element to move files from the folder where they were gathered to a different folder, when they are applied to the destination computer.
+You can include additional rules for the migration in the `MigDocs.xml` file or other XML migration files. For example, you can use the `<locationModify>` element to move files from the folder where they were gathered to a different folder, when they're applied to the destination computer.
 
 You can use an XML schema (MigXML.xsd) file to validate the syntax of your customized XML files. For more information, see [USMT Resources](usmt-resources.md).
 
-## Related topics
+## Related articles
 
-[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
+[Exclude files and settings](usmt-exclude-files-and-settings.md)
 
-[Include Files and Settings](usmt-include-files-and-settings.md)
+[Include files and settings](usmt-include-files-and-settings.md)
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index ec06b1b5ab..cebdc6bf49 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -1,117 +1,112 @@
 ---
 title: USMT Best Practices (Windows 10)
-description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
+description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
 ms.custom: seo-marvel-apr2020
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# USMT Best Practices
+# USMT best practices
 
+This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
 
-This topic discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
+## General best practices
 
-## General Best Practices
+- **Install applications before running the LoadState tool**
 
+    Though it isn't always essential, it's best practice to install all applications on the destination computer before restoring the user state. Installing applications before restoring user state helps ensure that migrated settings are preserved.
 
--   **Install applications before running the LoadState tool**
+- **Don't use MigUser.xml and MigDocs.xml together**
 
-    Though it is not always essential, it is best practice to install all applications on the destination computer before restoring the user state. This helps ensure that migrated settings are preserved.
+    If you use both .xml files, some migrated files may be duplicated if conflicting instructions are given about target locations. You can use the `/genmigxml` command-line option to determine which files will be included in your migration, and to determine if any modifications are necessary. For more information, see [Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md).
 
--   **Do not use MigUser.xml and MigDocs.xml together**
+- **Use MigDocs.xml for a better migration experience**
 
-    If you use both .xml files, some migrated files may be duplicated if conflicting instructions are given about target locations. You can use the **/genmigxml** command-line option to determine which files will be included in your migration, and to determine if any modifications are necessary. For more information, see [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md).
+    If your data set is unknown or if many files are stored outside of the standard user-profile folders, the `MigDocs.xml` file is a better choice than the `MigUser.xml` file, because the `MigDocs.xml` file will gather a broader scope of data. The `MigDocs.xml` file migrates folders of data based on location, and on registered file type by querying the registry for registered application extensions. The `MigUser.xml` file migrates only the files with the specified file extensions.
 
--   **Use MigDocs.xml for a better migration experience**
+- **Close all applications before running either the ScanState or LoadState tools**
 
-    If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml file is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location, and on registered file type by querying the registry for registered application extensions. The MigUser.xml file migrates only the files with the specified file extensions.
+    Although using the `/vsc` switch can allow the migration of many files that are open with another application, it's a best practice to close all applications in order to ensure all files and settings migrate. Without the `/vsc` or `/c` switch USMT will fail when it can't migrate a file or setting. When you use the `/c` option, USMT will ignore any files or settings that it can't migrate and log an error each time.
 
--   **Close all applications before running either the ScanState or LoadState tools**
+- **Log off after you run the LoadState**
 
-    Although using the **/vsc** switch can allow the migration of many files that are open with another application it is a best practice to close all applications in order to ensure all files and settings migrate. Without the **/vsc** or **/c** switch USMT will fail when it cannot migrate a file or setting. When you use the **/c** option USMT will ignore any files or settings that it cannot migrate and log an error each time.
+    Some settings, such as fonts, wallpaper, and screensaver settings, won't take effect until the next time the user logs on. For this reason, you should sign out after you run the LoadState tool.
 
--   **Log off after you run the LoadState**
+- **Managed environment**
 
-    Some settings, such as fonts, wallpaper, and screensaver settings, will not take effect until the next time the user logs on. For this reason, you should log off after you run the LoadState tool.
+    To create a managed environment, you can move all of the end user's documents into My Documents (%CSIDL\_PERSONAL%). We recommend that you migrate files into the smallest-possible number of folders on the destination computer. Minimizing folders will help you to clean up files on the destination computer, if the `LoadState.exe` command fails before completion.
 
--   **Managed environment**
+- **Chkdsk.exe**
 
-    To create a managed environment, you can move all of the end user’s documents into My Documents (%CSIDL\_PERSONAL%). We recommend that you migrate files into the smallest-possible number of folders on the destination computer. This will help you to clean up files on the destination computer, if the LoadState command fails before completion.
+    We recommend that you run **Chkdsk.exe** before running the ScanState and LoadState tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)).
 
--   **Chkdsk.exe**
+- **Migrate in groups**
 
-    We recommend that you run Chkdsk.exe before running the ScanState and LoadState tools. Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors. For more information about the Chkdsk.exe tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)).
-
--   **Migrate in groups**
-
-    If you decide to perform the migration while users are using the network, it is best to migrate user accounts in groups. To minimize the impact on network performance, determine the size of the groups based on the size of each user account. Migrating in phases also allows you to make sure each phase is successful before starting the next phase. Using this method, you can make any necessary modifications to your plan between groups.
-
-## Security Best Practices
+    If you decide to perform the migration while users are using the network, it's best to migrate user accounts in groups. To minimize the impact on network performance, determine the size of the groups based on the size of each user account. Migrating in phases also allows you to make sure each phase is successful before starting the next phase. Using this method, you can make any necessary modifications to your plan between groups.
 
+## Security best practices
 
 As the authorized administrator, it is your responsibility to protect the privacy of the users and maintain security during and after the migration. In particular, you must consider the following issues:
 
--   **Encrypting File System (EFS)**
+- **Encrypting File System (EFS)**
 
-    Take extreme caution when migrating encrypted files, because the end user does not need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
+    Take extreme caution when migrating encrypted files, because the end user doesn't need to be logged on to capture the user state. By default, USMT fails if an encrypted file is found. For specific instructions about EFS best practices, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
 
-    **Important**  
-    If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
+    > [!NOTE]
+    > If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
 
-     
+- **Encrypt the store**
 
--   **Encrypt the store**
+    Consider using the `/encrypt` option with the `ScanState.exe` command and the `/decrypt` option with the `LoadState.exe` command. However, use extreme caution with this set of options, because anyone who has access to the `ScanState.exe` command-line script also has access to the encryption key.
 
-    Consider using the **/encrypt** option with the ScanState command and the **/decrypt** option with the LoadState command. However, use extreme caution with this set of options, because anyone who has access to the ScanState command-line script also has access to the encryption key.
-
--   **Virus Scan**
+- **Virus Scan**
 
     We recommend that you scan both the source and destination computers for viruses before running USMT. In addition, you should scan the destination computer image. To help protect data from viruses, we strongly recommend running an antivirus utility before migration.
 
--   **Maintain security of the file server and the deployment server**
+- **Maintain security of the file server and the deployment server**
 
-    We recommend that you manage the security of the file and deployment servers. It is important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files is not exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657).
+    We recommend that you manage the security of the file and deployment servers. It's important to make sure that the file server where you save the store is secure. You must also secure the deployment server, to ensure that the user data that is in the log files isn't exposed. We also recommend that you only transmit data over a secure Internet connection, such as a virtual private network. For more information about network security, see [Microsoft Security Compliance Manager](https://go.microsoft.com/fwlink/p/?LinkId=215657).
 
--   **Password Migration**
+- **Password Migration**
 
-    To ensure the privacy of the end users, USMT does not migrate passwords, including those for applications such as Windows Live™ Mail, Microsoft Internet Explorer®, as well as Remote Access Service (RAS) connections and mapped network drives. It is important to make sure that end users know their passwords.
+    To ensure the privacy of the end users, USMT doesn't migrate passwords, including passwords for applications such as Windows Live™ Mail, Microsoft Internet Explorer®, and Remote Access Service (RAS) connections and mapped network drives. It's important to make sure that end users know their passwords.
 
--   **Local Account Creation**
+- **Local Account Creation**
 
-    Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](usmt-identify-users.md) topic.
+    Before you migrate local accounts, see the Migrating Local Accounts section in the [Identify Users](usmt-identify-users.md) article.
 
-## <a href="" id="bkmk-bestpractices"></a>XML File Best Practices
+## XML file best practices
 
+- **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools**
 
--   **Specify the same set of mig\*.xml files in both the ScanState and the LoadState tools**
+    If you used a particular set of mig\*.xml files in the ScanState tool, either called through the `/auto` option, or individually through the `/i` option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool.
 
-    If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool.
+- **The &lt;CustomFileName&gt; in the migration urlid should match the name of the file**
 
--   **The &lt;CustomFileName&gt; in the migration urlid should match the name of the file**
+    Although it isn't a requirement, it's good practice for **&lt;CustomFileName&gt;** to match the name of the file. For example, the following example is from the `MigApp.xml` file:
 
-    Although it is not a requirement, it is good practice for &lt;CustomFileName&gt; to match the name of the file. For example, the following is from the MigApp.xml file:
-
-    ``` xml
+    ```xml
     <?xml version="1.0" encoding="UTF-8"?>
     <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
     ```
 
--   **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax**
+- **Use the XML Schema (MigXML.xsd) when authoring .xml files to validate syntax**
 
-    The MigXML.xsd schema file should not be included on the command line or in any of the .xml files.
+    The `MigXML.xsd` schema file shouldn't be included on the command line or in any of the .xml files.
 
--   **Use the default migration XML files as models**
+- **Use the default migration XML files as models**
 
-    To create a custom .xml file, you can use the migration .xml files as models to create your own. If you need to migrate user data files, model your custom .xml file on MigUser.xml. To migrate application settings, model your custom .xml file on the MigApp.xml file.
+    To create a custom .xml file, you can use the migration .xml files as models to create your own. If you need to migrate user data files, model your custom .xml file on `MigUser.xml`. To migrate application settings, model your custom .xml file on the `MigApp.xml` file.
 
--   **Consider the impact on performance when using the &lt;context&gt; parameter**
+- **Consider the impact on performance when using the &lt;context&gt; parameter**
 
-    Your migration performance can be affected when you use the &lt;context&gt; element with the &lt;component&gt; element; for example, as in when you want to encapsulate logical units of file- or path-based &lt;include&gt; and &lt;exclude&gt; rules.
+    Your migration performance can be affected when you use the **&lt;context&gt;** element with the **&lt;component&gt;** element; for example, as in when you want to encapsulate logical units of file- or path-based **&lt;include&gt;** and **&lt;exclude&gt;** rules.
 
     In the **User** context, a rule is processed one time for each user on the system.
 
@@ -119,32 +114,24 @@ As the authorized administrator, it is your responsibility to protect the privac
 
     In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system.
 
-    **Note**  
-    The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once.
+    > [!NOTE]
+    > The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once.
 
-     
+- **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files**
 
--   **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files**
+    For example, if you have code that migrates the settings for an application, you shouldn't just add the code to the `MigApp.xml` file.
 
-    For example, if you have code that migrates the settings for an application, you should not just add the code to the MigApp.xml file.
+- **You should not create custom .xml files to alter the operating system settings that are migrated**
 
--   **You should not create custom .xml files to alter the operating system settings that are migrated**
+    These settings are migrated by manifests and you can't modify those files. If you want to exclude certain operating system settings from the migration, you should create and modify a `Config.xml` file.
 
-    These settings are migrated by manifests and you cannot modify those files. If you want to exclude certain operating system settings from the migration, you should create and modify a Config.xml file.
+- **You can use the asterisk (\*) wildcard character in any migration XML file that you create**
 
--   **You can use the asterisk (\*) wildcard character in any migration XML file that you create**
+    > [!NOTE]
+    > The question mark is not valid as a wildcard character in USMT .xml files.
 
-    **Note**  
-    The question mark is not valid as a wildcard character in USMT .xml files.
+## Related articles
 
-     
-
-## Related topics
-
-
-[Migration Store Encryption](usmt-migration-store-encryption.md)
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
- 
+[Migration store encryption](usmt-migration-store-encryption.md)
 
+[Plan your migration](usmt-plan-your-migration.md)
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 9b20c0385e..72982b364a 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -2,29 +2,30 @@
 title: Choose a Migration Store Type (Windows 10)
 description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in your organization.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Choose a Migration Store Type
+# Choose a migration store type
 
-One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you are using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store.
+One of the main considerations for planning your migration is to determine which migration store type best meets your needs. As part of these considerations, determine how much space is required to run the User State Migration Tool (USMT) 10.0 components on your source and destination computers, and how much space is needed to create and host the migration store, whether you're using a local share, network share, or storage device. The final consideration is ensuring that user date integrity is maintained by encrypting the migration store.
 
-## In This Section
+## In this section
 
 | Link | Description |
 |--- |--- |
-|[Migration Store Types Overview](migration-store-types-overview.md)|Choose the migration store type that works best for your needs and migration scenario.|
-|[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)|Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.|
-|[Hard-Link Migration Store](usmt-hard-link-migration-store.md)|Learn about hard-link migration stores and the scenarios in which they are used.|
-|[Migration Store Encryption](usmt-migration-store-encryption.md)|Learn about the using migration store encryption to protect user data integrity during a migration.|
+|[Migration store types overview](migration-store-types-overview.md)|Choose the migration store type that works best for your needs and migration scenario.|
+|[Estimate migration store size](usmt-estimate-migration-store-size.md)|Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.|
+|[Hard-link migration store](usmt-hard-link-migration-store.md)|Learn about hard-link migration stores and the scenarios in which they're used.|
+|[Migration store encryption](usmt-migration-store-encryption.md)|Learn about the using migration store encryption to protect user data integrity during a migration.|
 
-## Related topics
+## Related articles
 
-[Plan Your Migration](usmt-plan-your-migration.md)
+[Plan your migration](usmt-plan-your-migration.md)
 
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+[User State Migration Tool (USMT) how-to topics](usmt-how-to.md)
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 95be767505..d7332ed880 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -2,22 +2,23 @@
 title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
 description: Learn about the User State Migration Tool (USMT) command-line syntax for using the ScanState tool, LoadState tool, and UsmtUtils tool.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# User State Migration Tool (USMT) Command-line Syntax
+# User State Migration Tool (USMT) command-line syntax
 
-The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation.
+The User State Migration Tool (USMT) 10.0 migrates user files and settings during large deployments of Windows. To improve and simplify the migration process, USMT captures desktop, network, and application settings in addition to a user's files. USMT then migrates these items to a new Windows installation.
 
-## In This Section
+## In this Section
 
 | Link | Description |
 |--- |--- |
-|[ScanState Syntax](usmt-scanstate-syntax.md)|Lists the command-line options for using the ScanState tool.|
-|[LoadState Syntax](usmt-loadstate-syntax.md)|Lists the command-line options for using the LoadState tool.|
-|[UsmtUtils Syntax](usmt-utilities.md)|Lists the command-line options for using the UsmtUtils tool.|
+|[ScanState syntax](usmt-scanstate-syntax.md)|Lists the command-line options for using the ScanState tool.|
+|[LoadState syntax](usmt-loadstate-syntax.md)|Lists the command-line options for using the LoadState tool.|
+|[UsmtUtils syntax](usmt-utilities.md)|Lists the command-line options for using the UsmtUtils tool.|
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
deleted file mode 100644
index ade22cbde7..0000000000
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ /dev/null
@@ -1,331 +0,0 @@
----
-title: Common Issues (Windows 10)
-description: Learn about common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools.
-ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-ms.date: 09/19/2017
-author: aczechowski
-ms.topic: article
----
-
-# Common Issues
-
-
-The following sections discuss common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools. USMT produces log files that describe in further detail any errors that occurred during the migration process. These logs can be used to troubleshoot migration failures.
-
-## In This Topic
-
-
-[User Account Problems](#user)
-
-[Command-line Problems](#command)
-
-[XML File Problems](#xml)
-
-[Migration Problems](#migration)
-
-[Offline Migration Problems](#bkmk-offline)
-
-[Hard Link Migration Problems](#bkmk-hardlink)
-
-[USMT does not migrate the Start layout](#usmt-does-not-migrate-the-start-layout)
-
-## General Guidelines for Identifying Migration Problems
-
-
-When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem:
-
-- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line.
-
-  In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**<em>:5</em> option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger.
-
-  **Note**  
-  Running the ScanState and LoadState tools with the **/v**<em>:5</em> option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred.
-
-     
-
-- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
-
-- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
-
-- Create a progress log using the **/Progress** option to monitor your migration.
-
-- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment.
-
-- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on.
-
-- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files.
-
-  **Note**  
-  USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate.
-
-     
-
-## <a href="" id="user"></a>User Account Problems
-
-
-The following sections describe common user account problems. Expand the section to see recommended solutions.
-
-### I'm having problems creating local accounts on the destination computer.
-
-**Resolution:** For more information about creating accounts and migrating local accounts, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
-
-### Not all of the user accounts were migrated to the destination computer.
-
-**Causes/Resolutions** There are two possible causes for this problem:
-
-When running the ScanState tool on Windows Vista, or the ScanState and LoadState tools on Windows 7, Windows 8, or Windows 10, you must run them in Administrator mode from an account with administrative credentials to ensure that all specified users are migrated. To run in Administrator mode:
-
-1.  Click **Start**.
-
-2.  Click **All Programs**.
-
-3.  Click **Accessories**.
-
-4.  Right-click **Command Prompt**.
-
-5.  Click **Run as administrator**.
-
-Then specify your LoadState or ScanState command. If you do not run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
-
-Any user accounts on the computer that have not been used will not be migrated. For example, if you add User1 to the computer, but User1 never logs on, then USMT will not migrate the User1 account.
-
-### User accounts that I excluded were migrated to the destination computer.
-
-**Cause:** The command that you specified might have had conflicting **/ui** and **/ue** options. If a user is specified with the **/ui** option and is also specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:domain1\* /ue:domain1\user1`, then User1 will be migrated because the **/ui** option takes precedence.
-
-**Resolution:** For more information about how to use the **/ui** and **/ue** options together, see the examples in the [ScanState Syntax](usmt-scanstate-syntax.md) topic.
-
-### I am using the /uel option, but many accounts are still being included in the migration.
-
-**Cause** The **/uel** option depends on the last modified date of the users' NTUser.dat file. There are scenarios in which this last modified date might not match the users' last logon date.
-
-**Resolution** This is a limitation of the **/uel** option. You might need to exclude these users manually with the **/ue** option.
-
-### The LoadState tool reports an error as return code 71 and fails to restore a user profile during a migration test.
-
-**Cause:** During a migration test, if you run the ScanState tool on your test computer and then delete user profiles in order to test the LoadState tool on the same computer, you may have a conflicting key present in the registry. Using the **net use** command to remove a user profile will delete folders and files associated with that profile, but will not remove the registry key.
-
-**Resolution:** To delete a user profile, use the **User Accounts** item in Control Panel. To correct an incomplete deletion of a user profile:
-
-1.  Open the registry editor by typing `regedit` at an elevated command prompt.
-
-2.  Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`.
-
-    Each user profile is stored in a System Identifier key under `ProfileList`.
-
-3.  Delete the key for the user profile you are trying to remove.
-
-### Files that were not encrypted before the migration are now encrypted with the account used to run the LoadState tool.
-
-**Cause:** The ScanState tool was run using the **/EFS: copyraw** option to migrate encrypted files and Encrypting File System (EFS) certificates. The encryption attribute was set on a folder that was migrated, but the attribute was removed from file contents of that folder prior to migration.
-
-**Resolution:** Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you can run the Cipher tool at the command prompt to review and change encryption settings on files and folders. You must remove the encryption attribute from folders that contain unencrypted files or encrypt the contents of all files within an encrypted folder.
-
-To remove encryption from files that have already been migrated incorrectly, you must log on to the computer with the account that you used to run the LoadState tool and then remove the encryption from the affected files.
-
-### The LoadState tool reports an error as return code 71 and a Windows Error 2202 in the log file.
-
-**Cause:** The computer name was changed during an offline migration of a local user profile.
-
-**Resolution:** You can use the **/mu** option when you run the LoadState tool to specify a new name for the user. For example,
-
-``` syntax
-loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore 
-/progress:prog.log /l:load.log /mu:fareast\user1:farwest\user1
-```
-
-## <a href="" id="command"></a>Command-line Problems
-
-
-The following sections describe common command-line problems. Expand the section to see recommended solutions.
-
-### I received the following error message: "Usage Error: You cannot specify a file path with any of the command-line options that exceeds 256 characters."
-
-**Cause:** You might receive this error message in some cases even if you do not specify a long store or file path, because the path length is calculated based on the absolute path. For example, if you run the **scanstate.exe /o store** command from C:\\Program Files\\USMT40, then each character in "`C:\Program Files\USMT40`" will be added to the length of "store" to get the length of the path.
-
-**Resolution:** Ensure that the total path length—the store path plus the current directory—does not exceed 256 characters.
-
-### I received the following error message: "USMT was unable to create the log file(s). Ensure that you have write access to the log directory."
-
-**Cause:** If you are running the ScanState or LoadState tools from a shared network resource, you will receive this error message if you do not specify **/l**.
-
-**Resolution:** To fix this issue in this scenario, specify the **/l:scan.log** or **/l:load.log** option.
-
-## <a href="" id="xml"></a>XML File Problems
-
-
-The following sections describe common XML file problems. Expand the section to see recommended solutions.
-
-### I used the /genconfig option to create a Config.xml file, but I see only a few applications and components that are in MigApp.xml. Why does Config.xml not contain all of the same applications?
-
-**Cause:** Config.xml will contain only operating system components, applications, and the user document sections that are in both of the .xml files and are installed on the computer when you run the **/genconfig** option. Otherwise, these applications and components will not appear in the Config.xml file.
-
-**Resolution:** Install all of the desired applications on the computer before running the **/genconfig** option. Then run ScanState with all of the .xml files. For example, run the following:
-
-`scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:scanstate.log`
-
-### I am having problems with a custom .xml file that I authored, and I cannot verify that the syntax is correct.
-
-**Resolution:** You can load the XML schema (MigXML.xsd), included with USMT, into your XML authoring tool. For examples, see the [Visual Studio Development Center](https://go.microsoft.com/fwlink/p/?LinkId=74513). Then, load your .xml file in the authoring tool to see if there is a syntax error. In addition, see [USMT XML Reference](usmt-xml-reference.md) for more information about using the XML elements.
-
-### <a href="" id="i-am-using-a-migxml-helper-function--but-the-migration-isn-t-working-the-way-i-expected-it-to---how-do-i-troubleshoot-this-issue-"></a>I am using a MigXML helper function, but the migration isn’t working the way I expected it to.  How do I troubleshoot this issue?
-
-**Cause:** Typically, this issue is caused by incorrect syntax used in a helper function. You receive a Success return code, but the files you wanted to migrate did not get collected or applied, or weren’t collected or applied in the way you expected.
-
-**Resolution:** You should search the ScanState or LoadState log for either the component name which contains the MigXML helper function, or the MigXML helper function title, so that you can locate the related warning in the log file.
-
-## <a href="" id="migration"></a>Migration Problems
-
-
-The following sections describe common migration problems. Expand the section to see recommended solutions.
-
-### Files that I specified to exclude are still being migrated.
-
-**Cause:** There might be another rule that is including the files. If there is a more specific rule or a conflicting rule, the files will be included in the migration.
-
-**Resolution:** For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md) and the Diagnostic Log section in [Log Files](usmt-log-files.md).
-
-### I specified rules to move a folder to a specific location on the destination computer, but it has not migrated correctly.
-
-**Cause:** There might be an error in the XML syntax.
-
-**Resolution:** You can use the USMT XML schema (MigXML.xsd) to write and validate migration .xml files. Also see the XML examples in the following topics:
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[Exclude Files and Settings](usmt-exclude-files-and-settings.md)
-
-[Reroute Files and Settings](usmt-reroute-files-and-settings.md)
-
-[Include Files and Settings](usmt-include-files-and-settings.md)
-
-[Custom XML Examples](usmt-custom-xml-examples.md)
-
-### After LoadState completes, the new desktop background does not appear on the destination computer.
-
-There are three typical causes for this issue.
-
-**Cause \#1:**: Some settings such as fonts, desktop backgrounds, and screen-saver settings are not applied by LoadState until after the destination computer has been restarted.
-
-**Resolution:** To fix this issue, log off, and then log back on to see the migrated desktop background.
-
-**Cause \#2:** If the source computer was running Windows® XP and the desktop background was stored in the *Drive*:\\WINDOWS\\Web\\Wallpaper folder—the default folder where desktop backgrounds are stored in Windows XP—the desktop background will not be migrated. Instead, the destination computer will have the default Windows® desktop background. This will occur even if the desktop background was a custom picture that was added to the \\WINDOWS\\Web\\Wallpaper folder. However, if the end user sets a picture as the desktop background that was saved in another location, for example, My Pictures, then the desktop background will migrate.
-
-**Resolution:** Ensure that the desktop background images that you want to migrate are not in the \\WINDOWS\\Web\\Wallpaper folder on the source computer.
-
-**Cause \#3:** If ScanState was not run on Windows XP from an account with administrative credentials, some operating system settings will not migrate. For example, desktop background settings, screen-saver selections, modem options, media-player settings, and Remote Access Service (RAS) connection phone book (.pbk) files and settings will not migrate.
-
-**Resolution:** Run the ScanState and LoadState tools from within an account with administrative credentials.
-
-### <a href="" id="i-included-migapp-xml-in-the-migration--but-some-pst-files-aren-t-migrating-"></a>I included MigApp.xml in the migration, but some PST files aren’t migrating.
-
-**Cause:** The MigApp.xml file migrates only the PST files that are linked to Outlook profiles.
-
-**Resolution:** To migrate PST files that are not linked to Outlook profiles, you must create a separate migration rule to capture these files.
-
-### USMT does not migrate the Start layout
-
-**Description:** You are using USMT to migrate profiles from one installation of Windows 10 to another installation of Windows 10 on different hardware. After migration, the user signs in on the new device and does not have the Start menu layout they had previously configured.
-
-**Cause:** A code change in the Start Menu with Windows 10 version 1607 and later is incompatible with this USMT function.
-
-**Resolution:** The following workaround is available:
-
-1. With the user signed in, back up the Start layout using the following Windows PowerShell command. You can specify a different path if desired:
-
-    ```
-    Export-StartLayout -Path "C:\Layout\user1.xml"
-    ```
-2. Migrate the user's profile with USMT.
-3. Before the user signs in on the new device, import the Start layout using the following Windows PowerShell command:
-
-    ```
-    Import-StartLayout –LayoutPath "C:\Layout\user1.xml" –MountPath %systemdrive%
-    ```
-
-This workaround changes the Default user's Start layout. The workaround does not scale to a mass migrations or multiuser devices, but it can potentially unblock some scenarios. If other users will sign on to the device you should delete layoutmodification.xml from the Default user profile. Otherwise, all users who sign on to that device will use the imported Start layout.
-
-## <a href="" id="bkmk-offline"></a>Offline Migration Problems
-
-
-The following sections describe common offline migration problems. Expand the section to see recommended solutions.
-
-### Some of my system settings do not migrate in an offline migration.
-
-**Cause:** Some system settings, such as desktop backgrounds and network printers, are not supported in an offline migration. For more information, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-**Resolution:** In an offline migration, these system settings must be restored manually.
-
-### The ScanState tool fails with return code 26.
-
-**Cause:** A common cause of return code 26 is that a temp profile is active on the source computer. This profile maps to c:\\users\\temp. The ScanState log shows a MigStartupOfflineCaught exception that includes the message "User profile duplicate SID error".
-
-**Resolution:** You can reboot the computer to get rid of the temp profile or you can set MIG\_FAIL\_ON\_PROFILE\_ERROR=0 to skip the error and exclude the temp profile.
-
-### Include and Exclude rules for migrating user profiles do not work the same offline as they do online.
-
-**Cause:** When offline, the DNS server cannot be queried to resolve the user name and SID mapping.
-
-**Resolution:** Use a Security Identifier (SID) to include a user when running the ScanState tool. For example:
-
-``` syntax
-Scanstate /ui:S1-5-21-124525095-708259637-1543119021*
-```
-
-The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
-
-You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](/troubleshoot/windows-server/identity/security-identifiers-in-windows).
-
-### My script to wipe the disk fails after running the ScanState tool on a 64-bit system.
-
-**Cause:** The HKLM registry hive is not unloaded after the ScanState tool has finished running.
-
-**Resolution:** Reboot the computer or unload the registry hive at the command prompt after the ScanState tool has finished running. For example, at a command prompt, type:
-
-``` syntax
-reg.exe unload hklm\$dest$software
-```
-
-## <a href="" id="bkmk-hardlink"></a>Hard-Link Migration Problems
-
-
-The following sections describe common hard-link migration problems. Expand the section to see recommended solutions.
-
-### EFS files are not restored to the new partition.
-
-**Cause:** EFS files cannot be moved to a new partition with a hard link. The **/efs:hardlink** command-line option is only applicable to files migrated on the same partition.
-
-**Resolution:** Use the **/efs:copyraw** command-line option to copy EFS files during the migration instead of creating hard links, or manually copy the EFS files from the hard-link store.
-
-### The ScanState tool cannot delete a previous hard-link migration store.
-
-**Cause:** The migration store contains hard links to locked files.
-
-**Resolution:** Use the UsmtUtils tool to delete the store or change the store name. For example, at a command prompt, type:
-
-``` syntax
-USMTutils /rd <storedir>
-```
-
-You should also reboot the machine.
-
-
-
-
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Frequently Asked Questions](usmt-faq.yml)
-
-[Return Codes](usmt-return-codes.md)
-
-[UsmtUtils Syntax](usmt-utilities.md)
-
- 
-
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 854bc6b73f..4f68b4b46e 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -1,151 +1,110 @@
 ---
 title: Common Migration Scenarios (Windows 10)
-description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades.
+description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Common Migration Scenarios
 
+You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred.
 
-You use the User State Migration Tool (USMT) 10.0 when hardware and/or operating system upgrades are planned for a large number of computers. USMT manages the migration of an end-user's digital identity by capturing the user's operating-system settings, application settings, and personal files from a source computer and reinstalling them on a destination computer after the upgrade has occurred.
-
-One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system.
-
-## In this topic
-
-
-[PC Refresh](#bkmk-pcrefresh)
-
-[Scenario One: PC-refresh offline using Windows PE and a hard-link migration store](#bkmk-onepcrefresh)
-
-[Scenario Two: PC-refresh using a compressed migration store](#bkmk-twopcrefresh)
-
-[Scenario Three: PC-refresh using a hard-link migration store](#bkmk-threepcrefresh)
-
-[Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store](#bkmk-fourpcrefresh)
-
-[PC Replacement](#bkmk-pcreplace)
-
-[Scenario One: Offline migration using Windows PE and an external migration store](#bkmk-onepcreplace)
-
-[Scenario Two: Manual network migration](#bkmk-twopcreplace)
-
-[Scenario Three: Managed network migration](#bkmk-threepcreplace)
-
-## <a href="" id="bkmk-pcrefresh"></a>PC-Refresh
+One common scenario is when the operating system is upgraded on existing hardware without the hardware being replaced. This scenario is referred to as *PC-refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system.
 
+## PC-refresh
 
 The following diagram shows a PC-refresh migration, also known as a computer refresh migration. First, the administrator migrates the user state from a source computer to an intermediate store. After installing the operating system, the administrator migrates the user state back to the source computer.
 
- 
-
 ![usmt pc refresh scenario.](images/dep-win8-l-usmt-pcrefresh.jpg)
 
- 
+### Scenario One: PC-refresh offline using Windows PE and a hard-link migration store
 
-### <a href="" id="bkmk-onepcrefresh"></a>Scenario One: PC-refresh offline using Windows PE and a hard-link migration store
+A company has received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer.
 
-A company has just received funds to update the operating system on all of its computers in the accounting department to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, the update is being handled completely offline, without a network connection. An administrator uses Windows Preinstallation Environment (WinPE) and a hard-link migration store to save each user state to their respective computer.
+1. On each computer, the administrator boots the machine into WinPE and runs the **ScanState** command-line tool, specifying the `/hardlink /nocompress` command-line options. **ScanState** saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic and minimizing migration failures on computers with limited space available on the hard drive.
 
-1.  On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive.
+2. On each computer, the administrator installs the company's standard operating environment (SOE) which includes Windows 10 and other company applications.
 
-2.  On each computer, the administrator installs the company's standard operating environment (SOE) which includes Windows 10 and other company applications.
+3. The administrator runs the **LoadState** command-line tool on each computer. **LoadState** restores each user state back to each computer.
 
-3.  The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer.
+### Scenario Two: PC-refresh using a compressed migration store
 
-### <a href="" id="bkmk-twopcrefresh"></a>Scenario Two: PC-refresh using a compressed migration store
+A company has received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server.
 
-A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a compressed migration store to save the user states to a server.
+1. The administrator runs the **ScanState** command-line tool on each computer. **ScanState** saves each user state to a server.
 
-1.  The administrator runs the ScanState command-line tool on each computer. ScanState saves each user state to a server.
+2. On each computer, the administrator installs the company's standard SOE that includes Windows 10 and other company applications.
 
-2.  On each computer, the administrator installs the company's standard SOE which includes Windows 10 and other company applications.
+3. The administrator runs the **LoadState** command-line tool on each source computer, and **LoadState** restores each user state back to the computer.
 
-3.  The administrator runs the LoadState command-line tool on each source computer, and LoadState restores each user state back to the computer.
+### Scenario Three: PC-refresh using a hard-link migration store
 
-### <a href="" id="bkmk-threepcrefresh"></a>Scenario Three: PC-refresh using a hard-link migration store
+A company has received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer.
 
-A company has just received funds to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses a hard-link migration store to save each user state to their respective computer.
+1. The administrator runs the **ScanState** command-line tool on each computer, specifying the `/hardlink /nocompress` command-line options. **ScanState** saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic and minimizing migration failures on computers with limited space available on the hard drive.
 
-1.  The administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive.
+2. On each computer, the administrator installs the company's SOE that includes Windows 10 and other company applications.
 
-2.  On each computer, the administrator installs the company's SOE which includes Windows 10 and other company applications.
+3. The administrator runs the **LoadState** command-line tool on each computer. **LoadState** restores each user state back on each computer.
 
-3.  The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back on each computer.
+### Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store
 
-### <a href="" id="bkmk-fourpcrefresh"></a>Scenario Four: PC-refresh using Windows.old folder and a hard-link migration store
+A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer.
 
-A company has decided to update the operating system on all of its computers to Windows 10. Each employee will keep the same computer, but the operating system on each computer will be updated. In this scenario, an administrator uses Windows.old and a hard-link migration store to save each user state to their respective computer.
+1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows.
 
-1.  The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows.
+2. On each computer, the administrator installs the company's SOE that includes company applications.
 
-2.  On each computer, the administrator installs the company's SOE which includes company applications.
-
-3.  The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options.
-
-## <a href="" id="bkmk-pcreplace"></a>PC-Replacement
+3. The administrator runs the **ScanState** and **LoadState** command-line tools successively on each computer while specifying the `/hardlink /nocompress` command-line options.
 
+## PC-replacement
 
 The following diagram shows a PC-replacement migration. First, the administrator migrates the user state from the source computer to an intermediate store. After installing the operating system on the destination computer, the administrator migrates the user state from the store to the destination computer.
 
- 
-
 ![usmt pc replace scenario.](images/dep-win8-l-usmt-pcreplace.jpg)
 
- 
+### Scenario One: Offline migration using Windows PE and an external migration store
 
-### <a href="" id="bkmk-onepcreplace"></a>Scenario One: Offline migration using WinPE and an external migration store
+A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled offline, without a network connection.
 
-A company is allocating 20 new computers to users in the accounting department. The users each have a source computer with their files and settings. In this scenario, migration is being handled completely offline, without a network connection.
+1. On each source computer, an administrator boots the machine into WinPE and runs **ScanState** to collect the user state to either a server or an external hard disk.
 
-1.  On each source computer, an administrator boots the machine into WinPE and runs ScanState to collect the user state to either a server or an external hard disk.
+2. On each new computer, the administrator installs the company's SOE that includes Windows 10 and other company applications.
 
-2.  On each new computer, the administrator installs the company's SOE which includes Windows 10 and other company applications.
+3. On each of the new computers, the administrator runs the **LoadState** tool, restoring each user state from the migration store to one of the new computers.
 
-3.  On each of the new computers, the administrator runs the LoadState tool, restoring each user state from the migration store to one of the new computers.
+### Scenario Two: Manual network migration
 
-### <a href="" id="bkmk-twopcreplace"></a>Scenario Two: Manual network migration
+A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the **ScanState** tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store.
 
-A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store.
+1. The administrator runs the **ScanState** tool on each of the manager's old laptops, and saves each user state to a server.
 
-1.  The administrator runs the ScanState tool on each of the manager's old laptops, and saves each user state to a server.
+2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
 
-2.  On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
+3. The administrator runs the **LoadState** tool on the new laptops to migrate the managers' user states to the appropriate computer. The new laptops are now ready for the managers to use.
 
-3.  The administrator runs the LoadState tool on the new laptops to migrate the managers' user states to the appropriate computer. The new laptops are now ready for the managers to use.
+4. On the old computers, the administrator installs the company's SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use.
 
-4.  On the old computers, the administrator installs the company's SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use.
+### Scenario Three: Managed network migration
 
-### <a href="" id="bkmk-threepcreplace"></a>Scenario Three: Managed network migration
+A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a sign-in script or a batch file to run **ScanState** on each source computer to collect the user states and save them to a server in a compressed migration store.
 
-A company is allocating 20 new computers to users in the accounting department. The users each have a source computer that contains their files and settings. An administrator uses a management technology such as a logon script or a batch file to run ScanState on each source computer to collect the user states and save them to a server in a compressed migration store.
+1. On each source computer, the administrator runs the **ScanState** tool using Microsoft Configuration Manager, Microsoft Deployment Toolkit (MDT), a sign-in script, a batch file, or a non-Microsoft management technology. **ScanState** collects the user state from each source computer and then saves it to a server.
 
-1.  On each source computer, the administrator runs the ScanState tool using Microsoft Endpoint Configuration Manager, Microsoft Deployment Toolkit (MDT), a logon script, a batch file, or a non-Microsoft management technology. ScanState collects the user state from each source computer and then saves it to a server.
-
-2.  On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
-
-3.  On each of the new computers, the administrator runs the LoadState tool using Microsoft Endpoint Configuration Manager, a logon script, a batch file, or a non-Microsoft management technology. LoadState migrates each user state from the migration store to one of the new computers.
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-[Choose a Migration Store Type](usmt-choose-migration-store-type.md)
-
-[Offline Migration Reference](offline-migration-reference.md)
-
- 
-
- 
+2. On each new computer, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
 
+3. On each of the new computers, the administrator runs the **LoadState** tool using Microsoft Configuration Manager, a sign-in script, a batch file, or a non-Microsoft management technology. **LoadState** migrates each user state from the migration store to one of the new computers.
 
+## Related articles
 
+[Plan your migration](usmt-plan-your-migration.md)
 
+[Choose a migration store type](usmt-choose-migration-store-type.md)
 
+[Offline migration reference](offline-migration-reference.md)
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index 63388ac85d..96846a8e88 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -1,91 +1,56 @@
 ---
 title: Config.xml File (Windows 10)
-description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool.
+description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Config.xml File
 
-## Config.xml File
+The `Config.xml` file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the `/genconfig` option with the ScanState tool. If you want to include all of the default components, and don't want to change the default store-creation or profile-migration behavior, you don't need to create a `Config.xml` file.
 
-The Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the **/genconfig** option with the ScanState.exe tool. If you want to include all of the default components, and do not want to change the default store-creation or profile-migration behavior, you do not need to create a Config.xml file.
+However, if you're satisfied with the default migration behavior defined in the `MigApp.xml`, `MigUser.xml` and `MigDocs.xml` files, but you want to exclude certain components, you can create and modify a `Config.xml` file and leave the other .xml files unchanged. For example, you must create and modify the `Config.xml` file if you want to exclude any of the operating-system settings that are migrated. It's necessary to create and modify this file if you want to change any of the default store-creation or profile-migration behavior.
 
-However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml and MigDocs.xml files, but you want to exclude certain components, you can create and modify a Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the Config.xml file if you want to exclude any of the operating-system settings that are migrated. It is necessary to create and modify this file if you want to change any of the default store-creation or profile-migration behavior.
+The `Config.xml` file has a different format than the other migration .xml files, because it doesn't contain any migration rules. It contains only a list of the operating-system components, applications, user documents that can be migrated, and user-profile policy and error-control policy. For this reason, excluding components using the `Config.xml` file is easier than modifying the migration .xml files, because you don't need to be familiar with the migration rules and syntax. However, you can't use wildcard characters in this file.
 
-The Config.xml file has a different format than the other migration .xml files, because it does not contain any migration rules. It contains only a list of the operating-system components, applications, user documents that can be migrated, as well as user-profile policy and error-control policy. For this reason, excluding components using the Config.xml file is easier than modifying the migration .xml files, because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in this file.
+For more information about using the `Config.xml` file with other migration files, such as the `MigDocs.xml` and `MigApps.xml` files, see [Understanding Migration XML Files](understanding-migration-xml-files.md).
 
-For more information about using the Config.xml file with other migration files, such as the MigDocs.xml and MigApps.xml files, see [Understanding Migration XML Files](understanding-migration-xml-files.md).
+> [!NOTE]
+> To exclude a component from the `Config.xml` file, set the **migrate** value to **no**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration.
 
-**Note**  
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
+## Migration Policies
 
-## In this topic
+In USMT there are new migration policies that can be configured in the `Config.xml` file. For example, you can configure additional **&lt;ErrorControl&gt;**, **&lt;ProfileControl&gt;**, and **&lt;HardLinkStoreControl&gt;** options. The following elements and parameters are for use in the `Config.xml` file only.
 
-In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **&lt;ErrorControl&gt;**, **&lt;ProfileControl&gt;**, and **&lt;HardLinkStoreControl&gt;** options. The following elements and parameters are for use in the Config.xml file only.
-
-[&lt;Policies&gt;](#bkmk-policies)
-
-[&lt;ErrorControl&gt;](#bkmk-errorcontrol)
-
-[&lt;fatal&gt;](#bkmk-fatal)
-
-[&lt;fileError&gt;](#bkmk-fileerror)
-
-[&lt;nonfatal&gt;](#bkmk-nonfatal)
-
-[&lt;registryError&gt;](#bkmk-registryerror)
-
-[&lt;HardLinkStoreControl&gt;](#bkmk-hardlinkstorecontrol)
-
-[&lt;fileLocked&gt;](#bkmk-filelock)
-
-[&lt;createHardLink&gt;](#bkmk-createhardlink)
-
-[&lt;errorHardLink&gt;](#bkmk-errorhardlink)
-
-[&lt;ProfileControl&gt;](#bkmk-profilecontrol)
-
-[&lt;localGroups&gt;](#bkmk-localgroups)
-
-[&lt;mappings&gt;](#bkmk-mappings)
-
-[&lt;changeGroup&gt;](#bkmk-changegrou)
-
-[&lt;include&gt;](#bkmk-include)
-
-[&lt;exclude&gt;](#bkmk-exclude)
-
-[Sample Config.xml File](#bkmk-sampleconfigxjmlfile)
-
-## <a href="" id="bkmk-policies"></a>&lt;Policies&gt;
+### &lt;Policies&gt;
 
 The **&lt;Policies&gt;** element contains elements that describe the policies that USMT follows while creating a migration store. Valid children of the **&lt;Policies&gt;** element are **&lt;ErrorControl&gt;** and **&lt;HardLinkStoreControl&gt;**. The **&lt;Policies&gt;** element is a child of **&lt;Configuration&gt;**.
 
-Syntax: `<Policies> </Policies>`
+Syntax: `<Policies>` `</Policies>`
 
-## <a href="" id="bkmk-errorcontrol"></a>&lt;ErrorControl&gt;
+### &lt;ErrorControl&gt;
 
-The **&lt;ErrorControl&gt;** element is an optional element you can configure in the Config.xml file. The configurable **&lt;ErrorControl&gt;** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character.
+The **&lt;ErrorControl&gt;** element is an optional element you can configure in the `Config.xml` file. The configurable **&lt;ErrorControl&gt;** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character.
 
--   **Number of occurrences**: Once for each component
+- **Number of occurrences**: Once for each component
 
--   **Parent elements**: The **&lt;Policies&gt;** element
+- **Parent elements**: The **&lt;Policies&gt;** element
 
--   **Child elements**: The **&lt;fileError&gt;** and **&lt;registryError&gt;** element
+- **Child elements**: The **&lt;fileError&gt;** and **&lt;registryError&gt;** element
 
-Syntax: `<ErrorControl></ErrorControl>`
+Syntax: `<ErrorControl>` `</ErrorControl>`
 
-The following example specifies that all locked files, regardless of their location (including files in C:\\Users), should be ignored. However, the migration fails if any file in C:\\Users cannot be accessed because of any other reason. In the example below, the **&lt;ErrorControl&gt;** element ignores any problems in migrating registry keys that match the supplied pattern, and it resolves them to an **Access denied** error.
+The following example specifies that all locked files, regardless of their location (including files in C:\\Users), should be ignored. However, the migration fails if any file in C:\\Users can't be accessed because of any other reason. In the example below, the **&lt;ErrorControl&gt;** element ignores any problems in migrating registry keys that match the supplied pattern, and it resolves them to an **Access denied** error.
 
 Additionally, the order in the **&lt;ErrorControl&gt;** section implies priority. In this example, the first **&lt;nonFatal&gt;** tag takes precedence over the second **&lt;fatal&gt;** tag. This precedence is applied, regardless of how many tags are listed.
 
-``` xml
+```xml
 <ErrorControl>
   <fileError>
     <nonFatal errorCode="33">* [*]</nonFatal>
@@ -100,17 +65,17 @@ Additionally, the order in the **&lt;ErrorControl&gt;** section implies priority
 > [!IMPORTANT]
 > The configurable **&lt;ErrorControl&gt;** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character.
 
-### <a href="" id="bkmk-fatal"></a>&lt;fatal&gt;
+### &lt;fatal&gt;
 
-The **&lt;fatal&gt;** element is not required.
+The **&lt;fatal&gt;** element isn't required.
 
--   **Number of occurrences**: Once for each component
+- **Number of occurrences**: Once for each component
 
--   **Parent elements**: **&lt;fileError&gt;** and **&lt;registryError&gt;**
+- **Parent elements**: **&lt;fileError&gt;** and **&lt;registryError&gt;**
 
--   **Child elements**: None.
+- **Child elements**: None.
 
-Syntax: `<fatal errorCode="any">`*&lt;pattern&gt;*`</fatal>`
+Syntax: `<fatal errorCode="any">` *&lt;pattern&gt;* `</fatal>`
 
 |Parameter|Required|Value|
 |--- |--- |--- |
@@ -118,76 +83,76 @@ Syntax: `<fatal errorCode="any">`*&lt;pattern&gt;*`</fatal>`
 
 You use the **&lt;fatal&gt;** element to specify that errors matching a specific pattern should cause USMT to halt the migration.
 
-## <a href="" id="bkmk-fileerror"></a>&lt;fileError&gt;
+### &lt;fileError&gt;
 
-The **&lt;fileError&gt;** element is not required.
+The **&lt;fileError&gt;** element isn't required.
 
--   **Number of occurrences**: Once for each component
+- **Number of occurrences**: Once for each component
 
--   **Parent elements**: **&lt;ErrorControl&gt;**
+- **Parent elements**: **&lt;ErrorControl&gt;**
 
--   **Child elements**: **&lt;nonFatal&gt;** and **&lt;fatal&gt;**
+- **Child elements**: **&lt;nonFatal&gt;** and **&lt;fatal&gt;**
 
-Syntax: `<fileError></fileError>`
+Syntax: `<fileError>` `</fileError>`
 
 You use the **&lt;fileError&gt;** element to represent the behavior associated with file errors.
 
-## <a href="" id="bkmk-nonfatal"></a>&lt;nonFatal&gt;
+### &lt;nonFatal&gt;
 
-The **&lt;nonFatal&gt;** element is not required.
+The **&lt;nonFatal&gt;** element isn't required.
 
--   **Number of occurrences**: Once for each component
+- **Number of occurrences**: Once for each component
 
--   **Parent elements**: The **&lt;fileError&gt;** and **&lt;registryError&gt;** elements.
+- **Parent elements**: The **&lt;fileError&gt;** and **&lt;registryError&gt;** elements.
 
--   **Child elements**: None.
+- **Child elements**: None.
 
-Syntax: `<nonfatal errorCode="any">`*&lt;pattern&gt;*`</nonFatal>`
+Syntax: `<nonfatal errorCode="any">` *&lt;pattern&gt;* `</nonFatal>`
 
 |Parameter|Required|Value|
 |--- |--- |--- |
-|**&lt;errorCode&gt;**|No|"any" or "*specify system error message here*". If system error messages are not specified, the default behavior applies the parameter to all system error messages.|
+|**&lt;errorCode&gt;**|No|"any" or "*specify system error message here*". If system error messages aren't specified, the default behavior applies the parameter to all system error messages.|
 
-You use the **&lt;nonFatal&gt;** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
+You use the **&lt;nonFatal&gt;** element to specify that errors matching a specific pattern shouldn't cause USMT to halt the migration.
 
-## <a href="" id="bkmk-registryerror"></a>&lt;registryError&gt;
+### &lt;registryError&gt;
 
-The <strong>&lt;registryError&gt;</strong>element is not required.
+The **&lt;registryError&gt;** element isn't required.
 
--   **Number of occurrences**: Once for each component
+- **Number of occurrences**: Once for each component
 
--   **Parent elements**: **&lt;ErrorControl&gt;**
+- **Parent elements**: **&lt;ErrorControl&gt;**
 
--   **Child elements**: **&lt;nonfatal&gt;** and **&lt;fatal&gt;**
+- **Child elements**: **&lt;nonfatal&gt;** and **&lt;fatal&gt;**
 
-Syntax: `<registryError></registryError>`
+Syntax: `<registryError>` `</registryError>`
 
 |Parameter|Required|Value|
 |--- |--- |--- |
-|**&lt;errorCode&gt;**|No|"any" or "*specify system error message here*". If system error messages are not specified, the default behavior applies the parameter to all system error messages.|
+|**&lt;errorCode&gt;**|No|"any" or "*specify system error message here*". If system error messages aren't specified, the default behavior applies the parameter to all system error messages.|
 
-You use the **&lt;registryError&gt;** element to specify that errors matching a specific pattern should not cause USMT to halt the migration.
+You use the **&lt;registryError&gt;** element to specify that errors matching a specific pattern shouldn't cause USMT to halt the migration.
 
-## <a href="" id="bkmk-hardlinkstorecontrol"></a>&lt;HardLinkStoreControl&gt;
+### &lt;HardLinkStoreControl&gt;
 
 The **&lt;HardLinkStoreControl&gt;** element contains elements that describe how to handle files during the creation of a hard-link migration store. Its only valid child is **&lt;fileLocked&gt;**.
 
-Syntax: `<HardLinkStoreControl> </HardLinkStoreControl>`
+Syntax: `<HardLinkStoreControl>` `</HardLinkStoreControl>`
 
--   **Number of occurrences**: Once for each component
+- **Number of occurrences**: Once for each component
 
--   **Parent elements**: **&lt;Policies&gt;**
+- **Parent elements**: **&lt;Policies&gt;**
 
--   **Child elements**: **&lt;fileLocked&gt;**
+- **Child elements**: **&lt;fileLocked&gt;**
 
-Syntax: `<HardLinkStoreControl></HardLinkStoreControl>`
+Syntax: `<HardLinkStoreControl>` `</HardLinkStoreControl>`
 
-The **&lt;HardLinkStoreControl&gt;** sample code below specifies that hard links can be created to locked files only if the locked file resides somewhere under C:\\Users\\. Otherwise, a file-access error occurs when a locked file is encountered that cannot be copied, even though is technically possible for the link to be created.
+The **&lt;HardLinkStoreControl&gt;** sample code below specifies that hard links can be created to locked files only if the locked file resides somewhere under C:\\Users\\. Otherwise, a file-access error occurs when a locked file is encountered that can't be copied, even though is technically possible for the link to be created.
 
 > [!IMPORTANT]
-> The **&lt;ErrorControl&gt;** section can be configured to conditionally ignore file access errors, based on the file’s location.
+> The **&lt;ErrorControl&gt;** section can be configured to conditionally ignore file access errors, based on the file's location.
 
-``` xml
+```xml
 <Policy>
    <HardLinkStoreControl>
       <fileLocked>
@@ -201,45 +166,45 @@ The **&lt;HardLinkStoreControl&gt;** sample code below specifies that hard links
 </Policy>
 ```
 
-## <a href="" id="bkmk-filelock"></a>&lt;fileLocked&gt;
+### &lt;fileLocked&gt;
 
 The **&lt;fileLocked&gt;** element contains elements that describe how to handle files that are locked for editing. The rules defined by the **&lt;fileLocked&gt;** element are processed in the order in which they appear in the XML file.
 
-Syntax: `<fileLocked></fileLocked>`
+Syntax: `<fileLocked>` `</fileLocked>`
 
-## <a href="" id="bkmk-createhardlink"></a>&lt;createHardLink&gt;
+### &lt;createHardLink&gt;
 
 The **&lt;createHardLink&gt;** element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application.
 
-Syntax: `<createHardLink>`*&lt;pattern&gt;*`</createHardLink>`
+Syntax: `<createHardLink>` *&lt;pattern&gt;* `</createHardLink>`
 
-## <a href="" id="bkmk-errorhardlink"></a>&lt;errorHardLink&gt;
+### &lt;errorHardLink&gt;
 
-The **&lt;errorHardLink&gt;** element defines a standard MigXML pattern that describes file paths where hard links should not be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that is not possible, **Error\_Locked** is thrown. This is a standard Windows application programming interface (API) error that can be captured by the **&lt;ErrorControl&gt;** section to either cause USMT to skip the file or abort the migration.
+The **&lt;errorHardLink&gt;** element defines a standard MigXML pattern that describes file paths where hard links shouldn't be created if the file is locked for editing by another application. USMT will attempt to copy files under these paths into the migration store. However, if that isn't possible, **Error\_Locked** is thrown. This error is a standard Windows application programming interface (API) error that can be captured by the **&lt;ErrorControl&gt;** section to either cause USMT to skip the file or abort the migration.
 
-Syntax: `<errorHardLink>`*&lt;pattern&gt;*`</errorHardLink>`
+Syntax: `<errorHardLink>` *&lt;pattern&gt;* `</errorHardLink>`
 
-## <a href="" id="bkmk-profilecontrol"></a>&lt;ProfileControl&gt;
+### &lt;ProfileControl&gt;
 
 This element is used to contain other elements that establish rules for migrating profiles, users, and policies around local group membership during the migration. **&lt;ProfileMigration&gt;** is a child of **&lt;Configuration&gt;**.
 
-Syntax: &lt;`ProfileControl> </ProfileControl>`
+Syntax: &lt;`ProfileControl>` `</ProfileControl>`
 
-## <a href="" id="bkmk-localgroups"></a>&lt;localGroups&gt;
+### &lt;localGroups&gt;
 
 This element is used to contain other elements that establish rules for how to migrate local groups. **&lt;localGroups&gt;** is a child of **&lt;ProfileControl&gt;**.
 
-Syntax: `<localGroups> </localGroups>`
+Syntax: `<localGroups>` `</localGroups>`
 
-## <a href="" id="bkmk-mappings"></a>&lt;mappings&gt;
+### &lt;mappings&gt;
 
 This element is used to contain other elements that establish mappings between groups.
 
-Syntax: `<mappings> </mappings>`
+Syntax: `<mappings>` `</mappings>`
 
-## <a href="" id="bkmk-changegrou"></a>&lt;changeGroup&gt;
+### &lt;changeGroup&gt;
 
-This element describes the source and destination groups for a local group membership change during the migration. It is a child of **&lt;localGroups&gt;**. The following parameters are defined:
+This element describes the source and destination groups for a local group membership change during the migration. It's a child of **&lt;localGroups&gt;**. The following parameters are defined:
 
 |Parameter|Required|Value|
 |--- |--- |--- |
@@ -249,23 +214,27 @@ This element describes the source and destination groups for a local group membe
 
 The valid and required children of **&lt;changeGroup&gt;** are **&lt;include&gt;** and **&lt;exclude&gt;**. Although both can be children at the same time, only one is required.
 
-Syntax: `<changeGroup From="Group1" To= "Group2"> </changeGroup>`
+Syntax: `<changeGroup From="Group1" To= "Group2">` `</changeGroup>`
 
-## <a href="" id="bkmk-include"></a>&lt;include&gt;
+### &lt;include&gt;
 
 This element specifies that its required child, *&lt;pattern&gt;*, should be included in the migration.
 
-Syntax: `<include>``</include>`
+Syntax: `<include>` `</include>`
 
-## <a href="" id="bkmk-exclude"></a>&lt;exclude&gt;
+### &lt;exclude&gt;
 
 This element specifies that its required child, *&lt;pattern&gt;*, should be excluded from the migration.
 
-Syntax: `<exclude>`` </exclude>`
+Syntax: `<exclude>` `</exclude>`
 
-## <a href="" id="bkmk-sampleconfigxjmlfile"></a>Sample Config.xml File
+## Sample Config.xml File
 
-Refer to the following sample Config.xml file for additional details about items you can choose to exclude from a migration.
+Refer to the following sample `Config.xml` file for more details about items you can choose to exclude from a migration.
+<br>
+<br>
+<details>
+  <summary>Expand for sample Config.xml file:</summary>
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
@@ -458,6 +427,8 @@ Refer to the following sample Config.xml file for additional details about items
 </Configuration>
 ```
 
-## Related topics
+</details>
 
-[USMT XML Reference](usmt-xml-reference.md)
+## Related articles
+
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index 2af6d73993..e12ed6ff62 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -1,68 +1,43 @@
 ---
 title: Conflicts and Precedence (Windows 10)
-description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence.
+description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Conflicts and Precedence
+# Conflicts and precedence
 
-When you include, exclude, and reroute files and settings, it is important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind.
+When you include, exclude, and reroute files and settings, it's important to know how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence. When working with USMT, the following are the most important conflicts and precedence guidelines to keep in mind.
 
--   **If there are conflicting rules within a component, the most specific rule is applied.** However, the &lt;unconditionalExclude&gt; rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting include and exclude rules?](#bkmk1) and the first example in [Include and exclude precedence examples](#precexamples)****later in this topic.
+- **If there are conflicting rules within a component, the most specific rule is applied.** However, the **&lt;unconditionalExclude&gt;** rule is an exception because it takes precedence over all others. Directory names take precedence over file extensions. For examples, see [What happens when there are conflicting &lt;include&gt; and &lt;exclude&gt; rules?](#what-happens-when-there-are-conflicting-include-and-exclude-rules) and the first example in [&lt;include&gt; and &lt;exclude&gt; rules precedence examples](#include-and-exclude-rules-precedence-examples) later in this article.
 
--   **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components do not affect each other, except for the &lt;unconditionalExclude&gt; rule.
+- **Only rules inside the same component can affect each other, depending on specificity.** Rules that are in different components don't affect each other, except for the **&lt;unconditionalExclude&gt;** rule.
 
--   **If the rules are equally specific, &lt;exclude&gt; takes precedence over &lt;include&gt;.** For example, if you use the &lt;exclude&gt; rule to exclude a file and use the &lt;include&gt; rule to include the same file, the file will be excluded.
+- **If the rules are equally specific, &lt;exclude&gt; takes precedence over &lt;include&gt;.** For example, if you use the **&lt;exclude&gt;** rule to exclude a file and use the **&lt;include&gt;** rule to include the same file, the file will be excluded.
 
--   **The ordering of components does not matter.** It does not matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files.
+- **The ordering of components does not matter.** It doesn't matter which components are listed in which .xml file, because each component is processed independently of the other components across all of the .xml files.
 
--   **The ordering of the &lt;include&gt; and &lt;exclude&gt; rules within a component does not matter.**
+- **The ordering of the &lt;include&gt; and &lt;exclude&gt; rules within a component does not matter.**
 
--   **You can use the &lt;unconditionalExclude&gt; element to globally exclude data.** This element excludes objects, regardless of any other &lt;include&gt; rules that are in the .xml files. For example, you can use the &lt;unconditionalExclude&gt; element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData.
-
-## In this topic
-
-**General**
-
--   [What is the relationship between rules that are located within different components?](#bkmk2)
-
--   [How does precedence work with the Config.xml file?](#bkmk3)
-
--   [How does USMT process each component in an .xml file with multiple components?](#bkmk4)
-
--   [How are rules processed?](#bkmk5)
-
--   [How does USMT combine all of the .xml files that I specify on the command line?](#bkmk6)
-
-**The &lt;include&gt; and &lt;exclude&gt; rules**
-
--   [What happens when there are conflicting include and exclude rules?](#bkmk1)
-
--   [&lt;include&gt; and &lt;exclude&gt; precedence examples](#precexamples)
-
-**File collisions**
-
--   [What is the default behavior when there are file collisions?](#collisions)
-
--   [How does the &lt;merge&gt; rule work when there are file collisions?](#bkmk11)
+- **You can use the &lt;unconditionalExclude&gt; element to globally exclude data.** This element excludes objects, regardless of any other **&lt;include&gt;** rules that are in the .xml files. For example, you can use the **&lt;unconditionalExclude&gt;** element to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`.
 
 ## General
 
-### <a href="" id="bkmk2"></a>What is the relationship between rules that are located within different components?
+### What is the relationship between rules that are located within different components?
 
-Only rules inside the same component can affect each other, depending on specificity, except for the &lt;unconditionalExclude&gt; rule. Rules that are in different components do not affect each other. If there is an &lt;include&gt; rule in one component and an identical &lt;exclude&gt; rule in another component, the data will be migrated because the two rules are independent of each other.
+Only rules inside the same component can affect each other, depending on specificity, except for the **&lt;unconditionalExclude&gt;** rule. Rules that are in different components don't affect each other. If there's an **&lt;include&gt;** rule in one component and an identical **&lt;exclude&gt;** rule in another component, the data will be migrated because the two rules are independent of each other.
 
-If you have an &lt;include&gt; rule in one component and a &lt;locationModify&gt; rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the &lt;include&gt; rule, and it will be migrated based on the &lt;locationModify&gt; rule.
+If you have an **&lt;include&gt;** rule in one component and a **&lt;locationModify&gt;** rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the **&lt;include&gt;** rule, and it will be migrated based on the **&lt;locationModify&gt;** rule.
 
-The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the &lt;exclude&gt; rule is specified in a separate component.
+The following .xml file migrates all files from C:\\Userdocs, including .mp3 files, because the **&lt;exclude&gt;** rule is specified in a separate component.
 
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/UserDocs">
 <component type="Documents" context="System">
 <displayName>User Documents</displayName>
@@ -92,11 +67,11 @@ The following .xml file migrates all files from C:\\Userdocs, including .mp3 fil
 </migration>
 ```
 
-### <a href="" id="bkmk3"></a>How does precedence work with the Config.xml file?
+### How does precedence work with the Config.xml file?
 
-Specifying `migrate="no"` in the Config.xml file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded.
+Specifying `migrate="no"` in the `Config.xml` file is the same as deleting the corresponding component from the migration .xml file. However, if you set `migrate="no"` for My Documents, but you have a rule similar to the one shown below in a migration .xml file (which includes all of the .doc files from My Documents), then only the .doc files will be migrated, and all other files will be excluded.
 
-``` xml
+```xml
 <include>
    <objectSet>
       <pattern type="File">%CSIDL_PERSONAL%\* [*.doc] </pattern>
@@ -104,31 +79,31 @@ Specifying `migrate="no"` in the Config.xml file is the same as deleting the cor
 </include> 
 ```
 
-### <a href="" id="bkmk4"></a>How does USMT process each component in an .xml file with multiple components?
+### How does USMT process each component in an .xml file with multiple components?
 
-The ordering of components does not matter. Each component is processed independently of other components. For example, if you have an &lt;include&gt; rule in one component and a &lt;locationModify&gt; rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the &lt;include&gt; rule, and it will be migrated based on the &lt;locationModify&gt; rule.
+The ordering of components doesn't matter. Each component is processed independently of other components. For example, if you have an **&lt;include&gt;** rule in one component and a **&lt;locationModify&gt;** rule in another component for the same file, the file will be migrated in both places. That is, it will be included based on the **&lt;include&gt;** rule, and it will be migrated based on the **&lt;locationModify&gt;** rule.
 
-### <a href="" id="bkmk5"></a>How are rules processed?
+### How are rules processed?
 
 There are two broad categories of rules.
 
--   **Rules that affect the behavior of both the ScanState and LoadState tools**. For example, the &lt;include&gt;, &lt;exclude&gt;, and &lt;unconditionalExclude&gt; rules are processed for each component in the .xml files. For each component, USMT creates an include list and an exclude list. Some of the rules in the component might be discarded due to specificity, but all of the remaining rules are processed. For each &lt;include&gt; rule, USMT iterates through the elements to see if any of the locations need to be excluded. USMT enumerates all of the objects and creates a list of objects it is going to collect for each user. Once the list is complete, each of the objects is stored or migrated to the destination computer.
+- **Rules that affect the behavior of both the ScanState and LoadState tools**. For example, the **&lt;include&gt;**, **&lt;exclude&gt;**, and **&lt;unconditionalExclude&gt;** rules are processed for each component in the .xml files. For each component, USMT creates an include list and an exclude list. Some of the rules in the component might be discarded due to specificity, but all of the remaining rules are processed. For each **&lt;include&gt;** rule, USMT iterates through the elements to see if any of the locations need to be excluded. USMT enumerates all of the objects and creates a list of objects it's going to collect for each user. Once the list is complete, each of the objects is stored or migrated to the destination computer.
 
--   **Rules that affect the behavior of only the LoadState tool**. For example, the &lt;locationModify&gt;, &lt;contentModify&gt;, and &lt;destinationCleanup&gt; rules do not affect ScanState. They are processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the &lt;locationModify&gt;and &lt;contentModify&gt; rules. Then, LoadState processes all of the &lt;destinationCleanup&gt; rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer.
+- **Rules that affect the behavior of only the LoadState tool**. For example, the **&lt;locationModify&gt;**, **&lt;contentModify&gt;**, and **&lt;destinationCleanup&gt;** rules don't affect ScanState. They're processed only with LoadState. First, the LoadState tool determines the content and location of each component based on the **&lt;locationModify&gt;** and **&lt;contentModify&gt;** rules. Then, LoadState processes all of the **&lt;destinationCleanup&gt;** rules and deletes data from the destination computer. Lastly, LoadState applies the components to the computer.
 
-### <a href="" id="bkmk6"></a>How does USMT combine all of the .xml files that I specify on the command line?
+### How does USMT combine all of the .xml files that I specify on the command line?
 
-USMT does not distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid.
+USMT doesn't distinguish the .xml files based on their name or content. It processes each component within the files separately. USMT supports multiple .xml files only to make it easier to maintain and organize the components within them. Because USMT uses a urlid to distinguish each component from the others, be sure that each .xml file that you specify on the command line has a unique migration urlid.
 
-## <a href="" id="the--include--and--exclude--rules"></a>The &lt;include&gt; and &lt;exclude&gt; rules
+## The &lt;include&gt; and &lt;exclude&gt; rules
 
-### <a href="" id="bkmk1"></a>What happens when there are conflicting &lt;include&gt; and &lt;exclude&gt; rules?
+### What happens when there are conflicting &lt;include&gt; and &lt;exclude&gt; rules?
 
-If there are conflicting rules within a component, the most specific rule is applied, except with the &lt;unconditionalExclude&gt; rule, which takes precedence over all other rules. If the rules are equally specific, then the data will be not be migrated. For example if you exclude a file, and include the same file, the file will not be migrated. If there are conflicting rules within different components, the rules do not affect each other because each component is processed independently.
+If there are conflicting rules within a component, the most specific rule is applied, except with the **&lt;unconditionalExclude&gt;** rule, which takes precedence over all other rules. If the rules are equally specific, then the data won't be migrated. For example if you exclude a file, and include the same file, the file won't be migrated. If there are conflicting rules within different components, the rules don't affect each other because each component is processed independently.
 
-In the following example, mp3 files will not be excluded from the migration. This is because directory names take precedence over the file extensions.
+In the following example, mp3 files won't be excluded from the migration. The mp3 files won't be excluded because directory names take precedence over the file extensions.
 
-``` xml
+```xml
 <include>
      <objectSet>
           <pattern type="File">C:\Data\* [*]</pattern>
@@ -141,72 +116,72 @@ In the following example, mp3 files will not be excluded from the migration. Thi
 </exclude>  
 ```
 
-### <a href="" id="precexamples"></a>&lt;include&gt; and &lt;exclude&gt; rules precedence examples
+### &lt;include&gt; and &lt;exclude&gt; rules precedence examples
 
-These examples explain how USMT deals with &lt;include&gt; and &lt;exclude&gt; rules. When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files.
+These examples explain how USMT deals with **&lt;include&gt;** and **&lt;exclude&gt;** rules. When the rules are in different components, the resulting behavior will be the same regardless of whether the components are in the same or in different migration .xml files.
 
--   [Including and excluding files](#filesex)
+- [Including and excluding files](#including-and-excluding-files)
 
--   [Including and excluding registry objects](#regex)
+- [Including and excluding registry objects](#including-and-excluding-registry-objects)
 
-### <a href="" id="filesex"></a>Including and excluding files
+### Including and excluding files
 
 | If you have the following code in the same component | Resulting behavior | Explanation |
 |-----|-----|-----|
-| <ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:* [.txt]&lt;/pattern&gt;</li></ul> | Migrates all files and subfolders in Dir1 (including all .txt files in C:). | The &lt;exclude&gt; rule does not affect the migration because the &lt;include&gt; rule is more specific. |
+| <ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:* [.txt]&lt;/pattern&gt;</li></ul> | Migrates all files and subfolders in Dir1 (including all .txt files in C:). | The **&lt;exclude&gt;** rule doesn't affect the migration because the **&lt;include&gt;** rule is more specific. |
 | <ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li></ul> | Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1\Dir2 and its subfolders. | Both rules are processed as intended. |
 | <ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\ * [.txt]&lt;/pattern&gt;</li></ul> | Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1 and its subfolders. | Both rules are processed as intended. |
-| <ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li></ul> | Nothing will be migrated. | The rules are equally specific, so the &lt;exclude&gt; rule takes precedence over the &lt;include&gt; rule. |
+| <ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li></ul> | Nothing will be migrated. | The rules are equally specific, so the **&lt;exclude&gt;** rule takes precedence over the **&lt;include&gt;** rule. |
 | <ul><li>Include rule: C:\Dir1* [.txt]</li><li>Exclude rule: C:\Dir1\Dir2* []</li></ul> | Migrates the .txt files in Dir1 and the .txt files from subfolders other than Dir2. <br/>No files are migrated from Dir2 or its subfolders. | Both rules are processed as intended. |
 | <ul><li>Include rule: C:\Dir1\Dir2* []</li><li>Exclude rule: C:\Dir1* [.txt]</li></ul> | Migrates all files and subfolders of Dir2, except the .txt files from Dir1 and any subfolders of Dir1 (including Dir2). | Both rules are processed as intended. |
 
 | If you have the following code in different components | Resulting behavior | Explanation |
 |-----|----|----|
-| Component 1:<ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li></ul> <br/>Component 2:<ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li></ul> | Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2). | Rules that are in different components do not affect each other, except for the &lt;unconditionalExclude&gt; rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed. |
+| Component 1:<ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li></ul> <br/>Component 2:<ul><li>Include rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1\Dir2* [.txt]&lt;/pattern&gt;</li><li>Exclude rule: &lt;pattern type=&quot;File&quot;&gt;C:\Dir1* []&lt;/pattern&gt;</li></ul> | Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2). | Rules that are in different components don't affect each other, except for the **&lt;unconditionalExclude&gt;** rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed. |
 | Component 1:<ul><li>Include rule: C:\Dir1\Dir2* []</li></ul> <br/>Component 2:<ul><li>Exclude rule: C:\Dir1* [.txt]</li></ul> | Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders. | Both rules are processed as intended. |
-| Component 1:<ul><li>Exclude rule: C:\Dir1\Dir2* []</li></ul> <br/>Component 2:<ul><li>Include rule: C:\Dir1* [.txt]</li></ul> | Migrates all .txt files in Dir1 and any subfolders. | Component 1 does not contain an &lt;include&gt; rule, so the &lt;exclude&gt; rule is not processed. |
+| Component 1:<ul><li>Exclude rule: C:\Dir1\Dir2* []</li></ul> <br/>Component 2:<ul><li>Include rule: C:\Dir1* [.txt]</li></ul> | Migrates all .txt files in Dir1 and any subfolders. | Component 1 doesn't contain an **&lt;include&gt;** rule, so the **&lt;exclude&gt;** rule isn't processed. |
 
-### <a href="" id="regex"></a>Including and excluding registry objects
+### Including and excluding registry objects
 
 | If you have the following code in the same component | Resulting behavior | Explanation |
 |-----|-----|-----|
 | <ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor* []</li><li>Exclude Rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li></ul> | Migrates all keys in HKLM\Software\Microsoft\Command Processor except DefaultColor. | Both rules are processed as intended. |
-| <ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li><li>Exclude Rule: <br/>HKLM\Software\Microsoft\Command Processor* []</li></ul> | Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor. | DefaultColor is migrated because the &lt;include&gt; rule is more specific than the &lt;exclude&gt; rule. |
-| <ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li><li>Exclude rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li></ul> | Does not migrate DefaultColor. | The rules are equally specific, so the &lt;exclude&gt; rule takes precedence over the &lt;include&gt; rule. |
+| <ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li><li>Exclude Rule: <br/>HKLM\Software\Microsoft\Command Processor* []</li></ul> | Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor. | DefaultColor is migrated because the **&lt;include&gt;** rule is more specific than the **&lt;exclude&gt;** rule. |
+| <ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li><li>Exclude rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li></ul> | Doesn't migrate DefaultColor. | The rules are equally specific, so the **&lt;exclude&gt;** rule takes precedence over the &lt;include&gt; rule. |
 
 | If you have the following code in different components | Resulting behavior | Explanation |
 |-----|-----|-----|
-| Component 1:<ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li><li>Exclude rule: <br/>HKLM\Software\Microsoft\Command Processor* []</li></ul> <br/>Component 2:<ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor* []</li><li>Exclude rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li></ul> | Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor. | Rules that are in different components do not affect each other, except for the &lt;unconditionalExclude&gt; rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed. |
+| Component 1:<ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li><li>Exclude rule: <br/>HKLM\Software\Microsoft\Command Processor* []</li></ul> <br/>Component 2:<ul><li>Include rule: <br/>HKLM\Software\Microsoft\Command Processor* []</li><li>Exclude rule: <br/>HKLM\Software\Microsoft\Command Processor [DefaultColor]</li></ul> | Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor. | Rules that are in different components don't affect each other, except for the **&lt;unconditionalExclude&gt;** rule. Therefore, in this example, the objects that were excluded when Component 1 was processed were included when Component 2 was processed. |
 
 ## File collisions
 
-### <a href="" id="collisions"></a>What is the default behavior when there are file collisions?
+### What is the default behavior when there are file collisions?
 
-If there is not a &lt;merge&gt; rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on.
+If there isn't a **&lt;merge&gt;** rule, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally: for example, OriginalFileName(1).OriginalExtension, OriginalFileName(2).OriginalExtension, and so on.
 
-### <a href="" id="bkmk11"></a>How does the &lt;merge&gt; rule work when there are file collisions?
+### How does the &lt;merge&gt; rule work when there are file collisions?
 
-When a collision is detected, USMT will select the most specific &lt;merge&gt; rule and apply it to resolve the conflict. For example, if you have a &lt;merge&gt; rule for C:\\\* \[\*\] set to **sourcePriority()** and another &lt;merge&gt; rule for C:\\subfolder\\\* \[\*\] set to **destinationPriority()** , then USMT uses the destinationPriority() rule because it is the most specific.
+When a collision is detected, USMT will select the most specific **&lt;merge&gt;** rule and apply it to resolve the conflict. For example, if you have a **&lt;merge&gt;** rule for **C:\\\* \[\*\]** set to **sourcePriority()** and another **&lt;merge&gt;** rule for **C:\\subfolder\\\* \[\*\]** set to **destinationPriority()** , then USMT uses the **destinationPriority()** rule because it's the most specific.
 
 ### Example scenario
 
 The source computer contains the following files:
 
--   C:\\Data\\SampleA.txt
+- `C:\Data\SampleA.txt`
 
--   C:\\Data\\SampleB.txt
+- `C:\Data\SampleB.txt`
 
--   C:\\Data\\Folder\\SampleB.txt
+- `C:\Data\Folder\SampleB.txt`
 
 The destination computer contains the following files:
 
--   C:\\Data\\SampleB.txt
+- `C:\Data\SampleB.txt`
 
--   C:\\Data\\Folder\\SampleB.txt
+- `C:\Data\SampleB.txt`
 
 You have a custom .xml file that contains the following code:
 
-``` xml
+```xml
 <include> 
    <objectSet> 
       <pattern type="File">c:\data\* [*]</pattern> 
@@ -216,7 +191,7 @@ You have a custom .xml file that contains the following code:
 
 For this example, the following information describes the resulting behavior if you add the code to your custom .xml file.
 
-**Example 1**
+#### Example 1
 
 ```xml
 <merge script="MigXmlHelper.DestinationPriority()">
@@ -226,9 +201,9 @@ For this example, the following information describes the resulting behavior if
 </merge>
 ```
 
-**Result**: During ScanState, all the files will be added to the store. During LoadState, only C:\Data\SampleA.txt will be restored.
+**Result**: During ScanState, all the files will be added to the store. During LoadState, only `C:\Data\SampleA.txt` will be restored.
 
-**Example 2**
+#### Example 2
 
 ```xml
 <merge script="MigXmlHelper.SourcePriority()">
@@ -241,7 +216,7 @@ For this example, the following information describes the resulting behavior if
 **Result**: During ScanState, all the files will be added to the store.
 During LoadState, all the files will be restored, overwriting the existing files on the destination computer.
 
-**Example 3**
+#### Example 3
 
 ```xml
 <merge script="MigXmlHelper.SourcePriority()">
@@ -251,12 +226,12 @@ During LoadState, all the files will be restored, overwriting the existing files
 </merge>
 ```
 
-**Result**: During ScanState, all the files will be added to the store. During LoadState, the following will occur:
+**Result**: During ScanState, all the files will be added to the store. During LoadState, the following actions will occur:
 
-- C:\Data\SampleA.txt will be restored.
-- C:\Data\SampleB.txt will be restored, overwriting the existing file on the destination computer.
-- C:\Data\Folder\SampleB.txt will not be restored.
+- `C:\Data\SampleA.txt` will be restored.
+- `C:\Data\SampleB.txt` will be restored, overwriting the existing file on the destination computer.
+- `C:\Data\Folder\SampleB.txt` won't be restored.
 
-## Related topics
+## Related articles
 
-[USMT XML Reference](usmt-xml-reference.md)
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 1d0f8da736..88db104333 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -2,20 +2,27 @@
 title: Custom XML Examples (Windows 10)
 description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the My Videos folder.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/01/2022
 ---
 
 # Custom XML Examples
 
-## <a href="" id="example"></a>Example 1: Migrating an Unsupported Application
+## Example 1: Migrating an unsupported application
 
-The following is a template for the sections that you need to migrate your application. The template isn't functional on its own, but you can use it to write your own .xml file.
+The following template is a template for the sections that you need to migrate your application. The template isn't functional on its own, but you can use it to write your own .xml file.
 
-``` xml
+**Template**
+<br>
+<details>
+  <summary>Expand to show <b>Example 1</b> application template:</summary>
+
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migtestapp">
   <component type="Application">
     <!-- Name of the application -->
@@ -79,25 +86,30 @@ The following is a template for the sections that you need to migrate your appli
 </migration>
 ```
 
-## <a href="" id="example2"></a>Example 2: Migrating the My Videos Folder
+</details>
 
-The following sample is a custom .xml file named CustomFile.xml that migrates My Videos for all users, if the folder exists on the source computer.
+## Example 2: Migrating the My Videos folder
 
-- **Sample condition**: Verifies that My Videos exists on the source computer:
+The following sample is a custom .xml file named `CustomFile.xml` that migrates **My Videos** for all users, if the folder exists on the source computer.
+
+- **Sample condition**: Verifies that **My Videos** exists on the source computer:
 
   `<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>`
 
-- **Sample filter**: Filters out the shortcuts in My Videos that don't resolve on the destination computer:
+- **Sample filter**: Filters out the shortcuts in **My Videos** that don't resolve on the destination computer:
 
   `<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>`
 
-  This has no effect on files that aren't shortcuts. For example, if there's a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering.
+  This filter has no effect on files that aren't shortcuts. For example, if there's a shortcut in **My Videos** on the source computer that points to `C:\Folder1`, that shortcut will be migrated only if `C:\Folder1` exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering.
 
-- **Sample pattern**: Migrates My Videos for all users:
+- **Sample pattern**: Migrates **My Videos** for all users:
 
   `<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>`
 
 **XML file**
+<br>
+<details>
+  <summary>Expand to show <b>Example 2</b> XML file:</summary>
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
@@ -122,11 +134,13 @@ The following sample is a custom .xml file named CustomFile.xml that migrates My
 </migration>
 ```
 
-## <a href="" id="example3"></a>Example 3: Migrating Files and Registry Keys
+</details>
+
+## Example 3: Migrating files and registry keys
 
 The sample patterns describe the behavior in the following example .xml file.
 
-- **Sample pattern**: Migrates all instances of the file Usmttestfile.txt from all subdirectories under `%ProgramFiles%\USMTTestFolder`:
+- **Sample pattern**: Migrates all instances of the file `Usmttestfile.txt` from all subdirectories under `%ProgramFiles%\USMTTestFolder`:
 
   `<pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>`
 
@@ -143,8 +157,11 @@ The sample patterns describe the behavior in the following example .xml file.
   `<pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>`
 
 **XML file**
+<br>
+<details>
+  <summary>Expand to show <b>Example 3</b> XML file:</summary>
 
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/testfilemig">
   <component type="Application" context="System">
    <displayName>File Migration Test</displayName>
@@ -175,12 +192,18 @@ The sample patterns describe the behavior in the following example .xml file.
 </migration>
 ```
 
-## <a href="" id="example4"></a>Example 4: Migrating Specific Folders from Various Locations
+</details>
 
+## Example 4: Migrating specific folders from various locations
 
 The behavior for this custom .xml file is described within the `<displayName>` tags in the code.
 
-``` xml
+**XML file**
+<br>
+<details>
+  <summary>Expand to show <b>Example 4</b> XML file:</summary>
+
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 
 <component type="Documents" context="System">
@@ -249,8 +272,10 @@ The behavior for this custom .xml file is described within the `<displayName>` t
 </migration>
 ```
 
-## Related topics
+</details>
 
-[USMT XML Reference](usmt-xml-reference.md)
+## Related articles
 
-[Customize USMT XML Files](usmt-customize-xml-files.md)
+[USMT XML reference](usmt-xml-reference.md)
+
+[Customize USMT XML files](usmt-customize-xml-files.md)
diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md
index cc06b5e0ea..9b4a91454c 100644
--- a/windows/deployment/usmt/usmt-customize-xml-files.md
+++ b/windows/deployment/usmt/usmt-customize-xml-files.md
@@ -2,134 +2,102 @@
 title: Customize USMT XML Files (Windows 10)
 description: Learn how to customize USMT XML files. Also, learn about the migration XML files that are included with USMT.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Customize USMT XML Files
+# Customize USMT XML files
 
+## Overview
 
-## In This Topic
+If you want the ScanState and LoadState tools to use any of the migration .xml files, specify these files at the command line using the `/i` option. Because the ScanState and LoadState tools need the .xml files to control the migration, specify the same set of .xml files for both the `ScanState.exe` and `LoadState.exe` commands. However, you don't have to specify the `Config.xml` file with the `/config` option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To achieve this scenario, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. Then the `LoadState.exe` command will migrate only the files and settings that you want to migrate.
 
+If you leave out an .xml file from the `LoadState.exe` command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the `ScanState.exe` command won't apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as:
 
-[Overview](#bkmk-overview)
+`MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`
 
-[Migration .xml Files](#bkmk-migxml)
-
-[Custom .xml Files](#bkmk-customxmlfiles)
-
-[The Config.xml File](#bkmk-configxml)
-
-[Examples](#bkmk-examples)
-
-[Additional Information](#bkmk-addlinfo)
-
-## <a href="" id="bkmk-overview"></a>Overview
-
-
-If you want the **ScanState** and **LoadState** tools to use any of the migration .xml files, specify these files at the command line using the **/i** option. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, specify the same set of .xml files for both the **ScanState** and **LoadState** commands. However, you do not have to specify the Config.xml file with the **/config** option, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. Then the **LoadState** command will migrate only the files and settings that you want to migrate.
-
-If you leave out an .xml file from the **LoadState** command, all of the data in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified with the **ScanState** command will not apply. For example, if you leave out an .xml file, and it contains a rerouting rule such as: `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files, and they will be migrated to C:\\data.
+USMT won't reroute the files, and they'll be migrated to `C:\data`.
 
 To modify the migration, do one or more of the following.
 
--   **Modify the migration .xml files.** If you want to exclude a portion of a component—for example, you want to migrate C:\\ but exclude all of the .mp3 files—or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want **ScanState** and **LoadState** to use these files, specify them at the command line when each command is entered.
+- **Modify the migration .xml files.** If you want to exclude a portion of a component, for example, you want to migrate C:\\ but exclude all of the .mp3 files, or if you want to move data to a new location on the destination computer, modify the .xml files. To modify these files, you must be familiar with the migration rules and syntax. If you want ScanState and LoadState to use these files, specify them at the command line when each command is entered.
 
--   **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For **ScanState** and **LoadState** to use this file, specify them on both command lines.
+- **Create a custom .xml file.** You can also create a custom .xml file to migrate settings for another application, or to change the migration behavior to suit your needs. For ScanState and LoadState to use this file, specify them on both command lines.
 
--   **Create and modify a Config.xml file.** Do this if you want to exclude an entire component from the migration. For example, you can use a Config.xml file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a Config.xml file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. In addition, using a Config.xml file is the only way to exclude the operating system settings from being migrated.
+- **Create and modify a Config.xml file.** Create and modify a `Config.xml` file if you want to exclude an entire component from the migration. For example, you can use a `Config.xml` file to exclude the entire My Documents folder, or exclude the settings for an application. Excluding components using a `Config.xml` file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax. In addition, using a `Config.xml` file is the only way to exclude the operating system settings from being migrated.
 
-For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
+For more information about excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) article.
 
-## <a href="" id="bkmk-migxml"></a>Migration .xml Files
+## Migration .xml files
 
+This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they're migrated to on the destination computer.
 
-This section describes the migration .xml files that are included with USMT. Each file contains migration rules that control which components are migrated and where they are migrated to on the destination computer.
+> [!NOTE]
+> You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character.
 
-**Note**  
-You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character.
+- **The MigApp.xml file.** Specify this file with both the `ScanState.exe` and `LoadState.exe` commands to migrate application settings.
 
- 
+- **The MigDocs.xml file.** Specify this file with both the ScanState and LoadState tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it doesn't find and migrate any application data, program files, or any files in the Windows directory. You can modify the `MigDocs.xml` file.
 
--   **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings.
+- **The MigUser.xml file.** Specify this file with both the `ScanState.exe` and `LoadState.exe` commands to migrate user folders, files, and file types. You can modify the `MigUser.xml` file. This file doesn't contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the ScanState and the LoadState user options.
 
--   **The MigDocs.xml file.** Specify this file with both the **ScanState** and **LoadState** tools to migrate all user folders and files that are found by the **MigXmlHelper.GenerateDocPatterns** helper function. This helper function finds user data that resides on the root of any drive and in the Users directory. However, it does not find and migrate any application data, program files, or any files in the Windows directory. You can modify the MigDocs.xml file.
+> [!NOTE]
+> Don't use the `MigUser.xml` and `MigDocs.xml` files together. For more information, see the [Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md) and [USMT best practices](usmt-best-practices.md) articles.
 
--   **The MigUser.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate user folders, files, and file types. You can modify the MigUser.xml file. This file does not contain rules that migrate specific user accounts. The only way to specify which user accounts to migrate is on the command line using the **ScanState** and the **LoadState** user options.
+## Custom .xml files
 
-    **Note**  
-    Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics.
+You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want `ScanState.exe` and `LoadState.exe` to use this file, specify it with both commands. For more information, see the [Custom XML examples](usmt-custom-xml-examples.md) article.
 
-     
+## The Config.xml file
 
-## <a href="" id="bkmk-customxmlfiles"></a>Custom .xml Files
+The `Config.xml` file is an optional file that you create using the `/genconfig` option with the `ScanState.exe` command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The `Config.xml` file format is different from the migration .xml files because it doesn't contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) article. For this reason, excluding components using this file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax. However, you can't use wildcard characters in a `Config.xml` file.
 
+If you want to include all of the default components, you don't need to create the `Config.xml` file. Alternatively, if you're satisfied with the default migration behavior defined in the `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml` files, and you want to exclude only some components, you can create and modify a `Config.xml` file and leave the other .xml files in their original state.
 
-You can create custom .xml files to customize the migration for your unique needs. For example, you may want to create a custom file to migrate a line-of-business application or to modify the default migration behavior. If you want **ScanState** and **LoadState** to use this file, specify it with both commands. For more information, see the How to Create a Custom .xml File topic.
+When you run the `ScanState.exe` command with the `/genconfig` option, `ScanState.exe` reads the other .xml files that you specify using the `/i` option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the `ScanState.exe` command with the `/genconfig` option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. Creating the file on the source computer will ensure that this file contains every component that can be migrated. The components are organized into sections: &lt;Applications&gt;, &lt;WindowsComponents&gt;, and &lt;Documents&gt;. To choose not to migrate a component, change its entry to `migrate="no"`.
 
-## <a href="" id="bkmk-configxml"></a>The Config.xml File
+After you create this file, you need to specify it only with the `ScanState.exe` command using the `/Config` option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. For example, if you collected the My Documents folder in the store, but you decide that you don't want to migrate the My Documents folder to a destination computer, you can modify the `Config.xml` file to indicate `migrate="no"` before you run the `LoadState.exe` command, and the file won't be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude files and settings](usmt-exclude-files-and-settings.md) article.
 
+In addition, note the following functionality with the `Config.xml` file:
 
-The Config.xml file is an optional file that you create using the **/genconfig** option with the **ScanState** command. You should create and modify this file if you want to exclude certain components from the migration. In addition, you must create and modify this file if you want to exclude any of the operating system settings from being migrated. The Config.xml file format is different from that of the migration .xml files because it does not contain any migration rules. It contains only a list of the operating system components, applications, and the user documents that can be migrated. For an example, see the [Config.xml File](usmt-configxml-file.md) topic. For this reason, excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard characters in a Config.xml file.
+- If a parent component is removed from the migration in the `Config.xml` file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`.
 
-If you want to include all of the default components, you do not need to create the Config.xml file. Alternatively, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigDocs.xml, and MigUser.xml files, and you want to exclude only some components, you can create and modify a Config.xml file and leave the other .xml files in their original state.
+- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated.
 
-When you run the **ScanState** command with the **/genconfig** option, **ScanState** reads the other .xml files that you specify using the **/i** option to create a custom list of components that can be migrated from the computer. This file will contain only operating system components, applications, and the user document sections that are in both of the .xml files and that are installed on the computer when you run the **ScanState** command with the **/genconfig** option. Therefore, you should create this file on a source computer that contains all of the components, applications, and settings that will be present on the destination computers. This will ensure that this file contains every component that can be migrated. The components are organized into sections: &lt;Applications&gt;, &lt;WindowsComponents&gt;, and &lt;Documents&gt;. To choose not to migrate a component, change its entry to `migrate="no"`.
+- In USMT, there are several migration policies that can be configured in the `Config.xml` file. For example, you can configure additional **&lt;ErrorControl&gt;**, **&lt;ProfileControl&gt;**, and **&lt;HardLinkStoreControl&gt;** options. For more information, see the [Config.xml File](usmt-configxml-file.md) article.
 
-After you create this file, you need to specify it only with the **ScanState** command using the **/Config** option for it to affect the migration. However, if you want to exclude additional data that you migrated to the store, modify the Config.xml file and specify the updated file with the **LoadState** command. For example, if you collected the My Documents folder in the store, but you decide that you do not want to migrate the My Documents folder to a destination computer, you can modify the Config.xml file to indicate `migrate="no"` before you run the **LoadState** command, and the file will not be migrated. For more information about the precedence that takes place when excluding data, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic.
+> [!NOTE]
+> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration.
 
-In addition, note the following functionality with the Config.xml file:
+### Examples
 
--   If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`.
+- The following command creates a `Config.xml` file in the current directory, but it doesn't create a store:
 
--   If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated.
+    `ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:5`
 
--   In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **&lt;ErrorControl&gt;**, **&lt;ProfileControl&gt;**, and **&lt;HardLinkStoreControl&gt;** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic.
+- The following command creates an encrypted store using the `Config.xml` file and the default migration .xml files:
 
-**Note**  
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
+    `ScanState.exe \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /o /config:Config.xml /v:5 /encrypt /key:"mykey"`
 
- 
+- The following command decrypts the store and migrates the files and settings:
 
-### <a href="" id="bkmk-examples"></a>Examples
+    `LoadState.exe \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /v:5 /decrypt /key:"mykey"`
 
--   The following command creates a Config.xml file in the current directory, but it does not create a store:
+## Additional information
 
-    `scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:5`
-
--   The following command creates an encrypted store using the Config.xml file and the default migration .xml files:
-
-    `scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:5 /encrypt /key:"mykey"`
-
--   The following command decrypts the store and migrates the files and settings:
-
-    `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:5 /decrypt /key:"mykey"`
-
-## <a href="" id="bkmk-addlinfo"></a>Additional Information
-
-
--   For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
-
--   For more information about each .xml element, see the [XML Elements Library](usmt-xml-elements-library.md) topic.
-
--   For answers to common questions, see ".xml files" in the [Frequently Asked Questions](usmt-faq.yml) topic.
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
-[USMT Resources](usmt-resources.md)
-
- 
-
- 
+- For more information about how to change the files and settings that are migrated, see the [User State Migration Tool (USMT) how-to topics](usmt-how-to.md).
 
+- For more information about each .xml element, see the [XML elements library](usmt-xml-elements-library.md) article.
 
+- For answers to common questions, see ".xml files" in the [Frequently asked questions](usmt-faq.yml) article.
 
+## Related articles
 
+[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)
 
+[USMT resources](usmt-resources.md)
diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
index 19d8cf1875..ed6b5bc177 100644
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md
+++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md
@@ -1,32 +1,41 @@
 ---
 title: Determine What to Migrate (Windows 10)
-description: Determine migration settings for standard or customized for the User State Migration Tool (USMT) 10.0.
+description: Determine migration settings for standard or customized for the User State Migration Tool (USMT) 10.0.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Determine What to Migrate
+# Determine what to migrate
 
-By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration.
+By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration.
 
 However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize.
 
-To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. This means selecting a baseline for all computers, including standard hardware drivers; core operating system features; core productivity applications, especially if they are under volume licensing; and core utilities. This environment should also include a standard set of security features, as outlined in the organization’s corporate policy. Using a standard operating environment can vastly simplify the migration and reduce overall deployment challenges.
+To reduce complexity and increase standardization, your organization should consider creating a *standard operating environment (SOE)*. An SOE is a combination of hardware and software that you distribute to all users. Creating an SOE means selecting:
 
-## In This Section
+- A baseline for all computers, including standard hardware drivers
+- Core operating system features
+- Core productivity applications, especially if they are under volume licensing
+- Core utilities.
+- A standard set of security features, as outlined in the organization's corporate policy
+
+Using an SOE can vastly simplify the migration and reduce overall deployment challenges.
+
+## In this section
 
 | Link | Description |
 |--- |--- |
-|[Identify Users](usmt-identify-users.md)|Use command-line options to specify which users to migrate and how they should be migrated.|
-|[Identify Applications Settings](usmt-identify-application-settings.md)|Determine which applications you want to migrate and prepare a list of application settings to be migrated.|
-|[Identify Operating System Settings](usmt-identify-operating-system-settings.md)|Use migration to create a new standard environment on each of the destination computers.|
-|[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)|Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.|
+|[Identify users](usmt-identify-users.md)|Use command-line options to specify which users to migrate and how they should be migrated.|
+|[Identify applications settings](usmt-identify-application-settings.md)|Determine which applications you want to migrate and prepare a list of application settings to be migrated.|
+|[Identify operating system settings](usmt-identify-operating-system-settings.md)|Use migration to create a new standard environment on each of the destination computers.|
+|[Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md)|Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.|
 
-## Related topics
+## Related articles
 
-[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
+[What does USMT migrate?](usmt-what-does-usmt-migrate.md)
diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
index 16457cd210..2e1ddfc773 100644
--- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md
+++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md
@@ -2,90 +2,77 @@
 title: Estimate Migration Store Size (Windows 10)
 description: Estimate the disk space requirement for a migration so that you can use User State Migration Tool (USMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Estimate Migration Store Size
-
+# Estimate migration store size
 
 The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool.
 
-## In This Topic
+## Hard disk space requirements
 
+- **Store**: For non-hard-link migrations, you should ensure that there's enough available disk space at the location where you'll save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
 
--   [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers.
+- **Source Computer**: The source computer needs enough available space for the following items:
 
--   [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how large the migration store will be on a particular computer.
+  - **E250 megabytes (MB) minimum of hard disk space**: Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools won't create the migration store if 250 MB of disk space isn't available.
 
--   [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure.
+  - **Temporary space for USMT to run**: Extra disk space for the USMT tools to operate is required. This disk space requirement doesn't include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool.
 
-## <a href="" id="bkmk-spacereqs"></a>Hard Disk Space Requirements
+  - **Hard-link migration store**: It isn't necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be large is when non-NTFS file volumes exist on the system and those volumes contain data being migrated.
 
+- **Destination computer**: The destination computer needs enough available space for the following components:
 
--   **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md).
+  - **Operating system**
 
--   **Source Computer.** The source computer needs enough available space for the following:
+  - **Applications**
 
-    -   [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available.
+  - **Data being migrated**: Data being migrated includes files and registry information.
 
-    -   [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool.
+  - **Temporary space for USMT to run**: Extra disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool.
 
-    -   [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be large is when non-NTFS file systems exist on the system and contain data being migrated.
+## Calculate disk space requirements using the ScanState tool
 
--   [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following components:
+You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It isn't necessary to estimate the migration store size for a hard-link migration since this method doesn't create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day-to-day use so it's recommended that you use the calculations as an estimate when planning your migration.
 
-    -   [Operating system.](#bkmk-estmigstoresize)
+To run the ScanState tool on the source computer with USMT installed:
 
-    -   [Applications.](#bkmk-estmigstoresize)
+1. Open a command prompt with administrator privileges.
 
-    -   [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage.
+2. Navigate to the USMT tools. For example, enter:
 
-    -   [Temporary space for USMT to run.](#bkmk-estmigstoresize) Extra disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool.
-
-## <a href="" id="bkmk-calcdiskspace"></a>Calculate Disk Space Requirements using the ScanState Tool
-
-
-You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day-to-day use so it is recommended that you use the calculations as an estimate when planning your migration.
-
-**To run the ScanState tool on the source computer with USMT installed,**
-
-1.  Open a command prompt with administrator privileges.
-
-2.  Navigate to the USMT tools. For example, type
-
-    ``` syntax
+    ```cmd
     cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\<architecture>"
     ```
 
-    Where *&lt;architecture&gt;* is x86 or amd64.
+    where *&lt;architecture&gt;* is x86 or amd64.
 
-3.  Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, type
+3. Run the **ScanState** tool to generate an XML report of the space requirements. At the command prompt, enter:
 
-    ``` syntax
+    ```cmd
     ScanState.exe <StorePath> /p:<path to a file>
     ```
 
-    Where *&lt;StorePath&gt;* is a path to a directory where the migration store will be saved and *&lt;path to a file&gt;* is the path and filename where the XML report for space requirements will be saved. For example,
+    Where *&lt;StorePath&gt;* is a path to a directory where the migration store will be saved and *&lt;path to a file&gt;* is the path and filename where the XML report for space requirements will be saved. For example:
 
-    ``` syntax
+    ```cmd
     ScanState.exe c:\store /p:c:\spaceRequirements.xml
     ```
 
-    The migration store will not be created by running this command, but `StorePath` is a required parameter.
+    Although a migration store isn't created by running this command, the *&lt;StorePath&gt;* is still a required parameter.
 
-The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this condition in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md).
+The ScanState tool also allows you to estimate disk space requirements based on a customized migration. For example, you might not want to migrate the My Documents folder to the destination computer. You can specify this condition in a configuration file when you run the ScanState tool. For more information, see [Customize USMT XML files](usmt-customize-xml-files.md).
 
-**Note**  
-To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *&lt;path to a file&gt;* is still available in USMT.
+> [!NOTE]
+> To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the `/p` option is still available in USMT without having to specify the path to a file. See [Monitoring Options](usmt-scanstate-syntax.md#monitoring-options) for more information.
 
- 
-
-The space requirements report provides two elements, &lt;**storeSize**&gt; and &lt;**temporarySpace**&gt;. The &lt;**temporarySpace**&gt; value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The &lt;**storeSize**&gt; value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***&lt;path to a file&gt;*.
+The space requirements report provides two elements, &lt;**storeSize**&gt; and &lt;**temporarySpace**&gt;. The &lt;**temporarySpace**&gt; value shows the disk space, in bytes, that USMT uses to operate during the migration but it doesn't include the minimum 250 MB needed to support USMT. The &lt;**storeSize**&gt; value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using `/p:`*&lt;path to a file&gt;*.
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
@@ -99,38 +86,25 @@ The space requirements report provides two elements, &lt;**storeSize**&gt; and &
 </PreMigration>
 ```
 
-Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and will not create a store if the compliance check fails.
+Additionally, USMT performs a compliance check for a required minimum of 250 MB of available disk space and won't create a store if the compliance check fails.
 
-## <a href="" id="bkmk-estmigstoresize"></a>Estimate Migration Store Size
+## Estimating migration store size
 
-
-Determine how much space you will need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate the required space is to survey several computers to arrive at an average for the size of the store that you will need.
+Determine how much space you'll need to store the migrated data. You should base your calculations on the volume of e-mail, personal documents, and system settings for each user. The best way to estimate the required space is to survey several computers to arrive at an average for the size of the store that you'll need.
 
 The amount of space that is required in the store will vary, depending on the local storage strategies your organization uses. For example, one key element that determines the size of migration data sets is e-mail storage. If e-mail is stored centrally, data sets will be smaller. If e-mail is stored locally, such as offline-storage files, data sets will be larger. Mobile users will typically have larger data sets than workstation users. You should perform tests and inventory the network to determine the average data set size in your organization.
 
-**Note**  
-You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store.
+> [!NOTE]
+> You can create a space-estimate file (`Usmtsize.txt`) to estimate the size of the store by using the legacy `/p` command-line option .
 
- 
-
-When trying to determine how much disk space you will need, consider the following issues:
-
--   **E-mail** : If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server.
-
--   **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You do not need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration.
-
--   **User system settings** Five megabytes is adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It is rare, however, for the user-specific portion of the registry to exceed 5 MB.
-
-## Related topics
-
-
-[Common Migration Scenarios](usmt-common-migration-scenarios.md)
-
- 
-
- 
+When trying to determine how much disk space you'll need, consider the following issues:
 
+- **E-mail**: If users deal with a large volume of e-mail or keep e-mail on their local computers instead of on a mail server, the e-mail can take up as much disk space as all other user files combined. Prior to migrating user data, make sure that users who store e-mail locally synchronize their inboxes with their mail server.
 
+- **User documents**: Frequently, all of a user's documents fit into less than 50 MB of space, depending on the types of files involved. This estimate assumes typical office work, such as word-processing documents and spreadsheets. This estimate can vary substantially based on the types of documents that your organization uses. For example, an architectural firm that predominantly uses computer-aided design (CAD) files needs much more space than a law firm that primarily uses word-processing documents. You don't need to migrate the documents that users store on file servers through mechanisms such as Folder Redirection, as long as users will have access to these locations after the migration.
 
+- **User system settings**: Five megabytes is adequate space to save the registry settings. This requirement can fluctuate, however, based on the number of applications that have been installed. It's rare, however, for the user-specific portion of the registry to exceed 5 MB.
 
+## Related articles
 
+[Common migration scenarios](usmt-common-migration-scenarios.md)
diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
index d3db14a398..0956d47d63 100644
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md
@@ -1,51 +1,56 @@
 ---
 title: Exclude Files and Settings (Windows 10)
-description: In this article, learn how to exclude files and settings when creating a custom .xml file and a config.xml file.
+description: In this article, learn how to exclude files and settings when creating a custom .xml file and a Config.xml file.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Exclude Files and Settings
-When you specify the migration .xml files, MigApp.xml, Migdocs, and MigUser.xml, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a Config.xml file to exclude an entire component from a migration. You cannot, however, exclude users by using the migration .xml files or the Config.xml file. The only way to specify which users to include and exclude is by using the User options on the command line in the ScanState tool. For more information, see [ScanState Syntax](usmt-scanstate-syntax.md).
+# Exclude files and settings
 
-In this topic:
+When you specify the migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, the User State Migration Tool (USMT) 10.0 migrates the settings and components listed, as discussed in [What does USMT migrate?](usmt-what-does-usmt-migrate.md) You can create a custom .xml file to further specify what to include or exclude in the migration. In addition you can create a `Config.xml` file to exclude an entire component from a migration. You can't, however, exclude users by using the migration .xml files or the `Config.xml` file. The only way to specify which users to include and exclude is by using the user options on the command line in the ScanState tool. For more information, see the [User options](usmt-scanstate-syntax.md#user-options) section of the [ScanState syntax](usmt-scanstate-syntax.md) article.
 
--   [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude:
+Methods to customize the migration and include and exclude files and settings include:
 
-    -   include and exclude: You can use the &lt;include&gt; and &lt;exclude&gt; elements to exclude objects with conditions. For example, you can migrate all files located in the C:\\ drive, except any .mp3 files. It is important to remember that [Conflicts and Precedence](usmt-conflicts-and-precedence.md) apply to these elements.
+- [Create a custom .xml file](#create-a-custom-xml-file). You can use the following elements to specify what to exclude:
 
-    -   [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the &lt;unconditionalExclude&gt; element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other &lt;include&gt; rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData.
+  - [Include and exclude](#include-and-exclude): You can use the **&lt;include&gt;** and **&lt;exclude&gt;** elements to exclude objects with conditions. For example, you can migrate all files located in the `C:\` drive, except any `.mp3` files. It's important to remember that [Conflicts and precedence](usmt-conflicts-and-precedence.md) apply to these elements.
 
--   [Create a Config.xml File](#create-a-config-xml-file): You can create and modify a Config.xml file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a Config.xml file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax.
+  - [unconditionalExclude](#example-1-how-to-migrate-all-files-from-c-except-mp3-files): You can use the **&lt;unconditionalExclude&gt;** element to globally exclude data. This element takes precedence over all other include and exclude rules in the .xml files. Therefore, this element excludes objects regardless of any other **&lt;include&gt;** rules that are in the .xml files. For example, you can exclude all .mp3 files on the computer, or you can exclude all files from C:\\UserData.
+
+- [Create a Config.xml file](#create-a-config-xml-file): You can create and modify a `Config.xml` file to exclude an entire component from the migration. For example, you can use this file to exclude the settings for one of the default applications. In addition, creating and modifying a `Config.xml` file is the only way to exclude the operating-system settings that are migrated to computers running Windows. Excluding components using this file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax.
 
 ## Create a custom .xml file
-We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
+
+We recommend that you create a custom .xml file instead of modifying the default migration .xml files. When you use a custom .xml file, you can keep your changes separate from the default .xml file, which makes it easier to track your modifications.
 
 ### &lt;include&gt; and &lt;exclude&gt;
-The migration .xml files, MigApp.xml, MigDocs, and MigUser.xml, contain the &lt;component&gt; element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the &lt;include&gt; and &lt;exclude&gt; elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
 
-**Note**  
-If you specify an &lt;exclude&gt; rule, always specify a corresponding &lt;include&gt; rule. Otherwise, if you do not specify an &lt;include&gt; rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied &lt;exclude&gt; rule is unnecessary.
+The migration .xml files, `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`, contain the **&lt;component&gt;** element, which typically represents a self-contained component or an application such as Microsoft® Office Outlook® and Word. To exclude the files and registry settings that are associated with these components, use the **&lt;include&gt;** and **&lt;exclude&gt;** elements. For example, you can use these elements to migrate all files and settings with pattern X except files and settings with pattern Y, where Y is more specific than X. For the syntax of these elements, see [USMT XML Reference](usmt-xml-reference.md).
 
--   [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
+> [!NOTE]
+> If you specify an **&lt;exclude&gt;** rule, always specify a corresponding **&lt;include&gt;** rule. Otherwise, if you do not specify an **&lt;include&gt;** rule, the specific files or settings will not be included. They will already be excluded from the migration. Thus, an unaccompanied **&lt;exclude&gt;** rule is unnecessary.
 
--   [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
+- [Example 1: How to migrate all files from C:\\ except .mp3 files](#example-1-how-to-migrate-all-files-from-c-except-mp3-files)
 
--   [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
+- [Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp](#example-2-how-to-migrate-all-files-located-in-cdata-except-files-in-cdatatmp)
 
--   [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder)
+- [Example 3: How to exclude the files in a folder but include all subfolders](#example-3-how-to-exclude-the-files-in-a-folder-but-include-all-subfolders)
 
--   [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location)
+- [Example 4: How to exclude a file from a specific folder](#example-4-how-to-exclude-a-file-from-a-specific-folder)
+
+- [Example 5: How to exclude a file from any location](#example-5-how-to-exclude-a-file-from-any-location)
+
+### Example 1: How to migrate all files from `C:\` except `.mp3` files
 
-### Example 1: How to migrate all files from C:\\ except .mp3 files
 The following .xml file migrates all files located on the C: drive, except any .mp3 files.
 
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/mp3files">
     <!-- This component migrates all files except those with .mp3 extension-->
     <component type="Documents" context="UserAndSystem">
@@ -67,10 +72,12 @@ The following .xml file migrates all files located on the C: drive, except any .
     </component>
 </migration>
 ```
-### Example 2: How to migrate all files located in C:\\Data except files in C:\\Data\\tmp
-The following .xml file migrates all files and subfolders in C:\\Data, except the files and subfolders in C:\\Data\\tmp.
 
-``` xml
+### Example 2: How to migrate all files located in `C:\Data` except files in `C:\Data\tmp`
+
+The following .xml file migrates all files and subfolders in `C:\Data`, except the files and subfolders in `C:\Data\tmp`.
+
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
     <component type="Documents" context="System">
         <displayName _locID="miguser.sharedvideo">Test component</displayName>
@@ -93,9 +100,10 @@ The following .xml file migrates all files and subfolders in C:\\Data, except th
 ```
 
 ### Example 3: How to exclude the files in a folder but include all subfolders
-The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but excludes all files that are in C:\\EngineeringDrafts.
 
-``` xml
+The following .xml file migrates any subfolders in `C:\`EngineeringDrafts`, but excludes all files that are in `C:\EngineeringDrafts`.
+
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="System">
   <displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
@@ -118,9 +126,10 @@ The following .xml file migrates any subfolders in C:\\EngineeringDrafts, but ex
 ```
 
 ### Example 4: How to exclude a file from a specific folder
-The following .xml file migrates all files and subfolders in C:\\EngineeringDrafts, except for the Sample.doc file in C:\\EngineeringDrafts.
 
-``` xml
+The following .xml file migrates all files and subfolders in `C:\EngineeringDrafts`, except for the `Sample.doc` file in `C:\EngineeringDrafts`.
+
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="System">
   <displayName>Component to migrate all Engineering Drafts Documents except Sample.doc</displayName>
@@ -143,24 +152,28 @@ The following .xml file migrates all files and subfolders in C:\\EngineeringDraf
 ```
 
 ### Example 5: How to exclude a file from any location
-To exclude a Sample.doc file from any location on the C: drive, use the &lt;pattern&gt; element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
 
-``` xml
+To exclude a Sample.doc file from any location on the C: drive, use the **&lt;pattern&gt;** element. If multiple files exist with the same name on the C: drive, all of these files will be excluded.
+
+```xml
 <pattern type="File"> C:\* [Sample.doc] </pattern>
 ```
 
-To exclude a Sample.doc file from any drive on the computer, use the &lt;script&gt; element. If multiple files exist with the same name, all of these files will be excluded.
+To exclude a Sample.doc file from any drive on the computer, use the **&lt;script&gt;** element. If multiple files exist with the same name, all of these files will be excluded.
 
-``` xml
+```xml
 <script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
 ```
+
 #### Examples of how to use XML to exclude files, folders, and registry keys
+
 Here are some examples of how to use XML to exclude files, folders, and registry keys. For more info, see [USMT XML Reference](usmt-xml-reference.md)
 
-**Example 1: How to exclude all .mp3 files**<br>
-The following .xml file excludes all .mp3 files from the migration:
+##### Example 1: How to exclude all `.mp3` files
 
-``` xml
+The following .xml file excludes all `.mp3` files from the migration:
+
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
   <component context="System" type="Documents">
         <displayName>Test</displayName>
@@ -176,10 +189,12 @@ The following .xml file excludes all .mp3 files from the migration:
     </component>
 </migration>
 ```
-**Example 2: How to exclude all of the files on a specific drive**<br>
+
+##### Example 2: How to exclude all of the files on a specific drive
+
 The following .xml file excludes only the files located on the C: drive.
 
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/allfiles">
     <component type="Documents" context="System">
         <displayName>Test</displayName>
@@ -195,10 +210,12 @@ The following .xml file excludes only the files located on the C: drive.
     </component>
 </migration>
 ```
-**Example 3: How to exclude registry keys**<br>
-The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry key and all of its subkeys.
 
-``` xml
+##### Example 3: How to exclude registry keys
+
+The following .xml file unconditionally excludes the `HKEY_CURRENT_USER` registry key and all of its subkeys.
+
+```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
    <component type="Documents" context="User">
@@ -220,10 +237,12 @@ The following .xml file unconditionally excludes the HKEY_CURRENT_USER registry
    </component>
 </migration>
 ```
-**Example 4: How to Exclude `C:\Windows` and `C:\Program Files`**<br>
-The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all \*.docx, \*.xls and \*.ppt files will not be migrated because the &lt;unconditionalExclude&gt; element takes precedence over the &lt;include&gt; element.
 
-``` xml
+##### Example 4: How to Exclude `C:\Windows` and `C:\Program Files`
+
+The following .xml file unconditionally excludes the system folders of `C:\Windows` and `C:\Program Files`. Note that all `*.docx`, `*.xls` and `*.ppt` files won't be migrated because the **&lt;unconditionalExclude&gt;** element takes precedence over the **&lt;include&gt;** element.
+
+```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/miguser">
    <component type="Documents" context="System">
@@ -248,29 +267,24 @@ The following .xml file unconditionally excludes the system folders of `C:\Windo
    </component>
 </migration>
 ```
+
 ## Create a Config XML File
-You can create and modify a Config.xml file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you do not need to be familiar with the migration rules and syntax. Config.xml is an optional file that you can create using the **/genconfig** command-line option with the ScanState tool. For example, you can use the Config.xml file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
 
--   **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the &lt;Applications&gt; section of the Config.xml file.
+You can create and modify a `Config.xml` file if you want to exclude components from the migration. Excluding components using this file is easier than modifying the migration .xml files because you don't need to be familiar with the migration rules and syntax. `Config.xml` is an optional file that you can create using the `/genconfig` command-line option with the ScanState tool. For example, you can use the `Config.xml` file to exclude the settings for one of the default applications. In addition, creating and modifying this file is the only way to exclude the operating-system settings that are migrated to computers running Windows.
 
--   **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the &lt;WindowsComponents&gt; section.
+- **To exclude the settings for a default application:** Specify `migrate="no"` for the application under the **&lt;Applications&gt;** section of the `Config.xml` file.
 
--   **To exclude My Documents:** Specify `migrate="no"` for My Documents under the &lt;Documents&gt; section. Note that any &lt;include&gt; rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files will not.
+- **To exclude an operating system setting:** Specify `migrate="no"` for the setting under the **&lt;WindowsComponents&gt;** section.
 
-See [Config.xml File](usmt-configxml-file.md) for more information.
-
-**Note**  
-To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration.
-
-## Related topics
-- [Customize USMT XML Files](usmt-customize-xml-files.md)
-- [USMT XML Reference](usmt-xml-reference.md)
-
- 
-
- 
+- **To exclude My Documents:** Specify `migrate="no"` for **My Documents** under the **&lt;Documents&gt;** section. Note that any **&lt;include&gt;** rules in the .xml files will still apply. For example, if you have a rule that includes all the .docx files in My Documents, then only the .docx files will be migrated, but the rest of the files won't.
 
+For more information, see [Config.xml File](usmt-configxml-file.md).
 
+> [!NOTE]
+> To exclude a component from the `Config.xml` file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the `Config.xml` file will not exclude the component from your migration.
 
+## Related articles
 
+- [Customize USMT XML files](usmt-customize-xml-files.md)
 
+- [USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
index 5d06760857..b5b02016d8 100644
--- a/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/usmt-extract-files-from-a-compressed-migration-store.md
@@ -2,118 +2,97 @@
 title: Extract Files from a Compressed USMT Migration Store (Windows 10)
 description: In this article, learn how to extract files from a compressed User State Migration Tool (USMT) migration store.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Extract Files from a Compressed USMT Migration Store
+# Extract files from a compressed USMT migration store
 
+When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **UsmtUtils** command with the `/extract` option to recover the files from the compressed migration store. You can also use the **UsmtUtils** command with the `/extract` option any time you need to recover data from a migration store.
 
-When you migrate files and settings during a typical PC-refresh migration, you usually create a compressed migration store file on the intermediate store. This migration store is a single image file that contains all files being migrated as well as a catalog file. To protect the compressed file, you can encrypt it by using different encryption algorithms. When you migrate the file back to the source computer after the operating system is installed, you can run the **Usmtutils** command with the **/extract** option to recover the files from the compressed migration store. You can also use the **Usmtutils** command with the **/extract** option any time you need to recover data from a migration store.
+Options used with the `/extract` option can specify:
 
-Options used with the **/extract** option can specify:
+- The cryptographic algorithm that was used to create the migration store.
 
--   The cryptographic algorithm that was used to create the migration store.
+- The encryption key or the text file that contains the encryption key.
 
--   The encryption key or the text file that contains the encryption key.
+- Include and exclude patterns for selective data extraction.
 
--   Include and exclude patterns for selective data extraction.
+In addition, you can specify the file patterns that you want to extract by using the `/i` option to include file patterns or the `/e` option to exclude file patterns. When both the `/i` option and the `/e` option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the **ScanState** and **LoadState** tools.
 
-In addition, you can specify the file patterns that you want to extract by using the **/i** option to include file patterns or the **/e** option to exclude file patterns. When both the **/i** option and the **/e** option are used in the same command, include patterns take precedence over exclude patterns. Note that this is different from the include and exclude rules used in the ScanState and LoadState tools.
+## To run the UsmtUtils tool with the /extract option
 
-## In this topic
+To extract files from the compressed migration store onto the destination computer, use the following UsmtUtils syntax:
 
-
--   [To run the USMTutils tool with the /extract option](#bkmk-extractsyntax)
-
--   [To extract all files from a compressed migration store](#bkmk-extractallfiles)
-
--   [To extract specific file types from an encrypted compressed migration store](#bkmk-extractspecificfiles)
-
--   [To extract all but one, or more, file types from an encrypted compressed migration store](#bkmk-excludefilepattern)
-
--   [To extract file types using the include pattern and the exclude pattern](#bkmk-includeexcludefiles)
-
-### <a href="" id="bkmk-extractsyntax"></a>To run the USMTutils tool with the /extract option
-
-To extract files from the compressed migration store onto the destination computer, use the following USMTutils syntax:
-
-Cd /d &lt;USMTpath&gt; usmtutils /extract &lt;filePath&gt; &lt;destinationPath&gt; \[/i:&lt;includePattern&gt;\] \[/e:&lt;excludePattern&gt;\] \[/l:&lt;logfile&gt;\] \[/decrypt\[:&lt;AlgID&gt;\] {/key:&lt;keystring&gt; | /keyfile:&lt;filename&gt;}\] \[/o\]
+```cmd
+UsmtUtils.exe /extract <filePath> <destinationPath> [/i:<includePattern>] [/e:<excludePattern>] [/l:<logfile>] [/decrypt[:<AlgID>] {/key:<keystring> | /keyfile:<filename>}] [/o]
+```
 
 Where the placeholders have the following values:
 
--   *&lt;USMTpath&gt;* is the location where you have saved the USMT files and tools.
+- **&lt;USMTpath&gt;** is the location where you have saved the USMT files and tools.
 
--   *&lt;filePath&gt;* is the location of the migration store.
+- **&lt;filePath&gt;** is the location of the migration store.
 
--   *&lt;destination path&gt;* is the location of the file where you want the **/extract** option to put the extracted migration store contents.
+- **&lt;destination path&gt;** is the location of the file where you want the **/extract** option to put the extracted migration store contents.
 
--   *&lt;includePattern&gt;* specifies the pattern for the files to include in the extraction.
+- **&lt;includePattern&gt;** specifies the pattern for the files to include in the extraction.
 
--   *&lt;excludePattern&gt;* specifies the pattern for the files to omit from the extraction.
+- **&lt;excludePattern&gt;** specifies the pattern for the files to omit from the extraction.
 
--   *&lt;AlgID&gt;* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line.
+- **&lt;AlgID&gt;** is the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line.
 
--   *&lt;logfile&gt;* is the location and name of the log file.
+- **&lt;logfile&gt;** is the location and name of the log file.
 
--   *&lt;keystring&gt;* is the encryption key that was used to encrypt the migration store.
+- **&lt;keystring&gt;** is the encryption key that was used to encrypt the migration store.
 
--   *&lt;filename&gt;* is the location and name of the text file that contains the encryption key.
+- **&lt;filename&gt;** is the location and name of the text file that contains the encryption key.
 
-### <a href="" id="bkmk-extractallfiles"></a>To extract all files from a compressed migration store
+### To extract all files from a compressed migration store
 
-To extract everything from a compressed migration store to a file on the C:\\ drive, type:
+To extract everything from a compressed migration store to a file on the `C:\` drive, enter:
 
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
+```cmd
+UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore
 ```
 
-### <a href="" id="bkmk-extractspecificfiles"></a>To extract specific file types from an encrypted compressed migration store
+### To extract specific file types from an encrypted compressed migration store
 
-To extract specific files, such as .txt and .pdf files, from an encrypted compressed migration store, type:
+To extract specific files, such as `.txt` and `.pdf` files, from an encrypted compressed migration store, enter:
 
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
+```cmd
+UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt,*.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt
 ```
 
 In this example, the file is encrypted and the encryption key is located in a text file called encryptionKey.
 
-### <a href="" id="bkmk-excludefilepattern"></a>To extract all but one, or more, file types from an encrypted compressed migration store
+### To extract all but one, or more, file types from an encrypted compressed migration store
 
-To extract all files except for one file type, such as .exe files, from an encrypted compressed migration store, type:
+To extract all files except for one file type, such as `.exe` files, from an encrypted compressed migration store, enter:
 
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
+```cmd
+UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtutilslog.txt
 ```
 
-### <a href="" id="bkmk-includeexcludefiles"></a>To extract file types using the include pattern and the exclude pattern
+### To extract file types using the include pattern and the exclude pattern
 
 To extract files from a compressed migration store, and to exclude files of one type (such as .exe files) while including only specific files, use both the include pattern and the exclude pattern, as in this example:
 
-``` syntax
-usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
+```cmd
+UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o
 ```
 
 In this example, if there is a myProject.exe file, it will also be extracted because the include pattern option takes precedence over the exclude pattern option.
 
-## Related topics
-
-
-[UsmtUtils Syntax](usmt-utilities.md)
-
-[Return Codes](usmt-return-codes.md)
-
-[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
-
- 
-
- 
-
-
+## Related articles
 
+[UsmtUtils syntax](usmt-utilities.md)
 
+[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
 
+[Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md)
diff --git a/windows/deployment/usmt/usmt-faq.yml b/windows/deployment/usmt/usmt-faq.yml
index 024d9e89be..f22b052e29 100644
--- a/windows/deployment/usmt/usmt-faq.yml
+++ b/windows/deployment/usmt/usmt-faq.yml
@@ -1,21 +1,21 @@
 ### YamlMime:FAQ
 metadata:
   title: 'Frequently Asked Questions (Windows 10)'
-  description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.'
+  description: 'Learn about frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.'
   ms.assetid: 813c13a7-6818-4e6e-9284-7ee49493241b
-  ms.reviewer: 
-  author: aczechowski
-  ms.author: aaroncz
-  manager: dougeby
-  ms.prod: w10
+  ms.prod: windows-client
+  ms.technology: itpro-deploy
+  author: frankroj
+  ms.author: frankroj
+  manager: aaroncz
   ms.mktglfcycl: deploy
   ms.sitesec: library
   audience: itpro
-  ms.date: 04/19/2017
+  ms.date: 11/01/2022
   ms.topic: faq
 title: Frequently Asked Questions
 summary: |
-  The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
+  The following sections provide frequently asked questions and recommended solutions for migrations using User State Migration Tool (USMT) 10.0.
 
 
 sections:
@@ -24,7 +24,7 @@ sections:
       - question: |
           How much space is needed on the destination computer?
         answer: |
-          The destination computer needs enough available space for the following:
+          The destination computer needs enough available space for the following items:
           
           -   Operating system
           
@@ -35,100 +35,100 @@ sections:
       - question: |
           Can I store the files and settings directly on the destination computer or do I need a server?
         answer: |
-          You do not need to save the files to a server. If you are moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps:
+          You don't need to save the files to a server. If you're moving the user state to a new computer, you can create the store on a shared folder, on media that you can remove, such as a USB flash drive (UFD), or you can store it directly on the destination computer, as in the following steps:
           
-          1.  Create and share the directory C:\\store on the destination computer.
+          1.  Create and share the directory `C:\store` on the destination computer.
           
-          2.  Run the ScanState tool on the source computer and save the files and settings to \\\\*DestinationComputerName*\\store
+          2.  Run the **ScanState** tool on the source computer and save the files and settings to `\\<DestinationComputerName>\store`
           
-          3.  Run the LoadState tool on the destination computer and specify C:\\store as the store location.
+          3.  Run the **LoadState** tool on the destination computer and specify `C:\store` as the store location.
           
       - question: |
           Can I migrate data between operating systems with different languages?
         answer: |
-          No. USMT does not support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language.
+          No. USMT doesn't support migrating data between operating systems with different languages; the source computer's operating-system language must match the destination computer's operating-system language.
 
       - question: |
           Can I change the location of the temporary directory on the destination computer?
         answer: |
-          Yes. The environment variable USMT\_WORKING\_DIR can be changed to an alternative temporary directory. There are some offline migration scenarios where this is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media.
+          Yes. The environment variable `USMT\_WORKING\_DIR` can be changed to an alternative temporary directory. There are some offline migration scenarios where changing the temporary directory is necessary, for example, when the USMT binaries are located on read-only Windows Preinstallation Environment (WinPE) boot media.
 
       - question: |
           How do I install USMT?
         answer: |
-          Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. However, the USMT binaries are designed to be deployed using xcopy. This means that they are installed on a computer simply by recursively copying the USMT directory from the computer containing the Windows ADK to each client computer.
+          Because USMT is included in Windows Assessment and Deployment Kit (Windows ADK), you need to install the Windows ADK package on at least one computer in your environment. The USMT binaries can then be copied from the USMT directory located on the original computer where the Windows ADK was installed to additional client computers.
 
       - question: |
           How do I uninstall USMT?
         answer: |
-          If you have installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that do not have the Windows ADK installed, you can simply delete the USMT directory to uninstall USMT.
+          If you've installed the Windows ADK on the computer, uninstalling Windows ADK will uninstall USMT. For client computers that don't have the Windows ADK installed, you can delete the USMT directory to uninstall USMT.
 
   - name: Files and Settings
     questions:
       - question: |
           How can I exclude a folder or a certain type of file from the migration?
         answer: |
-          You can use the **&lt;unconditionalExclude&gt;** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData. This element excludes objects regardless of any other &lt;include&gt; rules that are in the .xml files. For an example, see &lt;unconditionalExclude&gt; in the [Exclude Files and Settings](usmt-exclude-files-and-settings.md) topic. For the syntax of this element, see [XML Elements Library](usmt-xml-elements-library.md).
+          You can use the **&lt;unconditionalExclude&gt;** element to globally exclude data from the migration. For example, you can use this element to exclude all MP3 files on the computer or to exclude all files from `C:\UserData`. This element excludes objects regardless of any other **&lt;include&gt;** rules that are in the .xml files. For an example, see **&lt;unconditionalExclude&gt;** in the [Exclude files and settings](usmt-exclude-files-and-settings.md) article. For the syntax of this element, see [XML elements library](usmt-xml-elements-library.md).
           
       - question: |
-          What happens to files that were located on a drive that does not exist on the destination computer?
+          What happens to files that were located on a drive that don't exist on the destination computer?
         answer: |
-          USMT migrates the files to the %SystemDrive% while maintaining the correct folder hierarchy. For example, if E:\\data\\File.pst is on the source computer, but the destination computer does not have an E:\\ drive, the file will be migrated to C:\\data\\File.pst, if C:\\ is the system drive. This holds true even when &lt;locationModify&gt; rules attempt to move data to a drive that does not exist on the destination computer.
+          USMT migrates the files to the `%SystemDrive%` while maintaining the correct folder hierarchy. For example, if `E:\data\File.pst` is on the source computer, but the destination computer doesn't have an E:\\ drive, the file will be migrated to `C:\data\File.pst`, if C:\\ is the system drive. This behavior holds true even when **&lt;locationModify&gt;** rules attempt to move data to a drive that doesn't exist on the destination computer.
           
   - name: USMT .xml Files
     questions:
       - question: |
           Where can I get examples of USMT .xml files?
         answer: |
-          The following topics include examples of USMT .xml files:
+          The following articles include examples of USMT .xml files:
           
-          -   [Exclude Files and Settings](usmt-exclude-files-and-settings.md)
+          -   [Exclude files and settings](usmt-exclude-files-and-settings.md)
           
-          -   [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
+          -   [Reroute files and settings](usmt-reroute-files-and-settings.md)
           
-          -   [Include Files and Settings](usmt-include-files-and-settings.md)
+          -   [Include files and settings](usmt-include-files-and-settings.md)
           
-          -   [Custom XML Examples](usmt-custom-xml-examples.md)
+          -   [Custom XML examples](usmt-custom-xml-examples.md)
           
       - question: |
           Can I use custom .xml files that were written for USMT 5.0?
         answer: |
-          Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements.
+          Yes. You can use custom .xml files that were written for USMT 5.0 with USMT for Windows 10. However, in order to use new USMT functionality, you must revisit your custom USMT files and refresh them to include the new command-line options and XML elements.
 
       - question: |
           How can I validate the .xml files?
         answer: |
-          You can use the USMT XML Schema (MigXML.xsd) to write and validate migration .xml files.
+          You can use the USMT XML Schema (`MigXML.xsd`) to write and validate migration .xml files.
 
       - question: |
-          Why must I list the .xml files with both the ScanState and LoadState commands?
+          Why must I list the .xml files with both the `ScanState.exe` and `LoadState.exe` commands?
         answer: |
-          The .xml files are not copied to the store as in previous versions of USMT. Because the ScanState and LoadState tools need the .xml files to control the migration, you must specify the same set of .xml files for the **ScanState** and **LoadState** commands. If you used a particular set of mig\*.xml files in the ScanState tool, either called through the "/auto" option, or individually through the "/i" option, then you should use same option to call the exact same mig\*.xml files in the LoadState tool. However, you do not have to specify the Config.xml file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the My Documents folder to the store, but not to the destination computer. To do this, modify the Config.xml file and specify the updated file with the **LoadState** command. **LoadState** will migrate only the files and settings that you want to migrate.
+          The .xml files aren't copied to the store as in previous versions of USMT. Because the **ScanState** and **LoadState** tools need the .xml files to control the migration, you must specify the same set of .xml files for the `ScanState.exe` and `LoadState.exe` commands. If you used a particular set of mig\*.xml files in the **ScanState** tool, either called through the `/auto` option, or individually through the `/i` option, then you should use same option to call the exact same mig\*.xml files in the **LoadState** tool. However, you don't have to specify the `Config.xml` file, unless you want to exclude some of the files and settings that you migrated to the store. For example, you might want to migrate the **My Documents** folder to the store, but not to the destination computer. To do this type of migration, modify the `Config.xml` file and specify the updated file with the `LoadState.exe` command. **LoadState** will migrate only the files and settings that you want to migrate.
           
-          If you exclude an .xml file from the **LoadState** command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
+          If you exclude an .xml file from the `LoadState.exe` command, then all of the data that is in the store that was migrated with the missing .xml files will be migrated. However, the migration rules that were specified for the `ScanState.exe` command won't apply. For example, if you exclude a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT won't reroute the files. Instead, it will migrate them to `C:\data`.
           
       - question: |
           Which files can I modify and specify on the command line?
         answer: |
-          You can specify the MigUser.xml and MigApp.xml files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you cannot modify. If you want to exclude certain operating-system settings or any other components, create and modify the Config.xml file.
+          You can specify the `MigUser.xml` and `MigApp.xml` files on the command line. You can modify each of these files. The migration of operating system settings is controlled by the manifests, which you can't modify. If you want to exclude certain operating-system settings or any other components, create and modify the `Config.xml` file.
 
       - question: |
-          What happens if I do not specify the .xml files on the command line?
+          What happens if I don't specify the .xml files on the command line?
         answer: |
           -   **ScanState**
           
-              If you do not specify any files with the **ScanState** command, all user accounts and default operating system components are migrated.
+              If you don't specify any files with the `ScanState.exe` command, all user accounts and default operating system components are migrated.
           
           -   **LoadState**
           
-              If you do not specify any files with the **LoadState** command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the **ScanState** command will not apply. For example, if you exclude a MigApp.xml file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT will not reroute the files. Instead, it will migrate them to C:\\data.
+              If you don't specify any files with the `LoadState.exe` command, all data that is in the store is migrated. However, any target-specific migration rules that were specified in .xml files with the `ScanState.exe` command won't apply. For example, if you exclude a `MigApp.xml` file that has a rerouting rule such as `MigsysHelperFunction.RelativeMove("c:\data", "%CSIDL_PERSONAL%")`, USMT won't reroute the files. Instead, it will migrate them to `C:\data`.
           
   - name: Conflicts and Precedence
     questions:
       - question: |
           What happens when there are conflicting XML rules or conflicting objects on the destination computer?
         answer: |
-          For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+          For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
           
 
 additionalContent: |
@@ -137,6 +137,6 @@ additionalContent: |
 
   [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
 
-  [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)
+  [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md)
 
-  [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)
+  [Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md)
diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md
index 824ca75074..98148b856d 100644
--- a/windows/deployment/usmt/usmt-general-conventions.md
+++ b/windows/deployment/usmt/usmt-general-conventions.md
@@ -2,61 +2,52 @@
 title: General Conventions (Windows 10)
 description: Learn about general XML guidelines and how to use XML helper functions in the XML Elements library to change migration behavior.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# General Conventions
-
+# General conventions
 
 This topic describes the XML helper functions.
 
-## In This Topic
-
-
-[General XML Guidelines](#bkmk-general)
-
-[Helper Functions](#bkmk-helperfunctions)
-
-## <a href="" id="bkmk-general"></a>General XML Guidelines
-
+## General XML guidelines
 
 Before you modify the .xml files, become familiar with the following guidelines:
 
--   **XML schema**
+- **XML schema**
 
-    You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files.
+    You can use the User State Migration Tool (USMT) 10.0 XML schema, MigXML.xsd, to write and validate migration .xml files.
 
--   **Conflicts**
+- **Conflicts**
 
-    In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+    In general, when there are conflicts within the XML schema, the most specific pattern takes precedence. For more information, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
 
--   **Required elements**
+- **Required elements**
 
     The required elements for a migration .xml file are **&lt;migration&gt;**, **&lt;component&gt;**, **&lt;role&gt;**, and **&lt;rules&gt;**.
 
--   **Required child elements**
+- **Required child elements**
 
-    -   USMT does not fail with an error if you do not specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration.
+  - USMT doesn't fail with an error if you don't specify the required child elements. However, you must specify the required child elements for the parent element to affect the migration.
 
-    -   The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `<detects name="Example">` in **&lt;namedElements&gt;**, and you specify `<detects name="Example"/>` in **&lt;component&gt;** to refer to this element, the definition inside **&lt;namedElements&gt;** must have the required child elements, but the **&lt;component&gt;** element does not need to have the required child elements.
+  - The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements don't apply. For example, if you define `<detects name="Example">` in **&lt;namedElements&gt;**, and you specify `<detects name="Example"/>` in **&lt;component&gt;** to refer to this element, the definition inside **&lt;namedElements&gt;** must have the required child elements, but the **&lt;component&gt;** element doesn't need to have the required child elements.
 
--   **File names with brackets**
+- **File names with brackets**
 
-    If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.
+    If you're migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there's a file named **file].txt**, you must specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.
 
--   **Using quotation marks**
+- **Using quotation marks**
 
     When you surround code in quotation marks, you can use either double ("") or single (') quotation marks.
 
-## <a href="" id="bkmk-helperfunctions"></a> Helper Functions
+## Helper functions
 
-
-You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following:
+You can use the XML helper functions in the [XML elements library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following items:
 
 - **All of the parameters are strings**
 
@@ -64,40 +55,30 @@ You can use the XML helper functions in the [XML Elements Library](usmt-xml-elem
 
   As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function:
 
-  ``` syntax
+  ```cmd
   SomeFunction("My String argument",NULL,NULL)
   ```
 
   is equivalent to:
 
-  ``` syntax
+  ```cmd
   SomeFunction("My String argument")
   ```
 
 - **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object**
 
-  It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
+  It's composed of the node part, optionally followed by the leaf enclosed in square brackets. This format makes a clear distinction between nodes and leaves.
 
-  For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters.
+  For example, specify the file `C:\Windows\Notepad.exe`: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory `C:\Windows\System32` like this: **c:\\Windows\\System32**; note the absence of the **\[\]** characters.
 
-  The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
+  The registry is represented in a similar way. The default value of a registry key is represented as an empty **\[\]** construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key is **HKLM\\SOFTWARE\\MyKey\[\]**.
 
 - **You specify a location pattern in a way that is similar to how you specify an actual location**
 
-  The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
-
-  For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**.
-
-## Related topics
-
-
-[USMT XML Reference](usmt-xml-reference.md)
-
- 
-
- 
-
-
+  The exception is that both the node and leaf part accept patterns. However, a pattern from the node doesn't extend to the leaf.
 
+  For example, the pattern **c:\\Windows\\\\\*** will match the `\Windows` directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**.
 
+## Related articles
 
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index 8bcb20e216..b4790b2a5a 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -2,170 +2,149 @@
 title: Hard-Link Migration Store (Windows 10)
 description: Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Hard-Link Migration Store
 
-A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this functionality is what makes *hard-link migration store* best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios.
+A **hard-link migration store** enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed. This functionality is what makes **hard-link migration store** best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs, and enables entirely new migration scenarios.
 
-## In this topic
-
-[When to Use a Hard-Link Migration](#bkmk-when)
-
-[Understanding a Hard-Link Migration](#bkmk-understandhardlinkmig)
-
-[Scenario](#bkmk-scenario)
-
-[Hard-Link Migration Store Details](#bkmk-hardlinkstoredetails)
-
-[Hard Disk Space](#bkmk-harddiskspace)
-
-[Hard-Link Store Size Estimation](#bkmk-hardlinkstoresizeest)
-
-[Migration Store Path on Multiple Volumes](#bkmk-migstoremultvolumes)
-
-[Location Modifications](#bkmk-locationmodify)
-
-[Migrating Encrypting File System (EFS) Certificates and Files](#bkmk-efs)
-
-[Migrating Locked Files With the Hard-Link Migration Store](#bkmk-miglockedfiles)
-
-[XML Elements in the Config.xml File](#bkmk-xmlelementsinconfig)
-
-## <a href="" id="bkmk-when"></a>When to Use a Hard-Link Migration
+## When to use a hard-link migration
 
 You can use a hard-link migration store when your planned migration meets both of the following criteria:
 
--   You are upgrading the operating system on existing hardware rather than migrating to new computers.
+- You're upgrading the operating system on existing hardware rather than migrating to new computers.
 
--   You are upgrading the operating system on the same volume of the computer.
+- You're upgrading the operating system on the same volume of the computer.
 
-You cannot use a hard-link migration store if your planned migration includes any of the following tasks:
+You can't use a hard-link migration store if your planned migration includes any of the following tasks:
 
--   You are migrating data from one computer to a second computer.
+- You're migrating data from one computer to a second computer.
 
--   You are migrating data from one volume on a computer to another volume, for example from `C:` to `D:`.
+- You're migrating data from one volume on a computer to another volume, for example from `C:` to `D:`.
 
--   You are formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store.
+- You're formatting or repartitioning the disk outside of Windows Setup, or specifying a disk format or repartition during Windows Setup that will remove the migration store.
 
-## <a href="" id="bkmk-understandhardlinkmig"></a>Understanding a Hard-Link Migration
+## Understanding a hard-link migration
 
-The hard-link migration store is created using the command-line option, **/hardlink**, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario.
+The hard-link migration store is created using the command-line option, `/hardlink`, and is equivalent to other migration-store types. However, it differs in that hard links are utilized to keep files stored on the source computer during the migration. Keeping the files in place on the source computer eliminates the redundant work of duplicating files. It also enables the performance benefits and reduction in disk utilization that define this scenario.
 
-When you create a hard link, you give an existing file one more path. For instance, you could create a hard link to c:\\file1.txt called c:\\hard link\\myFile.txt. These two paths relate to the same file. If you open c:\\file1.txt, make changes, and save the file, you will see those changes when you open c:\\hard link\\myFile.txt. If you delete c:\\file1.txt, the file still exists on your computer as c:\\hardlink\\myFile.txt. You must delete both references to the file in order to delete the file.
+When you create a hard link, you give an existing file one more path. For instance, you could create a hard link to `c:\file1.txt` called `c:\hard link\myFile.txt`. These two paths relate to the same file. If you open `c:\file1.txt`, make changes, and save the file, you'll see those changes when you open `c:\hard link\myFile.txt`. If you delete `c:\file1.txt`, the file still exists on your computer as `c:\hardlink\myFile.txt`. You must delete both references to the file in order to delete the file.
 
 > [!NOTE]
 > A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario.
 
 For more information about hard links, see [Hard Links and Junctions](/windows/win32/fileio/hard-links-and-junctions)
 
-In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows&reg; Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place.
+In most aspects, a hard-link migration store is identical to an uncompressed migration store. It's located where specified by the **ScanState.exe** command-line tool and you can view the contents of the store by using Windows Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store. However, as with creating the store, the same hard-link functionality is used to keep files in-place.
 
-As a best practice, we recommend that you delete the hard-link migration store after you confirm that the Loadstate tool has successfully migrated the files. Since Loadstate has created new paths to the files on your new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files and will not delete the actual files or the paths to them from your new operating system.
+As a best practice, it's recommended that you delete the hard-link migration store after you confirm that the **LoadState** tool has successfully migrated the files. Since **LoadState** has created new paths to the files on the new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files, and won't delete the actual files or the paths to them from the new operating system.
 
 > [!IMPORTANT]
-> Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss.
+> Using the `/c` option will force the **LoadState** tool to continue applying files when non-fatal errors occur. If you use the `/c` option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss.
 
 Keeping the hard-link migration store can result in extra disk space being consumed or problems with some applications for the following reasons:
 
--   Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file.
+- Applications reporting file-system statistics, for example, space used and free space, might incorrectly report these statistics while the hard-link migration store is present. The file may be reported twice because of the two paths that reference that file.
 
--   A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that was not used to open the file in this application will continue to refer to the unmodified file. The unmodified file that is not in use is taking up more disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you are migrating the latest versions of all files.
+- A hard link may lose its connection to the original file. Some applications save changes to a file by creating a temporary file and then renaming the original to a backup filename. The path that wasn't used to open the file in this application will continue to refer to the unmodified file. The unmodified file that isn't in use is taking up more disk space. You should create the hard-link migration store just before you perform the migration, and not use applications once the store is created, in order to make sure you're migrating the latest versions of all files.
 
--   Editing the file by using different paths simultaneously may result in data corruption.
+- Editing the file by using different paths simultaneously may result in data corruption.
 
 > [!IMPORTANT]
 > The read-only file attribute on migrated files is lost when the hard-link migration store is deleted. This is due to a limitation in NTFS file system hard links.
 
-## <a href="" id="bkmk-scenario"></a>Hard-Link Migration Scenario
+## Hard-link migration scenario
 
-For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated.
+For example, a company has decided to deploy Windows 10 on all of their computers. Each employee will keep the same computer, but the operating system on each computer will be updated.
 
-1.  An administrator runs the ScanState command-line tool on each computer, specifying the **/hardlink** command-line option. The ScanState tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances.
+1. An administrator runs the  **ScanState** command-line tool on each computer, specifying the `/hardlink` command-line option. The  **ScanState** tool saves the user state to a hard-link migration store on each computer, improving performance by reducing file duplication, except in certain specific instances.
 
     > [!NOTE]
-    > As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with Loadstate.
+    > As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with  **LoadState**.
 
-2.  On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses.
+2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses.
 
-3.  An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer.
+3. An administrator runs the  **LoadState** command-line tool on each computer. The  **LoadState** tool restores user state back on each computer.
 
 > [!NOTE]
 > During the update of a domain-joined computer, the profiles of users whose SID cannot be resolved will not be migrated. When using a hard-link migration store, it could cause a data loss.
 
-## <a href="" id="bkmk-hardlinkstoredetails"></a>Hard-Link Migration Store Details
+## Hard-link migration store details
 
 This section provides details about hard-link migration stores.
 
-### <a href="" id="bkmk-harddiskspace"></a>Hard Disk Space
+### Hard disk space
 
-The **/hardlink** command-line option proceeds with creating the migration store only if there are 250 megabytes (MB) of free space on the hard disk. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration.
+The `/hardlink` command-line option proceeds with creating the migration store only if there are 250 megabytes (MB) of free space on the hard disk. If every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless on the size of the migration.
 
-### <a href="" id="bkmk-hardlinkstoresizeest"></a>Hard-Link Store Size Estimation
+### Hard-link store size estimation
 
-It is not necessary to estimate the size of a hard-link migration store. Estimating the size of a migration store is only useful in scenarios where the migration store is large, and on NTFS volumes the hard-link migration store will require much less incremental space than other store options. The only case where the local store can be large is when non-NTFS file systems exist on the system and contain data being migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual.
+It isn't necessary to estimate the size of a hard-link migration store since hard-link migration store on NTFS volumes will be relatively small and require much less incremental space than other store options. Estimating the size of a migration store is only useful in scenarios where the migration store is large. The only case where the local store can be large with hard-link migrations is when non-NTFS file systems exist on the system and the non-NTFS files system contain data that needs to be migrated. Since NTFS has been the default file system format for Windows XP and newer operating systems, this situation is unusual.
 
-### <a href="" id="bkmk-migstoremultvolumes"></a>Migration Store Path on Multiple Volumes
+### Migration store path on multiple volumes
 
 Separate hard-link migration stores are created on each NTFS volume that contain data being migrated. In this scenario, the primary migration-store location will be specified on the command line, and should be the operating-system volume. Migration stores with identical names and directory names will be created on every volume containing data being migrated. For example:
 
-`Scanstate /hardlink c:\USMTMIG […]`
+  ```cmd 
+  ScanState.exe /hardlink c:\USMTMIG […]
+  ```
 
 Running this command on a system that contains the operating system on the C: drive and the user data on the D: drive will generate migration stores in the following locations, assuming that both drives are NTFS:
 
-C:\\USMTMIG\\
+`C:\USMTMIG\`
 
-D:\\USMTMIG\\
+`D:\USMTMIG\`
 
-The drive you specify on the command line for the hard-link migration store is important, because it defines where the *master migration store* should be placed. The *master migration store* is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. As in other scenarios, if a migration store already exists at the specified path, the **/o** option must be used to overwrite the existing data in the store.
+The drive you specify on the command line for the hard-link migration store is important, because it defines where the **master migration store** should be placed. The **master migration store** is the location where data migrating from non-NTFS volumes is stored. This volume must have enough space to contain all of the data that comes from non-NTFS volumes. As in other scenarios, if a migration store already exists at the specified path, the `/o` option must be used to overwrite the existing data in the store.
 
-### <a href="" id="bkmk-locationmodify"></a>Location Modifications
+### Location modifications
 
-Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This impact is because the migrating data that must cross system volumes cannot remain in the hard-link migration store, and must be copied across the system volumes.
+Location modifications that redirect migrated content from one volume to a different volume have an adverse impact on the performance of a hard-link migration. This impact is because the migrating data that must cross system volumes can't remain in the hard-link migration store, and must be copied across the system volumes.
 
-### <a href="" id="bkmk-efs"></a>Migrating Encrypting File System (EFS) Certificates and Files
+### Migrating Encrypting File System (EFS) certificates and files
 
-To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the **/efs:hardlink** option in the Scanstate command-line syntax.
+To migrate Encrypting File System (EFS) files to a new installation of an operating system on the same volume of the computer, specify the `/efs:hardlink` option in the `ScanState.exe` command-line syntax.
 
-If the EFS files are being restored to a different partition, you should use the **/efs:copyraw** option instead of the **/efs:hardlink** option. Hard links can only be created for files on the same volume. Moving the files to another partition during the migration requires a copy of the files to be created on the new partition. The **/efs:copyraw** option will copy the files to the new partition in encrypted format.
+If the EFS files are being restored to a different partition, you should use the `/efs:copyraw` option instead of the `/efs:hardlink` option. Hard links can only be created for files on the same volume. Moving the files to another partition during the migration requires a copy of the files to be created on the new partition. The `/efs:copyraw` option will copy the files to the new partition in encrypted format.
 
-For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md) and the Encrypted File Options in [ScanState Syntax](usmt-scanstate-syntax.md).
+For more information, see [Migrate EFS files and certificates](usmt-migrate-efs-files-and-certificates.md) and [Encrypted file options](usmt-scanstate-syntax.md#encrypted-file-options).
 
-### <a href="" id="bkmk-miglockedfiles"></a>Migrating Locked Files with the Hard-Link Migration Store
+### Migrating locked files with the hard-link migration store
 
 Files that are locked by an application or the operating system are handled differently when using a hard-link migration store.
 
-Files that are locked by the operating system cannot remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you do not migrate any files out of the \\Windows directory, which minimizes performance-related issues.
+Files that are locked by the operating system can't remain in place and must be copied into the hard-link migration store. As a result, selecting many operating-system files for migration significantly reduces performance during a hard-link migration. As a best practice, we recommend that you don't migrate any files out of the `\Windows directory`, which minimizes performance-related issues.
 
-Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service is not being utilized. The volume shadow-copy service cannot be used with hard-link migrations. However, by modifying the new `<HardLinkStoreControl>` section in the Config.xml file, it is possible to enable the migration of files locked by an application.
+Files that are locked by an application are treated the same in hard-link migrations as in other scenarios when the volume shadow-copy service isn't being utilized. The volume shadow-copy service can't be used with hard-link migrations. However, by modifying the new **&lt;HardLinkStoreControl&gt;** section in the `Config.xml` file, it's possible to enable the migration of files locked by an application.
 
 > [!IMPORTANT]
-> There are some scenarios in which modifying the `<HardLinkStoreControl>` section in the Config.xml file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use USMTutils.exe to schedule the migration store for deletion on the next restart.
+> There are some scenarios in which modifying the **&lt;HardLinkStoreControl&gt;** section in the `Config.xml` file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use `UsmtUtils.exe` to schedule the migration store for deletion on the next restart.
 
-## <a href="" id="bkmk-xmlelementsinconfig"></a>XML Elements in the Config.xml File
+## XML elements in the Config.xml file
 
-A new section in the Config.xml file allows optional configuration of some of the hard-link migration behavior introduced with the **/HardLink** option.
+A new section in the `Config.xml` file allows optional configuration of some of the hard-link migration behavior introduced with the `/HardLink` option.
 
 | Element | Description |
 |--- |--- |
-| `<Policies>` | This element contains elements that describe the policies that USMT follows while creating a migration store. |
-| `<HardLinkStoreControl>` | This element contains elements that describe how to handle files during the creation of a hard link migration store. |
-| `<fileLocked>` | This element contains elements that describe how to handle files that are locked for editing. |
-| `<createHardLink>` | This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application. <br/><br/>Syntax: `<createHardLink>` [pattern] `</createHardLink>` |
-| `<errorHardLink>` | This element defines a standard MigXML pattern that describes file paths where hard links should not be created, if the file is locked for editing by another application. <br/><br/>`<errorHardLink>` [pattern] `</errorHardLink>` |
+| **&lt;Policies&gt;** | This element contains elements that describe the policies that USMT follows while creating a migration store. |
+| **&lt;HardLinkStoreControl&gt;** | This element contains elements that describe how to handle files during the creation of a hard link migration store. |
+| **&lt;fileLocked&gt;** | This element contains elements that describe how to handle files that are locked for editing. |
+| **&lt;createHardLink&gt;** | This element defines a standard MigXML pattern that describes file paths where hard links should be created, even if the file is locked for editing by another application. <br/><br/>Syntax: `<createHardLink>` [pattern] `</createHardLink>` |
+| **&lt;errorHardLink&gt;** | This element defines a standard MigXML pattern that describes file paths where hard links shouldn't be created, if the file is locked for editing by another application. <br/><br/>`<errorHardLink>` [pattern] `</errorHardLink>` |
 
 > [!IMPORTANT]
-> You must use the **/nocompress** option with the **/HardLink** option.
+> You must use the `/nocompress` option with the `/HardLink` option.
 
-The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use`<createhardlink>`** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
+The following XML sample specifies that files locked by an application under the `\Users` directory can remain in place during the migration. It also specifies that locked files that aren't located in the `\Users` directory should result in the **File in Use** error. It's important to exercise caution when specifying the paths using the `<createhardlink>`** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete.
 
-``` xml
+```xml
 <Policies>
     <HardLinkStoreControl>
           <fileLocked>
@@ -176,6 +155,6 @@ The following XML sample specifies that files locked by an application under the
 </Policies>
 ```
 
-## Related topics
+## Related articles
 
-[Plan Your Migration](usmt-plan-your-migration.md)
+[Plan your migration](usmt-plan-your-migration.md)
diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md
index a2a9939439..23bb493204 100644
--- a/windows/deployment/usmt/usmt-how-it-works.md
+++ b/windows/deployment/usmt/usmt-how-it-works.md
@@ -2,130 +2,121 @@
 title: How USMT Works (Windows 10)
 description: Learn how USMT works and how it includes two tools that migrate settings and data - ScanState and LoadState.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
+ms.date: 11/01/2022
 ---
 
-# How USMT Works
+# How USMT works
 
+USMT includes two tools that migrate settings and data: **ScanState** and **LoadState**. **ScanState** collects information from the source computer, and **LoadState** applies that information to the destination computer.
 
-USMT includes two tools that migrate settings and data: ScanState and LoadState. ScanState collects information from the source computer, and LoadState applies that information to the destination computer.
+- [How USMT works](#how-usmt-works)
+  - [The ScanState process](#the-scanstate-process)
+  - [The LoadState process](#the-loadstate-process)
+  - [Related articles](#related-articles)
 
--   [ScanState Process](#the-scanstate-process)
--   [LoadState Process](#the-loadstate-process)
+    > [!NOTE]
+    > For more information about how USMT processes the rules and the XML files, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
 
-    **Note**  
-    For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).   
+## The ScanState process
 
-## The ScanState Process
+When you run the **ScanState** tool on the source computer, it goes through the following process:
 
-When you run the ScanState tool on the source computer, it goes through the following process:
+1. It parses and validates the command-line parameters, creates the `ScanState.log` file, and then begins logging.
 
-1.  It parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
-
-2.  It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component.
+2. It collects information about all of the migration components that need to be migrated. A *migration component* is a logical group of files, registry keys, and values. For example, the set of files, registry keys, and values that store the settings of Adobe Acrobat is grouped into a single migration component.
 
     There are three types of components:
 
-    -   Components that migrate the operating system settings
-    -   Components that migrate application settings
-    -   Components that migrate users’ files
+    - Components that migrate the operating system settings
+  
+    - Components that migrate application settings
 
-    The ScanState tool collects information about the application settings and user data components from the .xml files that are specified on the command line.
+    - Components that migrate users' files
 
-    In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
+    The **ScanState** tool collects information about the application settings and user data components from the .xml files that are specified on the command line.
 
-3.  ScanState determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you cannot exclude these profiles from the migration.
+    In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You can't modify these files. If you want to exclude certain operating-system settings, you must create and modify a `Config.xml` file.
 
-4.  In the "Scanning" phase, ScanState does the following for each user profile selected for migration:
+3. **ScanState** determines which user profiles should be migrated. By default, all user profiles on the source computer are migrated. However, you can include and exclude users using the User Options. The public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated, and you can't exclude these profiles from the migration.
 
-    1.  For each component, ScanState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
+4. In the **Scanning** phase, **ScanState** does the following for each user profile selected for migration:
 
-        **Note**  
-        From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way.
+    1. For each component, **ScanState** checks the type of the component. If the current user profile is the system profile and the component type is **System** or **UserAndSystem**, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile isn't the system profile and the component type is **User** or **UserAndSystem**, the component is selected for this user. Otherwise, this component is ignored.
 
-    2.  Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory.
+        > [!NOTE]
+        > From this point on, **ScanState** does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users' files. **ScanState** processes all components in the same way.
 
-    3.  For each selected component, ScanState evaluates the &lt;detects&gt; section. If the condition in the &lt;detects&gt; section evaluates to false, the component is not processed any further. Otherwise, the processing of this component continues.
+    2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as **CSIDL_PERSONAL**) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to **User1**, then **CSIDL_PERSONAL** would expand to `C:\Users\User1\Documents`, assuming that the user profiles are stored in the `C:\Users` directory.
 
-    4.  For each selected component, ScanState evaluates the &lt;rules&gt; sections. For each &lt;rules&gt; section, if the current user profile is the system profile and the context of the &lt;rules&gt; section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the &lt;rules&gt; section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
+    3. For each selected component, **ScanState** evaluates the **&lt;detects&gt;** section. If the condition in the **&lt;detects&gt;** section evaluates to false, the component isn't processed any further. Otherwise, the processing of this component continues.
 
-    5.  ScanState creates a list of migration units that need to be migrated by processing the various subsections under this &lt;rules&gt; section. Each unit is collected if it is mentioned in an &lt;include&gt; subsection, as long as there is not a more specific rule for it in an &lt;exclude&gt; subsection in the same &lt;rules&gt; section. For more information about precedence in the .xml files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+    4. For each selected component, **ScanState** evaluates the **&lt;rules&gt;** sections. For each **&lt;rules&gt;** section, if the current user profile is the system profile and the context of the **&lt;rules&gt;** section is **System** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile isn't the system profile and the context of the **&lt;rules&gt;** section is **User** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored.
 
-        In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an &lt;UnconditionalExclude&gt; section is not migrated.
+    5. **ScanState** creates a list of migration units that need to be migrated by processing the various subsections under this **&lt;rules&gt;** section. Each unit is collected if it's mentioned in an **&lt;include&gt;** subsection, as long as there isn't a more specific rule for it in an **&lt;exclude&gt;** subsection in the same **&lt;rules&gt;** section. For more information about precedence in the .xml files, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
 
-        **Note**  
-        ScanState ignores some subsections such as &lt;destinationCleanup&gt; and &lt;locationModify&gt;. These sections are evaluated only on the destination computer.
+        In addition, any migration unit (such as a file, registry key, or set of registry values) that is in an &lt;UnconditionalExclude&gt; section isn't migrated.
 
-5.  In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile.
+        > [!NOTE]
+        > **ScanState** ignores some subsections such as &lt;destinationCleanup&gt; and &lt;locationModify&gt;. These sections are evaluated only on the destination computer.
 
-6.  In the "Saving" phase, ScanState writes the migration units that were collected to the store location.
+5. In the **Collecting** phase, **ScanState** creates a master list of the migration units by combining the lists that were created for each selected user profile.
 
-    **Note**  
-    ScanState does not modify the source computer in any way.
+6. In the **Saving** phase, **ScanState** writes the migration units that were collected to the store location.
 
-## The LoadState Process
+    > [!NOTE]
+    > **ScanState** does not modify the source computer in any way.
 
+## The LoadState process
 
-The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer.
+The **LoadState** process is similar to the **ScanState** process. The **ScanState** tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the **LoadState** tool collects migration units from the store and applies them to the destination computer.
 
-1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.
+1. **ScanState** parses and validates the command-line parameters, creates the `ScanState.log` file, and then begins logging.
 
-2. LoadState collects information about the migration components that need to be migrated.
+2. **LoadState** collects information about the migration components that need to be migrated.
 
-   LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command.
+   **LoadState** obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the `LoadState.exe` command.
 
-   In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file.
+   In Windows 7, Windows 8, and Windows 10, the manifest files control how the operating-system settings are migrated. You can't modify these files. If you want to exclude certain operating-system settings, you must create and modify a `Config.xml` file.
 
-3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration.
+3. **LoadState** determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the **User Options**. The system profile, the Public profile in a source computer running Windows 7, Windows 8, and Windows 10 is always migrated and you can't exclude these profiles from the migration.
 
-   - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the<strong>/lac</strong> command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated.
+   - If you're migrating local user accounts and if the accounts don't already exist on the destination computer, you must use the `/lac` command-line option. If you don't specify the `/lac` option, any local user accounts that aren't already present on the destination computer, aren't migrated.
 
-   - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified.
+   - The `/md` and `/mu` options are processed to rename the user profile on the destination computer, if they've been included when the `LoadState.exe` command was specified.
 
-   - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md).
+   - For each user profile selected from the store, **LoadState** creates a corresponding user profile on the destination computer. The destination computer doesn't need to be connected to the domain for domain user profiles to be created. If USMT can't determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md).
 
-4. In the "Scanning" phase, LoadState does the following for each user profile:
+4. In the **Scanning** phase, **LoadState** does the following for each user profile:
 
-   1.  For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored.
+   1. For each component, **LoadState** checks the type of the component. If the current user profile is the system profile and the component type is **System** or **UserAndSystem**, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile isn't the system profile and the component type is **User** or **UserAndSystem**, the component is selected for this user. Otherwise, this component is ignored.
 
-       **Note**  
-       From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way.
+       > [!NOTE]
+       > From this point on, **LoadState** does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users' files. **LoadState** evaluates all components in the same way.
 
-         
+   2. Each component that is selected is processed further. Any profile-specific variables (such as **CSIDL_PERSONAL**) are evaluated in the context of the current profile. For example, if the profile being processed belongs to **User1**, then **CSIDL_PERSONAL** would expand to `C:\Users\User1\Documents` (assuming that the user profiles are stored in the `C:\Users` directory).
 
-   2.  Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory).
+       > [!NOTE]
+       > **LoadState** ignores the **&lt;detects&gt;** section specified in a component. At this point, all specified components are considered to be detected and are selected for migration.
 
-       **Note**  
-       LoadState ignores the &lt;detects&gt; section specified in a component. At this point, all specified components are considered to be detected and are selected for migration.
+   3. For each selected component, **LoadState** evaluates the **&lt;rules&gt;** sections. For each **&lt;rules&gt;** section, if the current user profile is the system profile and the context of the **&lt;rules&gt;** section is **System** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile isn't the system profile and the context of the **&lt;rules&gt;** section is **User** or **UserAndSystem**, the rule is processed further. Otherwise, this rule is ignored.
 
-         
+   4. **LoadState** creates a master list of migration units by processing the various subsections under the **&lt;rules&gt;** section. Each migration unit that is in an **&lt;include&gt;** subsection is migrated as long, as there isn't a more specific rule for it in an **&lt;exclude&gt;** subsection in the same **&lt;rules&gt;** section. For more information about precedence, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
 
-   3.  For each selected component, LoadState evaluates the &lt;rules&gt; sections. For each &lt;rules&gt; section, if the current user profile is the system profile and the context of the &lt;rules&gt; section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the &lt;rules&gt; section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored.
-
-   4.  LoadState creates a master list of migration units by processing the various subsections under the &lt;rules&gt; section. Each migration unit that is in an &lt;include&gt; subsection is migrated as long, as there is not a more specific rule for it in an &lt;exclude&gt; subsection in the same &lt;rules&gt; section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
-
-   5.  LoadState evaluates the destination computer-specific subsections; for example, the &lt;destinationCleanup&gt; and &lt;locationModify&gt; subsections.
-
-   6.  If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState.
-
-       **Important**  
-       It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as &lt;locationModify&gt;, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran.
-
-5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a &lt;merge&gt; rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed.
-
-## Related topics
-
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
-
- 
-
- 
+   5. **LoadState** evaluates the destination computer-specific subsections, for example, the **&lt;destinationCleanup&gt;** and **&lt;locationModify&gt;** subsections.
 
+   6. If the destination computer is running Windows 7, Windows 8, or Windows 10, then the migunits that were collected by **ScanState** using downlevel manifest files are processed by **LoadState** using the corresponding Component Manifest for Windows 7. The downlevel manifest files aren't used during **LoadState**.
 
+       > [!IMPORTANT]
+       > It is important to specify the .xml files with the `LoadState.exe` command if you want **LoadState** to use them. Otherwise, any destination-specific rules, such as **&lt;locationModify&gt;**, in these .xml files are ignored, even if the same .xml files were provided when the `ScanState.exe` command ran.
 
+5. In the **Apply** phase, **LoadState** writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there isn't a **&lt;merge&gt;** rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, don't take effect until the next time the user logs on. For this reason, you should sign out when the `LoadState.exe` command actions have completed.
 
+## Related articles
 
+[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)
diff --git a/windows/deployment/usmt/usmt-how-to.md b/windows/deployment/usmt/usmt-how-to.md
index c22457f303..e234211ca1 100644
--- a/windows/deployment/usmt/usmt-how-to.md
+++ b/windows/deployment/usmt/usmt-how-to.md
@@ -1,32 +1,35 @@
 ---
-title: User State Migration Tool (USMT) How-to topics (Windows 10)
-description: Reference the topics in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
+title: User State Migration Tool (USMT) How-to articles (Windows 10)
+description: Reference the articles in this article to learn how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# User State Migration Tool (USMT) How-to topics
-The following table lists topics that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
+# User State Migration Tool (USMT) how-to articles
 
-## In This Section
+The following table lists articles that describe how to use User State Migration Tool (USMT) 10.0 to perform specific tasks.
 
-|Topic |Description|
-|------|-----------|
-|[Exclude Files and Settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
-|[Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
-|[Include Files and Settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
-|[Migrate Application Settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file does not include by default.|
-|[Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
-|[Migrate User Accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
-|[Reroute Files and Settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
-|[Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
+## In this section
 
-## Related topics
-- [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+| Link | Description |
+|------ |----------- |
+|[Exclude files and settings](usmt-exclude-files-and-settings.md)|Create a custom .xml file to exclude files, file types, folders, or registry settings from your migration.|
+|[Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md)|Recover files from a compressed migration store after installing the operating system.|
+|[Include files and settings](usmt-include-files-and-settings.md)|Create a custom .xml file to include files, file types, folders, or registry settings in your migration.|
+|[Migrate application settings](migrate-application-settings.md)|Migrate the settings of an application that the MigApp.xml file doesn't include by default.|
+|[Migrate EFS files and certificates](usmt-migrate-efs-files-and-certificates.md)|Migrate Encrypting File System (EFS) certificates by using USMT.|
+|[Migrate user accounts](usmt-migrate-user-accounts.md)|Specify the users to include and exclude in your migration.|
+|[Reroute files and settings](usmt-reroute-files-and-settings.md)|Create a custom .xml file to reroute files and settings during a migration.|
+|[Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md)|Determine whether a compressed migration store is intact, or whether it contains corrupt files or a corrupt catalog.|
+
+## Related articles
+
+- [User State Migration Tool (USMT) overview topics](usmt-topics.md)
+- [User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-identify-application-settings.md b/windows/deployment/usmt/usmt-identify-application-settings.md
index d6287b456f..24278e020b 100644
--- a/windows/deployment/usmt/usmt-identify-application-settings.md
+++ b/windows/deployment/usmt/usmt-identify-application-settings.md
@@ -1,59 +1,46 @@
 ---
 title: Identify Applications Settings (Windows 10)
-description: Identify which applications and settings you want to migrate before using the User State Migration Tool (USMT).
+description: Identify which applications and settings you want to migrate before using the User State Migration Tool (USMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Identify Applications Settings
+# Identify applications settings
 
-
-When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML Files](usmt-customize-xml-files.md).
+When planning for your migration, you should identify which applications and settings you want to migrate. For more information about how to create a custom .xml file to migrate the settings of another application, see [Customize USMT XML files](usmt-customize-xml-files.md).
 
 ## Applications
 
+First, create and prioritize a list of applications that need to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, what applications are migrated are prioritized based on a combination of how widely the application is used and how complex the application is.
 
-First, create and prioritize a list of applications that to be migrated. It may be helpful to review the application lists and decide which applications will be redeployed and which applications will be retired. Often, the applications are prioritized based on a combination of how widely the application is used and how complex the application is.
+Next, identify an application owner to be in charge of each application. Application ownership identification is necessary because the developers won't be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application.
 
-Next, identify an application owner to be in charge of each application. This is necessary because the developers will not be experts on all of the applications in the organization. The application owner should have the most experience with an application. The application owner provides insight into how the organization installs, configures, and uses the application.
+## Application settings
 
-## Application Settings
+Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you're testing the new applications for compatibility with the new operating system.
 
+After completing the list of applications to be migrated, review the list, and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located, for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully:
 
-Next, determine and locate the application settings to be migrated. You can acquire much of the information that you need for this step when you are testing the new applications for compatibility with the new operating system.
+- Is the destination version of the application newer than the source version?
 
-After completing the list of applications to be migrated, review the list and work with each application owner on a list of settings to be migrated. For each setting, determine whether it needs to be migrated or if the default settings are adequate. Then, determine where the setting is located; for example, in the registry or in an .ini file. Next, consider the following questions to determine what needs to be done to migrate the setting successfully:
+- Do these settings work with the new version?
 
--   Is the destination version of the application newer than the source version?
+- Do the settings need to be moved or altered?
 
--   Do these settings work with the new version?
-
--   Do the settings need to be moved or altered?
-
--   Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application?
+- Can the first-run process force the application to appear as if it had run already? If so, does this work correctly, or does it break the application?
 
 After answering these questions, create a custom .xml file to migrate settings. Work with the application owner to develop test cases and to determine the file types that need to be migrated for the application.
 
-## Locating Where Settings Are Stored
-
-
-See [Migrate Application Settings](migrate-application-settings.md) and follow the directions.
-
-## Related topics
-
-
-[Determine What to Migrate](usmt-determine-what-to-migrate.md)
-
- 
-
- 
-
-
+## Locating where settings are stored
 
+See [Migrate application settings](migrate-application-settings.md) and follow the directions.
 
+## Related articles
 
+[Determine what to migrate](usmt-determine-what-to-migrate.md)
diff --git a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
index d3f89466ee..01625d4d37 100644
--- a/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
+++ b/windows/deployment/usmt/usmt-identify-file-types-files-and-folders.md
@@ -2,47 +2,40 @@
 title: Identify File Types, Files, and Folders (Windows 10)
 description: Learn how to identify the file types, files, folders, and settings that you want to migrate when you're planning your migration.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Identify File Types, Files, and Folders
+# Identify file types, files, and folders
 
+When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents** , `C:\Data` , and company-specified locations, such as `\\EngineeringDrafts`. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following items:
 
-When planning for your migration, if not using MigDocs.xml, you should identify the file types, files, folders, and settings that you want to migrate. First, you should determine the standard file locations on each computer, such as **My Documents.** , **C:\\Data** , and company-specified locations, such as **\\EngineeringDrafts**. Next, you should determine and locate the non-standard locations. For non-standard locations, consider the following:
+- **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses `.doc`, `.docx` and `.dotx` file name extension. However, it also uses other file types, such as templates (`.dot` files), on a less frequent basis.
 
--   **File types**. Consider which file types need to be included and excluded from the migration. You can create this list based on common applications used in your organization. Applications normally use specific file name extensions. For example, Microsoft Office Word primarily uses .doc, .docx and .dotx file name extension. However, it also uses other file types, such as templates (.dot files), on a less frequent basis.
+- **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, `%WINDIR%` and **Program Files**).
 
--   **Excluded locations**. Consider the locations on the computer that should be excluded from the migration (for example, %WINDIR% and Program Files).
+- **New locations**. Decide where files should be migrated to on the destination computer, such as **My Documents**, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. Redirection can be accomplished with location modify rules.
 
--   **New locations**. Decide where files should be migrated to on the destination computer for example, \\My Documents, a designated folder, or a folder matching the files' name and location on the source computer. For example, you might have shared data on source machine or you might wish to clean up documents outside the user profiles on the source system. Identify any data that needs to be redirected to a new location in the apply phase. This can be accomplished with location modify rules.
+Once you've verified which files and file types that the end users work with regularly, you'll need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer.
 
-Once you have verified which files and file types that the end users work with regularly, you will need to locate them. Files may be saved to a single folder or scattered across a drive. A good starting point for finding files types to include is to look at the registered file types on the computer.
+To find the registered file types on a computer running Windows 7, Windows 8, Windows 10, or Windows 11:
 
-**To find the registered file types on a computer running Windows 7 or Windows 8**
+1. Open **Control Panel**
+2. Make sure **View by:** is set to **Category** and then select **Programs**.
 
-1.  Click **Start**. Open **Control Panel**, click **Control Panel Home**, and click **Programs**.
-
-2.  Click **Default Programs**, and click **Associate a file type or protocol with a program**.
-
-3.  On this screen, the registered file types are displayed.
-
-For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
-
-## Related topics
-
-
-[Determine What to Migrate](usmt-determine-what-to-migrate.md)
-
- 
-
- 
+3. Select **Default Programs**
 
+4. select **Associate a file type or protocol with a program**.
 
+5. On this screen, the registered file types are displayed.
 
+For more information about how to change the file types, files, and folders that are migrated when you specify the MigUser.xml file, see [User State Migration Tool (USMT) how-to topics](usmt-how-to.md).
 
+## Related articles
 
+[Determine what to migrate](usmt-determine-what-to-migrate.md)
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
index afea6979e6..9b3d93da8e 100644
--- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md
+++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md
@@ -2,56 +2,44 @@
 title: Identify Operating System Settings (Windows 10)
 description: Identify which system settings you want to migrate, then use the User State Migration Tool (USMT) to select settings and keep the default values for all others.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Identify Operating System Settings
+# Identify operating system settings
 
+When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following parameters:
 
-When planning for your migration, you should identify which operating system settings you want to migrate and to what extent you want to create a new standard environment on each of the computers. User State Migration Tool (USMT) 10.0 enables you to migrate select settings and keep the default values for all others. The operating system settings include the following parameters:
-
--   **Appearance.**
+- **Appearance**
 
     The appearance factor includes items such as wallpaper, colors, sounds, and the location of the taskbar.
 
--   **Action.**
+- **Action**
 
     The action factor includes items such as the key-repeat rate, whether double-clicking a folder opens it in a new window or the same window, and whether you need to single-click or double-click an item to open it.
 
--   **Internet.**
+- **Internet**
 
     The Internet factor includes the settings that let you connect to the Internet and control how your browser operates. The settings include items such as your home page URL, favorites, bookmarks, cookies, security settings, dial-up connections, and proxy settings.
 
--   **Mail.**
+- **Mail**
 
     The mail factor includes the information that you need to connect to your mail server, your signature file, views, mail rules, local mail, and contacts.
 
-To help you decide which settings to migrate, you should consider any previous migration experiences and the results of any surveys and tests that you have conducted. You should also consider the number of help-desk calls related to operating-system settings that you have had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of.
+To help you decide which settings to migrate, you should consider any previous migration experiences and the results of any surveys and tests that you've conducted. You should also consider the number of help-desk calls related to operating-system settings that you've had in the past, and are able to handle in the future. Also decide how much of the new operating-system functionality you want to take advantage of.
 
-You should migrate any settings that users need to get their jobs done, those settings that make the work environment comfortable, and those settings that will reduce help-desk calls after the migration. Although it is easy to dismiss migrating user preferences, you should consider the factor of users spending a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users do not remember how these settings were applied. Although these items are not critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process.
+You should migrate any settings that users need to get their jobs done, those settings that make the work environment comfortable, and those settings that will reduce help-desk calls after the migration. Although it's easy to dismiss migrating user preferences, you should consider the factor of users spending a significant amount of time restoring items such as wallpaper, screen savers, and other customizable user-interface features. Most users don't remember how these settings were applied. Although these items aren't critical to migration success, migrating these items increases user productivity and overall satisfaction of the migration process.
 
-**Note**  
-For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) How-to topics](usmt-how-to.md).
+> [!NOTE]
+> For more information about how to change the operating-system settings that are migrated, see [User State Migration Tool (USMT) how-to topics](usmt-how-to.md).
 
-For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
- 
-
-## Related topics
+For information about the operating-system settings that USMT migrates, see [What does USMT migrate?](usmt-what-does-usmt-migrate.md)
 
+## Related articles
 
 [Determine What to Migrate](usmt-determine-what-to-migrate.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index 294142210c..270b1902c3 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -1,62 +1,58 @@
 ---
 title: Identify Users (Windows 10)
-description: Learn how to identify users you plan to migrate, as well as how to migrate local accounts and domain accounts.
+description: Learn how to identify users you plan to migrate, and how to migrate local accounts and domain accounts.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.topic: article
 ms.localizationpriority: medium
+ms.technology: itpro-deploy
+ms.date: 11/01/2022
 ---
 
-# Identify Users
+# Identify users
 
-It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
+It's important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You can't specify users in the .xml files. For instructions on how to migrate users, see [Migrate user accounts](usmt-migrate-user-accounts.md).
 
-## In this topic
+## Migrating local accounts
 
-- [Migrating Local Accounts](#bkmk-8)
-- [Migrating Domain Accounts](#bkmk-9)
-- [Command-Line Options](#bkmk-7)
+Before migrating local accounts, be aware of the following items:
 
-## <a href="" id="bkmk-8"></a>Migrating Local Accounts
+- **You must explicitly specify that local accounts that are not on the destination computer should be migrated**. If you're migrating local accounts and the local account doesn't exist on the destination computer, you must use the `/lac` option when using the `LoadState.exe` command. If the `/lac` option isn't specified, no local user accounts will be migrated.
 
-Before migrating local accounts, note the following:
+- **Consider whether to enable user accounts that are new to the destination computer.** The `/lae` option enables the account that was created with the `/lac` option. However, if you create a disabled local account by using only the `/lac` option, a local administrator must enable the account on the destination computer.
 
-- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated.
+- **Be careful when specifying a password for local accounts.** If you create the local account with a blank password, anyone could sign in that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools.
 
-- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer.
+> [!NOTE]
+> If there are multiple users on a computer, and you specify a password with the `/lac` option, all migrated users will have the same password.
 
-- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools.
+## Migrating domain accounts
 
->[!NOTE]
->If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password.
+The source and destination computers don't need to be connected to the domain for domain user profiles to be migrated.
 
-## <a href="" id="bkmk-9"></a>Migrating Domain Accounts
-
-The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated.
-
-## <a href="" id="bkmk-7"></a>Command-Line Options
+## Command-line options
 
 USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate.
 
-- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools.
+- **Specifying users.** You can specify which users to migrate with the `/all`, `/ui`, `/uel`, and `/ue` options with both the  **ScanState** and **LoadState** command-line tools.
 
-  >[!IMPORTANT]
-  >The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations.
+  > [!IMPORTANT]
+  > The `/uel` option excludes users based on the **LastModified** date of the `Ntuser.dat` file. The `/uel` option is not valid in offline migrations.
 
-- [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool.
+- **Moving users to another domain.** You can move user accounts to another domain using the `/md` option with the **LoadState** command-line tool.
 
-- [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool.
+- **Creating local accounts.** You can create and enable local accounts using the `/lac` and `/lae` options with the **LoadState** command-line tool.
 
-- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option.
+- **Renaming user accounts.** You can rename user accounts using the `/mu` option.
 
-  >[!NOTE]
+  > [!NOTE]
   >By default, if a user name is not specified in any of the command-line options, the user will be migrated.
 
-## Related topics
+## Related articles
 
-[Determine What to Migrate](usmt-determine-what-to-migrate.md)<br>
-[ScanState Syntax](usmt-scanstate-syntax.md)<br>
-[LoadState Syntax](usmt-loadstate-syntax.md)
+- [Determine what to migrate](usmt-determine-what-to-migrate.md)
+- [ScanState syntax](usmt-scanstate-syntax.md)
+- [LoadState syntax](usmt-loadstate-syntax.md)
diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md
index 1ff3740fc6..7249c768be 100644
--- a/windows/deployment/usmt/usmt-include-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-include-files-and-settings.md
@@ -1,40 +1,25 @@
 ---
 title: Include Files and Settings (Windows 10)
-description: Specify the migration .xml files you want, then use the User State Migration Tool (USMT) 10.0  to migrate the settings and components specified.
+description: Specify the migration .xml files you want, then use the User State Migration Tool (USMT) 10.0  to migrate the settings and components specified.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Include Files and Settings
 
+When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 migrates the settings and components specified in [What does USMT migrate?](usmt-what-does-usmt-migrate.md). To include additional files and settings, we recommend that you create a custom .xml file, and then include this file when using both the `ScanState.exe` and `LoadState.exe` commands. By creating a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
 
-When you specify the migration .xml files, User State Migration Tool (USMT) 10.0 migrates the settings and components specified in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) To include additional files and settings, we recommend that you create a custom .xml file and then include this file when using both the ScanState and LoadState commands. By creating a custom .xml file, you can keep your changes separate from the default .xml files, which makes it easier to track your modifications.
-
-In this topic:
-
-[Migrate a Single Registry Key](#bkmk-migsingleregkey)
-
-[Migrate a Specific Folder](#bkmk-migspecificfolder)
-
-[Migrate a Folder from a Specific Drive](#bkmk-migfoldspecdrive)
-
-[Migrate a Folder from Any Location](#bkmk-migfolderanyloc)
-
-[Migrate a File Type Into a Specific Folder](#bkmk-migfiletypetospecificfolder)
-
-[Migrate a Specific File](#bkmk-migspecificfile)
-
-## <a href="" id="bkmk-migsingleregkey"></a> Migrate a Single Registry Key
-
+## Migrate a single registry key
 
 The following .xml file migrates a single registry key.
 
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
      <component type="Application" context="System">
           <displayName>Component to migrate only registry value string</displayName> 
@@ -51,56 +36,55 @@ The following .xml file migrates a single registry key.
 </migration>
 ```
 
-## <a href="" id="bkmk-migspecificfolder"></a>Migrate a Specific Folder
-
+## Migrate a specific folder
 
 The following examples show how to migrate a folder from a specific drive, and from any location on the computer.
 
-### <a href="" id="bkmk-migfoldspecdrive"></a> Migrate a Folder from a Specific Drive
+### Migrate a folder from a specific drive
 
--   **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer.
+- **Including subfolders.** The following .xml file migrates all files and subfolders from `C:\EngineeringDrafts` to the destination computer.
 
-    ``` xml
+    ```xml
     <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
     <component type="Documents" context="System">
       <displayName>Component to migrate all Engineering Drafts Documents including subfolders</displayName>
       <role role="Data">
-        <rules>
-          <include>
+        <rules>
+          <include>
             <objectSet>
               <pattern type="File">C:\EngineeringDrafts\* [*]</pattern>
             </objectSet>
           </include>
-        </rules>
-      </role>
+        </rules>
+      </role>
     </component>
     </migration>
     ```
 
--   **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts.
+- **Excluding subfolders.** The following .xml file migrates all files from `C:\EngineeringDrafts`, but it doesn't migrate any subfolders within `C:\EngineeringDrafts`.
 
-    ``` xml
+    ```xml
     <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
     <component type="Documents" context="System">
       <displayName>Component to migrate all Engineering Drafts Documents without subfolders</displayName>
       <role role="Data">
-        <rules>
-          <include>
+        <rules>
+          <include>
             <objectSet>
               <pattern type="File"> C:\EngineeringDrafts\ [*]</pattern>
             </objectSet>
           </include>
-        </rules>
-      </role>
+        </rules>
+      </role>
     </component>
     </migration>
     ```
 
-### <a href="" id="bkmk-migfolderanyloc"></a>Migrate a Folder from Any Location
+### Migrate a folder from any location
 
-The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated.
+The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated.
 
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="System">
   <displayName>Component to migrate all Engineering Drafts Documents folder on any drive on the computer </displayName>
@@ -118,9 +102,9 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf
 </migration>
 ```
 
-The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated.
+The following .xml file migrates all files and subfolders of the `EngineeringDrafts` folder from any location on the `C:\` drive. If multiple folders exist with the same name, they're all migrated.
 
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="System">
   <displayName>Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive </displayName>
@@ -138,12 +122,11 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf
 </migration>
 ```
 
-## <a href="" id="bkmk-migfiletypetospecificfolder"></a>Migrate a File Type Into a Specific Folder
+## Migrate a file type into a specific folder
 
+The following .xml file migrates `.mp3` files located in the specified drives on the source computer into the `C:\Music` folder on the destination computer.
 
-The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer.
-
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="System">
   <displayName>All .mp3 files to My Documents</displayName>
@@ -166,58 +149,47 @@ The following .xml file migrates .mp3 files located in the specified drives on t
 </migration> 
 ```
 
-## <a href="" id="bkmk-migspecificfile"></a>Migrate a Specific File
-
+## Migrate a specific file
 
 The following examples show how to migrate a file from a specific folder, and how to migrate a file from any location.
 
--   **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer.
+- **To migrate a file from a folder.** The following .xml file migrates only the `Sample.doc` file from `C:\EngineeringDrafts` on the source computer to the destination computer.
 
-    ``` xml
+    ```xml
     <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
     <component type="Documents" context="System">
       <displayName>Component to migrate all Engineering Drafts Documents</displayName>
       <role role="Data">
-        <rules>
-          <include>
+        <rules>
+          <include>
             <objectSet>
               <pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
             </objectSet>
           </include>
-        </rules>
-      </role>
+        </rules>
+      </role>
     </component>
     </migration>
     ```
 
--   **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the &lt;pattern&gt; element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated.
+- **To migrate a file from any location.** To migrate the `Sample.doc` file from any location on the `C:\` drive, use the **&lt;pattern&gt;** element, as the following example shows. If multiple files exist with the same name on the `C:\` drive, all of files with this name are migrated.
 
-    ``` xml
+    ```xml
     <pattern type="File"> C:\* [Sample.doc] </pattern>
     ```
 
     To migrate the Sample.doc file from any drive on the computer, use &lt;script&gt; as the following example shows. If multiple files exist with the same name, all files with this name are migrated.
 
-    ``` xml
+    ```xml
     <script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>
     ```
 
-## Related topics
-
-
-[Customize USMT XML Files](usmt-customize-xml-files.md)
-
-[Custom XML Examples](usmt-custom-xml-examples.md)
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[USMT XML Reference](usmt-xml-reference.md)
-
- 
-
- 
-
+## Related articles
 
+[Customize USMT XML files](usmt-customize-xml-files.md)
 
+[Custom XML examples](usmt-custom-xml-examples.md)
 
+[Conflicts and precedence](usmt-conflicts-and-precedence.md)
 
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index d019f64f93..b6238044f2 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -2,98 +2,101 @@
 title: LoadState Syntax (Windows 10)
 description: Learn about the syntax and usage of the command-line options available when you use the LoadState command.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# LoadState Syntax
+# LoadState syntax
 
-This topic discusses the **LoadState** command syntax and options available with it.
+The `LoadState.exe` command is used with the User State Migration Tool (USMT) 10.0 to restore a store previously captured by the `ScanState.exe` command onto a destination computer. This article discusses the `LoadState.exe` command syntax and the options available with it.
 
-## <a href="" id="before"></a>Before You Begin
+## Before you begin
 
-Before you run the **LoadState** command, note the following:
+Before you run the `LoadState.exe` command, note the following items:
 
--   To ensure that all operating system settings migrate, we recommend that you run the **LoadState** commands in administrator mode from an account with administrative credentials.
+- To ensure that all operating system settings migrate, we recommend that you run the `LoadState.exe` commands in administrator mode from an account with administrative credentials.
 
--   For information about software requirements for running the **LoadState** command, see [USMT Requirements](usmt-requirements.md).
+- For information about software requirements for running the `LoadState.exe` command, see [USMT requirements](usmt-requirements.md).
 
--   You should log off after you run the **LoadState** command. Some settings (for example, fonts, wallpaper, and screensaver settings) will not take effect until the next time the user logs in.
+- You should sign out after you run the `LoadState.exe` command. Some settings, such as example, fonts, wallpaper, and screensaver settings, won't take effect until the next time the user logs in.
 
--   Unless otherwise specified, you can use each option only once when running a tool on the command line.
+- Unless otherwise specified, you can use each option only once when running a tool on the command line.
 
--   **LoadState** does not require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It is not necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain.
+- **LoadState** doesn't require domain controller access to apply domain profiles. This functionality is available without any additional configuration. It isn't necessary for the source computer to have had domain controller access when the user profile was gathered using **ScanState**. However, domain profiles are inaccessible until the destination computer is joined to the domain.
 
--   The [Incompatible Command-Line Options](#bkmk-cloi) table lists which options you can use together and which command-line options are incompatible.
+- The [Incompatible command-line options](#incompatible-command-line-options) table lists which options you can use together and which command-line options are incompatible.
 
-## <a href="" id="bkmk-s"></a>Syntax
+## Syntax
 
-This section explains the syntax and usage of the command-line options available when you use the **LoadState** command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator.
+This section explains the syntax and usage of the command-line options available when you use the `LoadState.exe` command. The options can be specified in any order. If the option contains a parameter, you can specify either a colon or space separator.
 
-The **LoadState** command's syntax is:
+The `LoadState.exe` command's syntax is:
 
-loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
+<!--
+`LoadState.exe  StorePath [/i:[Path\]FileName] [/v:VerbosityLevel] [/nocompress] [/decrypt /key:KeyString|/keyfile:[Path\]FileName] [/l:[Path\]FileName] [/progress:[Path\]FileName] [/r:TimesToRetry] [/w:SecondsToWait] [/c] [/all] [/ui:[DomainName|ComputerName\]UserName] [/ue:[[DomainName|ComputerName\]UserName] [/uel:NumberOfDays|YYYY/MM/DD|0] [/md:OldDomain:NewDomain] [/mu:OldDomain\OldUserName:[NewDomain\]NewUserName] [/lac:[Password]] [/lae] [/config:[Path\]FileName] [/?|help]`
+-->
 
-For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line:
+> LoadState.exe  *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
 
-`loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"`
+For example, to decrypt the store and migrate the files and settings to a computer, type the following command:
 
-## <a href="" id="bkmk-st"></a>Storage Options
+`LoadState.exe  \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /v:13 /decrypt /key:"mykey"`
 
+## Storage options
 
 USMT provides the following options that you can use to specify how and where the migrated data is stored.
 
 | Command-Line Option | Description |
 |--- |--- |
-| `StorePath` | Indicates the folder where the files and settings data are stored. You must specify *StorePath* when using the **LoadState** command. You cannot specify more than one *StorePath*. |
-| `/decrypt /key`:*KeyString* <br/>or <br/>`/decrypt /key`:"*Key String*" <br/>or <br/>`/decrypt /keyfile`:[*Path*]*FileName* | Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:<ul><li>`/key:`*KeyString* specifies the encryption key. If there is a space in *KeyString*, you must surround the argument with quotation marks.</li><li>`/keyfile:`*FilePathAndName* specifies a text (.txt) file that contains the encryption key</li></ul> <br/>*KeyString* cannot exceed 256 characters. <br/>The `/key` and `/keyfile` options cannot be used on the same command line. <br/>The `/decrypt` and `/nocompress` options cannot be used on the same command line. <br/><div class="alert">**Important** <br/> Use caution with this option, because anyone who has access to the **LoadState** command-line script will also have access to the encryption key.</div> <br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /decrypt /key:mykey` |
-| `/decrypt:`*"encryption strength"* | The `/decrypt` option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). |
-| `/hardlink` | Enables user-state data to be restored from a hard-link migration store. The `/nocompress` parameter must be specified with `/hardlink` option. |
-| `/nocompress` | Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the `/decrypt` option. <br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /nocompress` |
+| **StorePath** | Indicates the folder where the files and settings data are stored. You must specify *StorePath* when using the `LoadState.exe` command. You can't specify more than one *StorePath*. |
+| **/decrypt /key**:*KeyString* <br/>or <br/>**/decrypt /key**:"*Key String*" <br/>or <br/>**/decrypt /keyfile**:[*Path*]*FileName* | Decrypts the store with the specified key. With this option, you'll need to specify the encryption key in one of the following ways:<ul><li>`/key`:*KeyString* specifies the encryption key. If there's a space in *KeyString*, you must surround the argument with quotation marks (`"`).</li><li>`/keyfile`:*FilePathAndName* specifies a text (`.txt`) file that contains the encryption key</li></ul> <br/>*KeyString* can't exceed 256 characters. <br/>The `/key` and `/keyfile` options can't be used on the same command line. <br/>The `/decrypt` and `/nocompress` options can't be used on the same command line. <br/><div class="alert">**Important** <br/> Use caution when using the `/key` or `keyfile` options. For example, anyone who has access to scripts that run the `LoadState.exe` command with these options will also have access to the encryption key.</div> <br/>For example: <br/>`LoadState.exe  /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /decrypt /key:mykey` |
+| **/decrypt**:*"encryption strength"* | The `/decrypt` option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). |
+| **/hardlink** | Enables user-state data to be restored from a hard-link migration store. The `/nocompress` parameter must be specified with `/hardlink` option. |
+| **/nocompress** | Specifies that the store isn't compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option can't be used with the `/decrypt` option. <br/>For example: <br/>`LoadState.exe  /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /nocompress` |
 
-## <a href="" id="bkmk-mig"></a>Migration Rule Options
+## Migration rule options
 
 USMT provides the following options to specify what files you want to migrate.
 
 | Command-Line Option | Description |
 |--- |--- |
-| `/i`:[*Path*]*FileName* | **(include)** <br/>Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* must be located in the current directory. <br/><br/>For more information about which files to specify, see the &quot;XML files&quot; section of the [Frequently Asked Questions](usmt-faq.yml) topic. |
-| `/config:`[*Path*]*FileName* | Specifies the Config.xml file that the **LoadState** command should use. You cannot specify this option more than once on the command line. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the *FileName* must be located in the current directory. <br/><br/>This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files: <br/><br/>`loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log` |
-| `/auto:`*"path to script files"* | This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The `/auto` option has the same effect as using the following options: `/i:MigDocs.xml` `/i:MigApp.xml /v:5`. |
+| **/i**:[*Path*]*FileName* | **(include)** <br/>Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (`MigApp.xml`, `MigSys.xml`, `MigDocs.xml` and any custom .xml files that you create). *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* must be located in the current directory. <br/><br/>For more information about which files to specify, see the &quot;XML files&quot; section of the [Frequently Asked Questions](usmt-faq.yml) article. |
+| **/config**:[*Path*]*FileName* | Specifies the `Config.xml` file that the `LoadState.exe` command should use. You can't specify this option more than once on the command line. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then the *FileName* must be located in the current directory. <br/><br/>This example migrates the files and settings based on the rules in the `Config.xml`, `MigDocs.xml`, and `MigApp.xml` files: <br/><br/>`LoadState.exe  \server\share\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:5 /l:LoadState.log` |
+| **/auto**:*"path to script files"* | This option enables you to specify the location of the default .xml files and then launch your migration. If no path is specified, USMT will use the directory where the USMT binaries are located. The `/auto` option has the same effect as using the following options: `/i:MigDocs.xml` `/i:MigApp.xml /v:5`. |
 
-## <a href="" id="bkmk-mon"></a>Monitoring Options
+## Monitoring options
 
 USMT provides several command-line options that you can use to analyze problems that occur during migration.
 
 | Command-Line Option | Description |
 |--- |--- |
-| `/l:`[*Path*]*FileName* | Specifies the location and name of the **LoadState** log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the log will be created in the current directory. You can specify the **/v** option to adjust the amount of output. <br/><br/>If you run the **LoadState** command from a shared network resource, you must specify this option or USMT will fail with the error: &quot;USMT was unable to create the log file(s)&quot;. To fix this issue, use the **/l:load.log** option. |
-| `/v:`*`<VerbosityLevel>`* | **(Verbosity)** <br/><br/>Enables verbose output in the LoadState log file. The default value is 0. <br/>You can set the *VerbosityLevel* to one of the following levels:<ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul><br/>For example: <br/>`loadstate \server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml` |
-| `/progress:`[*Path*]*FileName* | Creates the optional progress log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory. <br/><br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:loadlog.log` |
-| `/c` | When this option is specified, the **LoadState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit on the computer, the **LoadState** command will log an error and continue with the migration. Without the **/c** option, the **LoadState** command will exit on the first error. You can use the new &lt;**ErrorControl**&gt; section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This enables the **/c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the **/genconfig** option now generates a sample &lt;**ErrorControl**&gt; section that is enabled by specifying error messages and desired behaviors in the Config.xml file. |
-| `/r:`*`<TimesToRetry>`* | **(Retry)** <br/><br/>Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable. <br/><br/>While restoring the user state, the **/r** option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. |
-| `/w:`*`<SecondsBeforeRetry>`* | **(Wait)** <br/><br/>Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. |
-| `/?` or `/help` | Displays Help on the command line. |
+| **/l**:[*Path*]*FileName* | Specifies the location and name of the **LoadState** log. You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then the log will be created in the current directory. You can specify the `/v` option to adjust the verbosity of the log. <br/><br/>If you run the `LoadState.exe` command from a shared network resource, you must specify the `l` option, or USMT will fail with the error:<br/><br/>***USMT was unable to create the log file(s)***<br/><br/> To fix this issue, make sure to specify the `/l` option when running `LoadState.exe` from a shared network resource. |
+| **/v**:*`<VerbosityLevel>`* | **(Verbosity)** <br/><br/>Enables verbose output in the **LoadState** log file. The default value is 0. <br/>You can set the *VerbosityLevel* to one of the following levels:<ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul><br/>For example: <br/>`LoadState.exe  \server\share\migration\mystore /v:5 /i:MigDocs.xml /i:MigApp.xml` |
+| **/progress**:[*Path*]*FileName* | Creates the optional progress log. You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* will be created in the current directory. <br/><br/>For example: <br/>`LoadState.exe  /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /progress:Progress.log /l:loadlog.log` |
+| **/c** | When this option is specified, the `LoadState.exe` command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there's a large file that won't fit on the computer, the `LoadState.exe` command will log an error and continue with the migration. Without the `/c` option, the `LoadState.exe` command will exit on the first error. You can use the new &lt;**ErrorControl**&gt; section in the `Config.xml` file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This error control enables the `/c` command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the `/genconfig` option now generates a sample &lt;**ErrorControl**&gt; section that is enabled by specifying error messages and desired behaviors in the `Config.xml` file. |
+| **/r**:*`<TimesToRetry>`* | **(Retry)** <br/><br/>Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity isn't reliable. <br/><br/>While restoring the user state, the `/r` option won't recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. |
+| **/w**:*`<SecondsBeforeRetry>`* | **(Wait)** <br/><br/>Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. |
+| **/?** or **/help** | Displays Help on the command line. |
 
-## <a href="" id="bkmk-user"></a>User Options
+## User options
 
-By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or by using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md).
+By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You can't exclude users in the migration .xml files or by using the `Config.xml` file. For more information, see [Identify Users](usmt-identify-users.md).
 
 | Command-Line Option | Description |
 |--- |--- |
-| `/all` | Migrates all of the users on the computer. <br/><br/>USMT migrates all user accounts on the computer, unless you specifically exclude an account with the **/ue** or **/uel** options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the **/all** option, you cannot also use the **/ui**, **/ue** or **/uel** options. |
-| `/ui:`*DomainName UserName* <br/>or <br/>`/ui:`*"DomainName User Name"* <br/>or <br/>`/ui:`*ComputerName LocalUserName* | **(User include)** <br/><br/>Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the **/ue** option. You can specify multiple **/ui** options, but you cannot use the **/ui** option with the **/all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks. <br/>For example:<ul><li>To include only User2 from the Corporate domain, type: <br/>`/ue:* /ui:corporate\user2`</li></ul> <div class="alert">**Note** <br/>If a user is specified for inclusion with the **/ui** option, and also is specified to be excluded with either the **/ue** or **/uel** options, the user will be included in the migration.</div> <br/> For more examples, see the descriptions of the **/uel**, **/ue**, and **/ui** options in this table. |
-| `/uel:`*`<NumberOfDays>`* <br/>or <br/>`/uel:`*`<YYYY/MM/DD>`* <br/>or <br/>`/uel:0` | **(User exclude based on last logon)** <br/><br/>Migrates only the users that logged onto the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The **/uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the **/all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT. <div class="alert">**Note** <br/>The **/uel** option is not valid in offline migrations.</div> <br/>Examples:<ul><li>`/uel:0` migrates accounts that were logged on to the source computer when the **ScanState** command was run.</li><li>`/uel:90` migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.</li><li>`/uel:1` migrates users whose accounts have been modified within the last 24 hours.</li><li>`/uel:2002/1/15` migrates users who have logged on or whose accounts have been modified since January 15, 2002.</li></ul> <br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /uel:0` |
-| `/ue`:*DomainName UserName* <br/>or <br/>`/ue`*"DomainName User Name"* <br/>or <br/>`/ue`:*ComputerName LocalUserName* | **(User exclude)** <br/><br/>Excludes the specified users from the migration. You can specify multiple **/ue** options but you cannot use the **/ue** option with the **/all** option. *DomainName* and *UserName* can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks. <br/><br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /ue:contoso\user1` <br/>For more examples, see the descriptions of the **/uel**, **/ue**, and **/ui** options in this table. |
-| `/md:`*OldDomain*:*NewDomain* <br/>or <br/>`/md:`*LocalComputerName:NewDomain* | **(move domain)** <br/>Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. *OldDomain* may contain the asterisk () wildcard character. <br/><br/>You can specify this option more than once. You may want to specify multiple **/md** options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: `/md:corporate:fabrikam` and `/md:farnorth:fabrikam`. <br/><br/>If there are conflicts between two **/md** commands, the first rule that you specify is applied. For example, if you specify the `/md:corporate:fabrikam` and `/md:corporate:farnorth` commands, then Corporate users would be mapped to the Fabrikam domain. <div class="alert"> **Note** <br/>If you specify an *OldDomain* that did not exist on the source computer, the **LoadState** command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to *NewDomain* but will remain in their original domain. For example, if you misspell &quot;contoso&quot; and you specify &quot;/md:contso:fabrikam&quot;, the users will remain in contoso on the destination computer.</div> <br/> For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore` <br/>` /progress:prog.log /l:load.log /md:contoso:fabrikam` |
-| `/mu:`*OldDomain OldUserName*:[*NewDomain*]*NewUserName* <br/>or <br/>`/mu:`*OldLocalUserName*:*NewDomain NewUserName* | Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple **/mu** options. You cannot use wildcard characters with this option. <br/><br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore` <br/>`/progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1` |
-| `/lac:`[*Password*] | **(local account create)** <br/><br/>Specifies that if a user account is a local (non-domain) account, and it does not exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the **/lae** option. <br/><br/>If the **/lac** option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated. <br/><br/>*Password* is the password for the newly created account. An empty password is used by default. <div class="alert"> **Caution** <br/>Use the *Password* variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the **LoadState** command. <br/>Also, if the computer has multiple users, all migrated users will have the same password.</div> <br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore` <br/>For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md). |
-| `/lae` | **(local account enable)** <br/><br/>Enables the account that was created with the **/lac** option. You must specify the **/lac** option with this option. <br/><br/>For example: <br/>`loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore` <br/>`/progress:prog.log /l:load.log /lac:password /lae` <br/><br/>For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md). |
-
+| **/all** | Migrates all of the users on the computer. <br/><br/>USMT migrates all user accounts on the computer, unless you specifically exclude an account with the `/ue` or `/uel` options. For this reason, you don't need to specify this option on the command line. However, if you choose to use the `/all` option, you can't also use the `/ui`, `/ue` or `/uel` options. |
+| **/ui**:*DomainName UserName* <br/>or <br/>**/ui**:*"DomainName User Name"* <br/>or <br/>**/ui**:*ComputerName LocalUserName* | **(User include)** <br/><br/>Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the `/ue` option. You can specify multiple `/ui` options, but you can't use the `/ui` option with the `/all` option. *DomainName* and *UserName* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you'll need to surround it with quotations marks (`"`). <br/><br/>For example, to include only **User2** from the Corporate domain, enter: <br/><br/>`/ue:* /ui:corporate\user2`<br/><br/><div class="alert">**Note** <br/>If a user is specified for inclusion with the `/ui` option and also specified to be excluded with either the `/ue` or `/uel` options, the user will be included in the migration.</div> <br/> For more examples, see the descriptions of the `/uel`, `/ue`, and `/ui` options in this table. |
+| **/uel**:*`<NumberOfDays>`* <br/>or <br/>**/uel**:*`<YYYY/MM/DD>`* <br/>or <br/>**/uel**:0 | **(User exclude based on last logon)** <br/><br/>Migrates only the users that logged onto the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The `/uel` option acts as an include rule. For example, the `/uel:30` option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the `ScanState.exe` command is run. You can specify the number of days or you can specify a date. You can't use this option with the `/all` option. USMT retrieves the last sign-in information from the local computer, so the computer doesn't need to be connected to the network when you run this option. In addition, if a domain user has signed into another computer, that sign-in instance isn't considered by USMT. <div class="alert">**Note** <br/>The `/uel` option isn't valid in offline migrations.</div> <br/>Examples:<ul><li>`/uel:0` migrates accounts that were logged on to the source computer when the `ScanState.exe` command was run.</li><li>`/uel:90` migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.</li><li>`/uel:1` migrates users whose accounts have been modified within the last 24 hours.</li><li>`/uel:2020/2/15` migrates users who have logged on or whose accounts have been modified since February 15, 2020.</li></ul> <br/>For example: <br/>`LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /uel:0` |
+| **/ue**:*DomainName\UserName* <br/>or <br/>**/ue** *"DomainName\User Name"* <br/>or <br/>**/ue**:*ComputerName\LocalUserName* | **(User exclude)** <br/><br/>Excludes the specified users from the migration. You can specify multiple `/ue` options but you can't use the `/ue` option with the `/all` option. *DomainName* and *UserName* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you'll need to surround it with quotation marks (`"`). <br/><br/>For example: <br/>`LoadState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /ue:contoso\user1` <br/>For more examples, see the descriptions of the `/uel`, `/ue`, and `/ui` options in this table. |
+| **/md**:*OldDomain*:*NewDomain* <br/>or <br/>**/md**:*LocalComputerName:NewDomain* | **(Move domain)** <br/><br/>Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. *OldDomain* may contain the asterisk () wildcard character. <br/><br/>You can specify this option more than once. You may want to specify multiple `/md` options if you're consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: `/md:corporate:fabrikam` and `/md:farnorth:fabrikam`. <br/><br/>If there are conflicts between two `/md` commands, the first rule that you specify is applied. For example, if you specify the `/md:corporate:fabrikam` and `/md:corporate:farnorth` commands, then Corporate users would be mapped to the Fabrikam domain. <div class="alert"> **Note** <br/>If you specify an *OldDomain* that didn't exist on the source computer, the `LoadState.exe` command will appear to complete successfully, without an error or warning. However, in this case, users won't be moved to *NewDomain* but will remain in their original domain. For example, if you misspell **contoso** and you instead specify **/md:contso:fabrikam**, the users will remain in **contoso** on the destination computer.</div> <br/> For example: <br/>`LoadState.exe  /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore` <br/>` /progress:Progress.log /l:LoadState.log /md:contoso:fabrikam` |
+| **/mu**:*OldDomain OldUserName*:[*NewDomain*]*NewUserName* <br/>or <br/>**/mu**:*OldLocalUserName*:*NewDomain NewUserName* | **(Move user)** <br/><br/>Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple `/mu` options. You can't use wildcard characters with this option. <br/><br/>For example: <br/>`LoadState.exe  /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore` <br/>`/progress:Progress.log /l:LoadState.log /mu:contoso\user1:fabrikam\user1` |
+| **/lac**:[*Password*] | **(Local account create)** <br/><br/>Specifies that if a user account is a local (non-domain) account, and it doesn't exist on the destination computer, USMT will create the account on the destination computer but it will be disabled. To enable the account, you must also use the `/lae` option. <br/><br/>If the `/lac` option isn't specified, any local user accounts that don't already exist on the destination computer won't be migrated. <br/><br/>*Password* is the password for the newly created account. An empty password is used by default. <div class="alert"> **Caution** <br/>Use the *Password* variable with caution because it's provided in plain text and can be obtained by anyone with access to the computer that is running the `LoadState.exe` command. <br/>Also, if the computer has multiple users, all migrated users will have the same password.</div> <br/>For example: <br/>`LoadState.exe  /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore` <br/><br/>For instructions, see [Migrate user accounts](usmt-migrate-user-accounts.md). |
+| `/lae` | **(Local account enable)** <br/><br/>Enables the account that was created with the `/lac` option. You must specify the `/lac` option with this option. <br/><br/>For example: <br/>`LoadState.exe  /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore` <br/>`/progress:Progress.log /l:LoadState.log /lac:password /lae` <br/><br/>For instructions, see [Migrate user accounts](usmt-migrate-user-accounts.md). |
 
 ### Examples for the /ui and /ue options
 
@@ -108,24 +111,24 @@ The following examples apply to both the **/ui** and **/ue** options. You can re
 | Exclude all local users. | `/ue:%computername%` |
 | Exclude users in all domains named User1, User2, and so on. | `/ue:\user` |
 
-### Using the Options Together
+### Using the options together
 
-You can use the **/uel**, **/ue** and **/ui** options together to migrate only the users that you want migrated.
+You can use the `/uel`, `/ue` and `/ui` options together to migrate only the users that you want migrated.
 
-**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option.
+**The /ui option has precedence over the /ue and /uel options.** If a user is included using the `/ui` option and also excluded using either the `/ue` or `/uel` options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the `/ui` option takes precedence over the `/ue` option.
 
-**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user's profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
+**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the `/uel` option, that user's profile will be migrated even if they're excluded by using the `/ue` option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they've logged on to the computer within the last 14 days.
 
 | Behavior | Command |
 |--- |--- |
 | Include only User2 from the Fabrikam domain and exclude all other users. | `/ue:* /ui:fabrikam\user2` |
 | Include only the local user named User1 and exclude all other users. | `/ue:* /ui:user1` |
-| Include only the domain users from Contoso, except Contoso\User1. | This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:<ul><li>Using the **ScanState** command-line tool, type: `/ue:* /ui:contoso`</li><li>Using the **LoadState** command-line tool, type: `/ue:contoso\user1`</li></ul> |
+| Include only the domain users from Contoso, except Contoso\User1. | This behavior can't be completed using a single command. Instead, to migrate this set of users, you'll need to specify the following options:<ul><li>Using the **ScanState** command-line tool, enter: <br>`/ue:* /ui:contoso`</li><li>Using the **LoadState** command-line tool, enter: <br>`/ue:contoso\user1`</li></ul> |
 | Include only local (non-domain) users. | `/ue: /ui:%computername%*` |
 
-## <a href="" id="bkmk-cloi"></a>Incompatible Command-Line Options
+## Incompatible command-line options
 
-The following table indicates which command-line options are not compatible with the **LoadState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option.
+The following table indicates which command-line options aren't compatible with the `LoadState.exe` command. If the table entry for a particular combination is blank, the options are compatible, and you can use them together. The X symbol means that the options aren't compatible. For example, you can't use the `/nocompress` option with the `/encrypt` option.
 
 | Command-Line Option | /keyfile | /nocompress | /genconfig | /all |
 |--- |--- |--- |--- |--- |
@@ -154,8 +157,8 @@ The following table indicates which command-line options are not compatible with
 | **/lac** |  |  |  |  |
 
 > [!NOTE]
-> You must specify either the **/key** or **/keyfile** option with the **/encrypt** option.
+> You must specify either the `/key` or `/keyfile` option with the `/encrypt` option.
 
-## Related topics
+## Related articles
 
-[XML Elements Library](usmt-xml-elements-library.md)
+[XML elements library](usmt-xml-elements-library.md)
diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md
index 37530b9f6c..06ccc91749 100644
--- a/windows/deployment/usmt/usmt-log-files.md
+++ b/windows/deployment/usmt/usmt-log-files.md
@@ -1,107 +1,108 @@
 ---
 title: Log Files (Windows 10)
-description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations.
+description: Learn how to use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Log Files
+# USMT log files
 
-You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This topic describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue.
+You can use User State Migration Tool (USMT) 10.0 logs to monitor your migration and to troubleshoot errors and failed migrations. This article describes the available command-line options to enable USMT logs, and new XML elements that configure which types of errors are fatal and should halt the migration, which types are non-fatal and should be skipped so that the migration can continue.
 
-[Log Command-Line Options](#bkmk-commandlineoptions)
+[Log command-line options](#log-command-line-options)
 
-[ScanState and LoadState Logs](#bkmk-scanloadstatelogs)
+[ScanState and LoadState logs](#scanstate-and-loadstate-logs)
 
-[Progress Log](#bkmk-progresslog)
+[Progress log](#progress-log)
 
-[List Files Log](#bkmk-listfileslog)
+[List files log](#list-files-log)
 
-[Diagnostic Log](#bkmk-diagnosticlog)
+[Diagnostic log](#diagnostic-log)
 
-## <a href="" id="bkmk-commandlineoptions"></a>Log Command-Line Options
+## Log command-line options
 
 The following table describes each command-line option related to logs, and it provides the log name and a description of what type of information each log contains.
 
 |Command line Option|File Name|Description|
 |--- |--- |--- |
-|**/l** *[Path]FileName*|Scanstate.log or LoadState.log|Specifies the path and file name of the ScanState.log or LoadState log.|
-|**/progress** *[Path]FileName*|Specifies the path and file name of the Progress log.|Provides information about the status of the migration, by percentage complete.|
-|**/v** *[VerbosityLevel]*|Not applicable|See the "Monitoring Options" section in [ScanState Syntax](usmt-scanstate-syntax.md).|
-|**/listfiles** *[Path]FileName*|Specifies the path and file name of the Listfiles log.|Provides a list of the files that were migrated.|
-|Set the environment variable MIG_ENABLE_DIAG to a path to an XML file.|USMTDiag.xml|The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents.|
+|**/l**"*[Path]FileName*|`ScanState.exe.log` or `LoadState.log`|Specifies the path and file name of the **ScanState** log or **LoadState** log.|
+|**/progress**:*[Path]FileName*|Specifies the path and file name of the Progress log.|Provides information about the status of the migration, by percentage complete.|
+|**/v**:*[VerbosityLevel]*|Not applicable|See [Monitoring options](usmt-scanstate-syntax.md#monitoring-options) in [ScanState syntax](usmt-scanstate-syntax.md).|
+|**/listfiles**:*[Path]FileName*|Specifies the path and file name of the Listfiles log.|Provides a list of the files that were migrated.|
+|Set the environment variable **MIG_ENABLE_DIAG** to a path to an XML file.|`USMTDiag.xml`|The diagnostic log contains detailed system environment information, user environment information, and information about the migration units (migunits) being gathered and their contents.|
 
 > [!NOTE]
 > You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run.
 
-## <a href="" id="bkmk-scanloadstatelogs"></a>ScanState and LoadState Logs
+## ScanState and LoadState logs
 
-ScanState and LoadState logs are text files that are create when you run the ScanState and LoadState tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see Monitoring Options in [ScanState Syntax](usmt-scanstate-syntax.md).
+ **ScanState** and **LoadState** logs are text files that are create when you run the **ScanState** and **LoadState** tools. You can use these logs to help monitor your migration. The content of the log depends on the command-line options that you use and the verbosity level that you specify. For more information about verbosity levels, see [Monitoring options](usmt-scanstate-syntax.md#monitoring-options) in [ScanState syntax](usmt-scanstate-syntax.md).
 
-## <a href="" id="bkmk-progresslog"></a>Progress Log
+## Progress log
 
-You can create a progress log using the **/progress** option. External tools, such as Microsoft System Center Operations Manager 2007, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows:
+You can create a progress log using the `/progress` option. External tools, such as Microsoft System Center Operations Manager, can parse the progress log to update your monitoring systems. The first three fields in each line are fixed as follows:
 
--   **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006.
+- **Date:** Date, in the format of *day* *shortNameOfTheMonth* *year*. For example: 08 Jun 2006.
 
--   **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13.
+- **Local time:** Time, in the format of *hrs*:*minutes*:*seconds* (using a 24-hour clock). For example: 13:49:13.
 
--   **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10.
+- **Migration time:** Duration of time that USMT was run, in the format of *hrs:minutes:seconds*. For example: 00:00:10.
 
 The remaining fields are key/value pairs as indicated in the following table.
 
 | Key | Value |
 |-----|-------|
-| program | ScanState.exe or LoadState.exe. |
-| productVersion | The full product version number of USMT. |
-| computerName | The name of the source or destination computer on which USMT was run. |
-| commandLine | The full command used to run USMT. |
-| PHASE | Reports that a new phase in the migration is starting. This can be one of the following:<ul><li>Initializing</li><li>Scanning</li><li>Collecting</li><li>Saving</li><li>Estimating</li><li>Applying</li></ul> |
-| detectedUser | <ul><li>For the ScanState tool, these are the users USMT detected on the source computer that can be migrated.</li><li>For the LoadState tool, these are the users USMT detected in the store that can be migrated.</li></ul> |
-| includedInMigration | Defines whether the user profile/component is included for migration. Valid values are Yes or No. |
-| forUser | Specifies either of the following:<ul><li>The user state being migrated.</li><li>*This Computer*, meaning files and settings that are not associated with a user.</li></ul> |
-| detectedComponent | Specifies a component detected by USMT.<ul><li>For ScanState, this is a component or application that is installed on the source computer.</li><li>For LoadState, this is a component or application that was detected in the store.</li></ul> |
-| totalSizeInMBToTransfer | Total size of the files and settings to migrate in megabytes (MB). |
-| totalPercentageCompleted | Total percentage of the migration that has been completed by either ScanState or LoadState. |
-| collectingUser | Specifies which user ScanState is collecting files and settings for. |
-| totalMinutesRemaining | Time estimate, in minutes, for the migration to complete. |
-| error | Type of non-fatal error that occurred. This can be one of the following:<ul><li>**UnableToCopy**: Unable to copy to store because the disk on which the store is located is full.</li><li>**UnableToOpen**: Unable to open the file for migration because the file is opened in non-shared mode by another application or service.</li><li>**UnableToCopyCatalog**: Unable to copy because the store is corrupted.</li><li>**UnableToAccessDevice**: Unable to access the device.</li><li>**UnableToApply**: Unable to apply the setting to the destination computer.</li></ul> |
-| objectName | The name of the file or setting that caused the non-fatal error. |
-| action | Action taken by USMT for the non-fatal error. The values are:<ul><li>**Ignore**: Non-fatal error ignored and the migration continued because the **/c** option was specified on the command line.</li><li>**Abort**: Stopped the migration because the **/c** option was not specified.</li></ul> |
-| errorCode | The errorCode or return value. |
-| numberOfIgnoredErrors | The total number of non-fatal errors that USMT ignored. |
-| message | The message corresponding to the errorCode. |
+| *program* | `ScanState.exe` or `LoadState.exe`. |
+| *productVersion* | The full product version number of USMT. |
+| *computerName* | The name of the source or destination computer on which USMT was run. |
+| *commandLine* | The full command used to run USMT. |
+| *PHASE* | Reports that a new phase in the migration is starting. This key can be one of the following values:<ul><li>Initializing</li><li>Scanning</li><li>Collecting</li><li>Saving</li><li>Estimating</li><li>Applying</li></ul> |
+| *detectedUser* | <ul><li>For the **ScanState** tool, this key are the users USMT detected on the source computer that can be migrated.</li><li>For the **LoadState** tool, this key are the users USMT detected in the store that can be migrated.</li></ul> |
+| *includedInMigration* | Defines whether the user profile/component is included for migration. Valid values are **Yes** or **No**. |
+| *forUser* | Specifies either of the following values:<ul><li>The user state being migrated.</li><li>*This Computer*, meaning files and settings that aren't associated with a user.</li></ul> |
+| *detectedComponent* | Specifies a component detected by USMT.<ul><li>For *ScanState*, this key is a component or application that is installed on the source computer.</li><li>For **LoadState**, this key is a component or application that was detected in the store.</li></ul> |
+| *totalSizeInMBToTransfer* | Total size of the files and settings to migrate in megabytes (MB). |
+| *totalPercentageCompleted* | Total percentage of the migration that has been completed by either **ScanState** or **LoadState**. |
+| *collectingUser* | Specifies which user **ScanState** is collecting files and settings for. |
+| *totalMinutesRemaining* | Time estimate, in minutes, for the migration to complete. |
+| *error* | Type of non-fatal error that occurred. This key can be one of the following values:<ul><li>**UnableToCopy**: Unable to copy to store because the disk on which the store is located is full.</li><li>**UnableToOpen**: Unable to open the file for migration because the file is opened in non-shared mode by another application or service.</li><li>**UnableToCopyCatalog**: Unable to copy because the store is corrupted.</li><li>**UnableToAccessDevice**: Unable to access the device.</li><li>**UnableToApply**: Unable to apply the setting to the destination computer.</li></ul> |
+| *objectName* | The name of the file or setting that caused the non-fatal error. |
+| *action* | Action taken by USMT for the non-fatal error. The values are:<ul><li>**Ignore**: Non-fatal error ignored and the migration continued because the **/c** option was specified on the command line.</li><li>**Abort**: Stopped the migration because the **/c** option wasn't specified.</li></ul> |
+| *errorCode* | The errorCode or return value. |
+| *numberOfIgnoredErrors* | The total number of non-fatal errors that USMT ignored. |
+| *message** | The message corresponding to the errorCode. |
 
-## <a href="" id="bkmk-listfileslog"></a>List Files Log
+## List files log
 
-The List files log (Listfiles.txt) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for ScanState.exe.
+The List files log (`Listfiles.txt`) provides a list of the files that were migrated. This list can be used to troubleshoot XML issues or can be retained as a record of the files that were gathered into the migration store. The List Files log is only available for `ScanState.exe`.
 
-## <a href="" id="bkmk-diagnosticlog"></a>Diagnostic Log
+## Diagnostic log
 
-You can obtain the diagnostic log by setting the environment variable MIG\_ENABLE\_DIAG to a path to an XML file.
+You can obtain the diagnostic log by setting the environment variable **MIG_ENABLE_DIAG** to a path to an XML file.
 
 The diagnostic log contains:
 
--   Detailed system environment information
+- Detailed system environment information
 
--   Detailed user environment information
+- Detailed user environment information
 
--   Information about the migration units (migunits) being gathered and their contents
+- Information about the migration units (migunits) being gathered and their contents
 
 ## Using the Diagnostic Log
 
-The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it is associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files.
+The diagnostic log is essentially a report of all the migration units (migunits) included in the migration. A migunit is a collection of data that is identified by the component it's associated with in the XML files. The migration store is made up of all the migunits in the migration. The diagnostic log can be used to verify which migunits were included in the migration and can be used for troubleshooting while authoring migration XML files.
 
 The following examples describe common scenarios in which you can use the diagnostic log.
 
 **Why is this file not migrating when I authored an "include" rule for it?**
 
-Let's imagine that we have the following directory structure and that we want the "data" directory to be included in the migration along with the "New Text Document.txt" file in the "New Folder." The directory of **C:\\data** contains:
+Let's imagine that we have the following directory structure and that we want the **data** directory to be included in the migration along with the **New Text Document.txt** file in the **New Folder**. The directory of `C:\data` contains:
 
 ```console
 01/21/2009  10:08 PM    <DIR>          .
@@ -112,7 +113,7 @@ Let's imagine that we have the following directory structure and that we want th
                2 File(s)             26 bytes
 ```
 
-The directory of **C:\\data\\New Folder** contains:
+The directory of `C:\data\New Folder` contains:
 
 ```console
 01/21/2009  10:08 PM    <DIR>          .
@@ -143,59 +144,59 @@ To migrate these files you author the following migration XML:
 </migration>
 ```
 
-However, upon testing the migration you notice that the "New Text Document.txt" file isn't included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component "DATA1", the following XML section is discovered:
+However, upon testing the migration you notice that the **New Text Document.txt** file isn't included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable **MIG_ENABLE_DIAG** set such that the diagnostic log is generated. Upon searching the diagnostic log for the component **DATA1**, the following XML section is discovered:
 
 ```xml
 <MigUnitList>
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
-<Patterns Type="Include">
-<Pattern Type="File" Path="C:\data [*]"/>
-</Patterns>
-</MigUnit>
+	<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
+		<Patterns Type="Include">
+			<Pattern Type="File" Path="C:\data [*]"/>
+		</Patterns>
+	</MigUnit>
 </MigUnitList>
 <Perform Name="Gather" User="System">
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
-<Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test (1).txt]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test.txt]" SimObj="false" Success="true"/>
-</MigUnit>
+	<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
+		<Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
+		<Operation Name="Store" Type="File" Path="C:\data [test (1).txt]" SimObj="false" Success="true"/>
+		<Operation Name="Store" Type="File" Path="C:\data [test.txt]" SimObj="false" Success="true"/>
+	</MigUnit>
 </Perform>
 ```
 
-Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The &lt;Perform&gt; section details the actual files that were scheduled for gathering and the result of the gathering operation. The "New Text Document.txt" file doesn't appear in this section, which confirms that the migration rule was not correctly authored.
+Analysis of this XML section reveals the migunit that was created when the migration rule was processed. The **&lt;Perform&gt;** section details the actual files that were scheduled for gathering and the result of the gathering operation. The **New Text Document.txt** file doesn't appear in this section, which confirms that the migration rule wasn't correctly authored.
 
-An analysis of the XML elements reference topic reveals that the &lt;pattern&gt; tag needs to be modified as follows:
+An analysis of the [XML elements library](usmt-xml-elements-library.md) reference article reveals that the [**&lt;pattern&gt;**](usmt-xml-elements-library.md#pattern) tag needs to be modified as follows:
 
 ```xml
 <pattern type="File">c:\data\* [*]</pattern>
 ```
 
-When the migration is preformed again with the modified tag, the diagnostic log reveals the following:
+When the migration is performed again with the modified tag, the diagnostic log reveals the following information:
 
 ```xml
 <MigUnitList>
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
-<Patterns Type="Include">
-<Pattern Type="File" Path="C:\data\* [*]"/>
-</Patterns>
-</MigUnit>
+  <MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
+    <Patterns Type="Include">
+      <Pattern Type="File" Path="C:\data\* [*]"/>
+    </Patterns>
+  </MigUnit>
 </MigUnitList>
 <Perform Name="Gather" User="System">
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
-<Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test (1).txt]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test.txt]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data\New Folder" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data\New Folder [New Text Document.txt]" SimObj="false" Success="true"/>
-</MigUnit>
+  <MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
+    <Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data [test (1).txt]" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data [test.txt]" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data\New Folder" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data\New Folder [New Text Document.txt]" SimObj="false" Success="true"/>
+  </MigUnit>
 </Perform>
 ```
 
-This diagnostic log confirms that the modified &lt;pattern&gt; value enables the migration of the file.
+This diagnostic log confirms that the modified **&lt;pattern&gt;** value enables the migration of the file.
 
 **Why is this file migrating when I authored an exclude rule excluding it?**
 
-In this scenario, you have the following directory structure and you want all files in the "data" directory to migrate, except for text files. The **C:\\Data** folder contains:
+In this scenario, you have the following directory structure and you want all files in the **Data** directory to migrate, except for text files. The `C:\Data` folder contains:
 
 ```console
 Directory of C:\Data
@@ -208,7 +209,7 @@ Directory of C:\Data
                2 File(s)             26 bytes
 ```
 
-The **C:\\Data\\New Folder\\** contains:
+The `C:\Data\New Folder\` contains:
 
 ```console
 01/21/2009  10:08 PM    <DIR>          .
@@ -245,33 +246,33 @@ You author the following migration XML:
 </component>
 ```
 
-However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component "DATA1", the following XML section is discovered:
+However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable **MIG_ENABLE_DIAG** set so that the diagnostic log is generated. Upon searching the diagnostic log for the component **DATA1**, the following XML section is discovered:
 
 ```xml
 <MigUnitList>
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
-<Patterns Type="Include">
-<Pattern Type="File" Path="C:\data\* [*]"/>
-</Patterns>
-<Patterns Type="Exclude">
-<Pattern Type="File" Path="C:\* [*.txt]"/>
-</Patterns>
-</MigUnit>
+  <MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
+    <Patterns Type="Include">
+      <Pattern Type="File" Path="C:\data\* [*]"/>
+    </Patterns>
+    <Patterns Type="Exclude">
+      <Pattern Type="File" Path="C:\* [*.txt]"/>
+    </Patterns>
+  </MigUnit>
 </MigUnitList>
 <Perform Name="Gather" User="System">
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
-<Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test (1).txt]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test.docx]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test.txt]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data\New Folder" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data\New Folder [New Text Document.txt]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data\New Folder [test.docx]" SimObj="false" Success="true"/>
-</MigUnit>
+  <MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
+    <Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data [test (1).txt]" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data [test.docx]" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data [test.txt]" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data\New Folder" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data\New Folder [New Text Document.txt]" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data\New Folder [test.docx]" SimObj="false" Success="true"/>
+  </MigUnit>
 </Perform>
 ```
 
-Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it is a problem with the authored migration XML rule. You author an update to the migration XML script as follows:
+Upon reviewing the diagnostic log, you confirm that the files are still migrating, and that it's a problem with the authored migration XML rule. You author an update to the migration XML script as follows:
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
@@ -306,31 +307,30 @@ Your revised migration XML script excludes the files from migrating, as confirme
 
 ```xml
 <MigUnitList>
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
-<Patterns Type="Include">
-<Pattern Type="File" Path="C:\data\* [*]"/>
-</Patterns>
-<Patterns Type="Exclude">
-<Pattern Type="File" Path="C:\data\* [*.txt]"/>
-</Patterns>
-</MigUnit>
+  <MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)" Context="System" ConfidenceLevel="100" Group="Applications" Role="UserData" Agent="CMXEAgent" Selected="true" Supported="true">
+    <Patterns Type="Include">
+      <Pattern Type="File" Path="C:\data\* [*]"/>
+    </Patterns>
+    <Patterns Type="Exclude">
+      <Pattern Type="File" Path="C:\data\* [*.txt]"/>
+    </Patterns>
+  </MigUnit>
 </MigUnitList>
 <Perform Name="Gather" User="System">
-<MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
-<Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data [test.docx]" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data\New Folder" SimObj="false" Success="true"/>
-<Operation Name="Store" Type="File" Path="C:\data\New Folder [test.docx]" SimObj="false" Success="true"/>
-</MigUnit>
+  <MigUnit Name="&lt;System&gt;\DATA1 (CMXEAgent)">
+    <Operation Name="Store" Type="File" Path="C:\data" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data [test.docx]" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data\New Folder" SimObj="false" Success="true"/>
+    <Operation Name="Store" Type="File" Path="C:\data\New Folder [test.docx]" SimObj="false" Success="true"/>
+  </MigUnit>
 </Perform>
 ```
 
-## Related topics
+## Related articles
 
+[XML elements library](usmt-xml-elements-library.md)
 
-[XML Elements Library](usmt-xml-elements-library.md)
+[ScanState syntax](usmt-scanstate-syntax.md)
 
-[ScanState Syntax](usmt-scanstate-syntax.md)
-
-[LoadState Syntax](usmt-loadstate-syntax.md)
+[LoadState syntax](usmt-loadstate-syntax.md)
 
diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
index 557a608926..7b8526be55 100644
--- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
+++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md
@@ -2,51 +2,46 @@
 title: Migrate EFS Files and Certificates (Windows 10)
 description: Learn how to migrate Encrypting File System (EFS) certificates. Also, learn where to find information about how to identify file types, files, and folders.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Migrate EFS Files and Certificates
+# Migrate EFS files and certificates
 
+This article describes how to migrate Encrypting File System (EFS) certificates. For more information about the `/efs` option, see [Encrypted file options](usmt-scanstate-syntax.md#encrypted-file-options) in [ScanState syntax](usmt-scanstate-syntax.md).
 
-This topic describes how to migrate Encrypting File System (EFS) certificates. For more information about the **/efs** For options, see [ScanState Syntax](usmt-scanstate-syntax.md).
+## To migrate EFS files and certificates
 
-## To Migrate EFS Files and Certificates
+Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found unless you specify an `/efs` option. Therefore when a device has EFS encrypted files, you must specify the `/efs` option with any one of the following parameters:
 
+- `abort`
+- `skip`
+- `decryptcopy`
+- `copyraw`
+- `hardlink`
 
-Encrypting File System (EFS) certificates will be migrated automatically. However, by default, the User State Migration Tool (USMT) 10.0 fails if an encrypted file is found (unless you specify an **/efs** option). Therefore, you must specify **/efs:abort | skip | decryptcopy | copyraw | hardlink** with the ScanState command to migrate the encrypted files. Then, when you run the LoadState command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
+when running the `ScanState.exe` command to migrate the encrypted files. Then, when you run the `LoadState.exe` command on the destination computer, the encrypted file and the EFS certificate will be automatically migrated.
 
-**Note**  
-The **/efs** options are not used with the LoadState command.
+> [!NOTE]
+> The `/efs` options are not used with the `LoadState.exe` command.
 
- 
+Before using the **ScanState** tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the **LoadState** tool.
 
-Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool.
+You can run the [Cipher.exe](/windows-server/administration/windows-commands/cipher) tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt enter:
 
-You can run the Cipher tool at a Windows command prompt to review and change encryption settings on files and folders. For example, to remove encryption from a folder, at a command prompt type:
-
-``` syntax
-Cipher /D /S:<PATH>
+```cmd
+cipher.exe /D /S:<PATH>
 ```
 
-Where *&lt;Path&gt;* is the full path of the topmost parent directory where the encryption attribute is set.
-
-## Related topics
-
-
-[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)
-
-[Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)
-
- 
-
- 
-
-
+where *&lt;Path&gt;* is the full path of the topmost parent directory where the encryption attribute is set.
 
+## Related articles
 
+[What does USMT migrate?](usmt-what-does-usmt-migrate.md)
 
+[Identify file types, files, and folders](usmt-identify-file-types-files-and-folders.md)
diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md
index c5adc7c133..518b93c468 100644
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md
+++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md
@@ -2,92 +2,94 @@
 title: Migrate User Accounts (Windows 10)
 description: Learn how to migrate user accounts and how to specify which users to include and exclude by using the User options on the command line.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Migrate User Accounts
 
+By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You can't specify users in the migration XML files or by using the `Config.xml` file.
 
-By default, all users are migrated. The only way to specify which users to include and exclude is on the command line by using the User options. You cannot specify users in the migration XML files or by using the Config.xml file.
+## To migrate all user accounts and user settings
 
-## In this Topic
+Links to detailed explanations of commands are available in the [Related articles](#related-articles) section.
 
+1. Sign into the source computer as an administrator.
 
--   [To migrate all user accounts and user settings](#bkmk-migrateall)
+2. Enter the following `ScanState.exe` command line in a command prompt window:
 
--   [To migrate two domain accounts (User1 and User2)](#bkmk-migratetwo)
+    ```cmd
+    ScanState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /o
+    ````
 
--   [To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain](#bkmk-migratemoveuserone)
+3. Sign into the destination computer as an administrator.
 
-## <a href="" id="bkmk-migrateall"></a>To migrate all user accounts and user settings
-Links to detailed explanations of commands are available in the Related Topics section.
+4. Enter one of the following `LoadState.exe ` command lines in a command prompt window:
 
-1.  Log on to the source computer as an administrator, and specify the following in a **Command-Prompt** window:
+   - If you're migrating domain accounts, enter:
 
-    `scanstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /o`
+        ```cmd
+        LoadState.exe  \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
+        ```
 
-2.  Log on to the destination computer as an administrator.
+   - If you're migrating local accounts along with domain accounts, enter:
 
-3.  Do one of the following:
+        ```cmd
+        LoadState.exe  \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml /lac /lae
+        ```
 
-    -   If you are migrating domain accounts, specify:
+        > [!NOTE]
+        > You do not have to specify the `/lae` option, which enables the account that was created with the `/lac` option. Instead, you can create a disabled local account by specifying only the `/lac` option, and then a local administrator needs to enable the account on the destination computer.
 
-        `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
+## To migrate two domain accounts (User1 and User2)
 
-    -   If you are migrating local accounts along with domain accounts, specify:
+Links to detailed explanations of commands are available in the [Related articles](#related-articles) section.
 
-        `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml /lac /lae`
+1. Sign into the source computer as an administrator.
 
-        **Note**  
-        You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer.
+2. Enter the following `ScanState.exe` command line in a command prompt window:
 
-         
+    ```cmd
+    ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml /o
+    ```
 
-## <a href="" id="bkmk-migratetwo"></a>To migrate two domain accounts (User1 and User2)
-Links to detailed explanations of commands are available in the Related Topics section.
+3. Sign into the destination computer as an administrator.
 
-1.  Log on to the source computer as an administrator, and specify:
+4. Enter the following `LoadState.exe ` command line in a command prompt window:
 
-    `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:fabrikam\user2 /i:migdocs.xml /i:migapp.xml /o`
+    ```cmd
+    LoadState.exe  \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml
+    ```
 
-2.  Log on to the destination computer as an administrator.
+## To migrate two domain accounts (User1 and User2) and move both accounts from the Contoso domain to the Fabrikam domain
 
-3.  Specify the following:
+Links to detailed explanations of commands are available in the [Related articles](#related-articles) section.
 
-    `loadstate \\server\share\migration\mystore /i:migdocs.xml /i:migapp.xml`
+1. Sign into the source computer as an administrator.
 
-## <a href="" id="bkmk-migratemoveuserone"></a>To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain
-Links to detailed explanations of commands are available in the Related Topics section.
+2. Enter the following `ScanState.exe` command line in a command prompt window:
 
-1.  Log on to the source computer as an administrator, and type the following at the command-line prompt:
+    ```cmd
+    ScanState.exe \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:MigDocs.xml /i:MigApp.xml /o
+    ```
 
-    `scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\user1 /ui:contoso\user2 /i:migdocs.xml /i:migapp.xml /o`
+3. Sign into the destination computer as an administrator.
 
-2.  Log on to the destination computer as an administrator.
-
-3.  Specify the following:
-
-    `loadstate \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:migdocs.xml /i:migapp.xml`
-
-## Related topics
-
-
-[Identify Users](usmt-identify-users.md)
-
-[ScanState Syntax](usmt-scanstate-syntax.md)
-
-[LoadState Syntax](usmt-loadstate-syntax.md)
-
- 
-
- 
+4. Enter the following `LoadState.exe ` command line in a command prompt window:
 
+    ```cmd
+    LoadState.exe  \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user1 /mu:contoso\user2:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml
+    ```
 
+## Related articles
 
+[Identify users](usmt-identify-users.md)
 
+[ScanState syntax](usmt-scanstate-syntax.md)
 
+[LoadState syntax](usmt-loadstate-syntax.md)
diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md
index baff6e26b1..07c5b088c8 100644
--- a/windows/deployment/usmt/usmt-migration-store-encryption.md
+++ b/windows/deployment/usmt/usmt-migration-store-encryption.md
@@ -1,35 +1,36 @@
 ---
 title: Migration Store Encryption (Windows 10)
-description:  Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES).
+description: Learn how the User State Migration Tool (USMT) enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Migration Store Encryption
+# Migration store encryption
 
-This topic discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration.
+This article discusses User State Migration Tool (USMT) 10.0 options for migration store encryption to protect the integrity of user data during a migration.
 
-## USMT Encryption Options
+## USMT encryption options
 
 USMT enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data.
 
-The encryption algorithm you choose must be specified for both the **ScanState** and the **LoadState** commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the **ScanState** and the **LoadState** command lines by using the **/encrypt**:*"encryptionstrength"* and the **/decrypt**:*"encryptionstrength"* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration.
+The encryption algorithm you choose must be specified for both the `ScanState.exe` and the `LoadState.exe` commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the `ScanState.exe` and the `LoadState.exe` command lines by using the `/encrypt`:*encryptionstrength* and the `/decrypt`:*encryptionstrength* command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in Windows 7, Windows 8, and Windows 10 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the `UsmtUtils.exe` file to determine which encryption algorithms are available to the computers' locales before you begin the migration.
 
 The following table describes the command-line encryption options in USMT.
 
 |Component|Option|Description|
 |--- |--- |--- |
-|**ScanState**|**/encrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the **ScanState** tool employs the 3DES algorithm.|
-|**LoadState**|**/decrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the **LoadState** tool employs the 3DES algorithm.|
+|*ScanState*|**/encrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument isn't provided, the **ScanState** tool employs the **3DES** algorithm.|
+|*LoadState*|**/decrypt**<*AES, AES_128, AES_192, AES_256, 3DES, 3DES_112*>|This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument isn't provided, the **LoadState** tool employs the **3DES** algorithm.|
 
-**Important**  
-Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md)
+> [!IMPORTANT]
+> Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the `UsmtUtils.exe` command with the `/ec` option. For more information, see [UsmtUtils syntax](usmt-utilities.md).
 
-## Related topics
+## Related articles
 
-[Plan Your Migration](usmt-plan-your-migration.md)
+[Plan your migration](usmt-plan-your-migration.md)
diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md
index 3b9eb9b707..7609e4e147 100644
--- a/windows/deployment/usmt/usmt-overview.md
+++ b/windows/deployment/usmt/usmt-overview.md
@@ -1,45 +1,46 @@
 ---
 title: User State Migration Tool (USMT) Overview (Windows 10)
 description: Learn about using User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems.
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 10/16/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-deploy
 ---
 
-# User State Migration Tool (USMT) Overview
+# User State Migration Tool (USMT) overview
 
-You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common Migration Scenarios](usmt-common-migration-scenarios.md).
+You can use User State Migration Tool (USMT) 10.0 to streamline and simplify user state migration during large deployments of Windows operating systems. USMT captures user accounts, user files, operating system settings, and application settings, and then migrates them to a new Windows installation. You can use USMT for both PC replacement and PC refresh migrations. For more information, see [Common migration scenarios](usmt-common-migration-scenarios.md).
 
-USMT enables you to do the following:
+USMT enables you to do the following actions:
 
--   Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they are migrated. For more information about how to modify these files, see [USMT XML Reference](usmt-xml-reference.md).
--   Fit your customized migration into your automated deployment process by using the ScanState and LoadState tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md).
--   Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md) and [Offline Migration Reference](offline-migration-reference.md).
+- Configure your migration according to your business needs by using the migration rule (.xml) files to control exactly which files and settings are migrated and how they're migrated. For more information about how to modify these files, see [USMT XML reference](usmt-xml-reference.md).
+- Fit your customized migration into your automated deployment process by using the **ScanState** and **LoadState** tools, which control collecting and restoring the user files and settings. For more information, see [User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md).
+- Perform offline migrations. You can run migrations offline by using the ScanState command in Windows Preinstallation Environment (WinPE) or you can perform migrations from previous installations of Windows contained in Windows.old directories. For more information about migration types, see [Choose a migration store Type](usmt-choose-migration-store-type.md) and [Offline migration reference](offline-migration-reference.md).
 
 ## Benefits
 
 USMT provides the following benefits to businesses that are deploying Windows operating systems:
 
--   Safely migrates user accounts, operating system and application settings.
--   Lowers the cost of deploying Windows by preserving user state.
--   Reduces end-user downtime required to customize desktops and find missing files.
--   Reduces help-desk calls.
--   Reduces the time needed for the user to become familiar with the new operating system.
--   Increases employee satisfaction with the migration experience.
+- Safely migrates user accounts, operating system and application settings.
+- Lowers the cost of deploying Windows by preserving user state.
+- Reduces end-user downtime required to customize desktops and find missing files.
+- Reduces help-desk calls.
+- Reduces the time needed for the user to become familiar with the new operating system.
+- Increases employee satisfaction with the migration experience.
 
 ## Limitations
 
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover is not a free utility. PCmover Express is a tool created by Microsoft's partner, Laplink.
+USMT is intended for administrators who are performing large-scale automated deployments. If you're only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover isn't a free utility. PCmover Express is a tool created by Microsoft's partner, Laplink.
 
-There are some scenarios in which the use of USMT is not recommended. These include:
+There are some scenarios in which the use of USMT isn't recommended. These scenarios include:
 
--   Migrations that require end-user interaction.
--   Migrations that require customization on a machine-by-machine basis.
+- Migrations that require end-user interaction.
+- Migrations that require customization on a machine-by-machine basis.
 
-## Related topics
+## Related articles
 
-- [User State Migration Tool (USMT) Technical Reference](usmt-technical-reference.md)
+- [User State Migration Tool (USMT) technical reference](usmt-technical-reference.md)
diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md
index 248b3645e1..6559990881 100644
--- a/windows/deployment/usmt/usmt-plan-your-migration.md
+++ b/windows/deployment/usmt/usmt-plan-your-migration.md
@@ -2,32 +2,33 @@
 title: Plan Your Migration (Windows 10)
 description: Learn how to your plan your migration carefully so your migration can proceed smoothly and so that you reduce the risk of migration failure.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Plan Your Migration
+# Plan your migration
 
-Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure.
+Before you use the User State Migration Tool (USMT) 10.0 to perform your migration, we recommend that you plan your migration carefully. Planning can help your migration proceed smoothly and can reduce the risk of migration failure.
 
 In migration planning, both organizations and individuals must first identify what to migrate, including user settings, applications and application settings, and personal data files and folders. Identifying the applications to migrate is especially important so that you can avoid capturing data about applications that may be phased out.
 
-One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you will not install on the destination system is redundant. This can also introduce instability in a newly deployed computer.
+One of the most important requirements for migrating settings and data is restoring only the information that the destination computer requires. Although the data that you capture on the source computer may be more comprehensive than the restoration data for backup purposes, restoring data or settings for applications that you won't install on the destination system is redundant. Restoring data or settings for applications that aren't installed can also introduce instability in a newly deployed computer.
 
-## In This Section
+## In this section
 
 | Link | Description |
 |--- |--- |
-|[Common Migration Scenarios](usmt-common-migration-scenarios.md)|Determine whether you will perform a refresh migration or a replace migration.|
-|[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)|Learn which applications, user data, and operating system components USMT migrates.|
-|[Choose a Migration Store Type](usmt-choose-migration-store-type.md)|Choose an uncompressed, compressed, or hard-link migration store.|
-|[Determine What to Migrate](usmt-determine-what-to-migrate.md)|Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.|
-|[Test Your Migration](usmt-test-your-migration.md)|Test your migration before you deploy Windows to all users.|
+|[Common migration scenarios](usmt-common-migration-scenarios.md)|Determine whether you'll perform a refresh migration or a replace migration.|
+|[What does USMT migrate?](usmt-what-does-usmt-migrate.md)|Learn which applications, user data, and operating system components USMT migrates.|
+|[Choose a migration store type](usmt-choose-migration-store-type.md)|Choose an uncompressed, compressed, or hard-link migration store.|
+|[Determine what to migrate](usmt-determine-what-to-migrate.md)|Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.|
+|[Test your migration](usmt-test-your-migration.md)|Test your migration before you deploy Windows to all users.|
 
-## Related topics
+## Related articles
 
-[USMT XML Reference](usmt-xml-reference.md)
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-recognized-environment-variables.md b/windows/deployment/usmt/usmt-recognized-environment-variables.md
index 621d54116b..37172c925e 100644
--- a/windows/deployment/usmt/usmt-recognized-environment-variables.md
+++ b/windows/deployment/usmt/usmt-recognized-environment-variables.md
@@ -1,139 +1,131 @@
 ---
 title: Recognized Environment Variables (Windows 10)
 description: Learn how to use environment variables to identify folders that may be different on different computers.
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-deploy
 ---
 
-# Recognized Environment Variables
+# Recognized environment variables
 
+When using the XML files `MigDocs.xml`, `MigApp.xml`, and `MigUser.xml`, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the **Documents** folder may be `C:\Users\<Username>\My Documents` on one computer and `C:\Documents and Settings\<username>\My Documents` on another. You can use the asterisk (\*) wildcard character in `MigUser.xml`, `MigApp.xml` and `MigDoc.xml` files. However, you can't use the asterisk (\*) wildcard characters in the `Config.xml` file.
 
-When using the XML files MigDocs.xml, MigApp.xml, and MigUser.xml, you can use environment variables to identify folders that may be different on different computers. Constant special item ID list (CSIDL) values provide a way to identify folders that applications use frequently but may not have the same name or location on any given computer. For example, the documents folder may be C:\\Users\\&lt;Username&gt;\\My Documents on one computer and C:\\Documents and Settings on another. You can use the asterisk (\*) wildcard character in MigUser.xml, MigApp.xml and MigDoc.xml files. However, you cannot use the asterisk (\*) wildcard characters in the Config.xml file.
-
-## In This Topic
-
-
--   [Variables that are processed for the operating system and in the context of each user](#bkmk-1)
-
--   [Variables that are recognized only in the user context](#bkmk-2)
-
-## <a href="" id="bkmk-1"></a>Variables that are processed for the operating system and in the context of each user
-
+## Variables that are processed for the operating system and in the context of each user
 
 You can use these variables within sections in the .xml files with `context=UserAndSystem`, `context=User`, and `context=System`.
 
 |Variable|Explanation|
 |--- |--- |
-|**ALLUSERSAPPDATA**|Same as **CSIDL_COMMON_APPDATA**.|
-|**ALLUSERSPROFILE**|Refers to %**PROFILESFOLDER**%\Public or %**PROFILESFOLDER**%\all users.|
-|**COMMONPROGRAMFILES**|Same as **CSIDL_PROGRAM_FILES_COMMON**.|
-|**COMMONPROGRAMFILES**(X86)|Refers to the C:\Program Files (x86)\Common Files folder on 64-bit systems.|
-|**CSIDL_COMMON_ADMINTOOLS**|Version 10.0. The file-system directory that contains administrative tools for all users of the computer.|
-|**CSIDL_COMMON_ALTSTARTUP**|The file-system directory that corresponds to the non-localized Startup program group for all users.|
-|**CSIDL_COMMON_APPDATA**|The file-system directory that contains application data for all users. A typical path Windows is C:\ProgramData.|
-|**CSIDL_COMMON_DESKTOPDIRECTORY**|The file-system directory that contains files and folders that appear on the desktop for all users. A typical Windows® XP path is C:\Documents and Settings\All Users\Desktop. A typical path is C:\Users\Public\Desktop.|
-|**CSIDL_COMMON_DOCUMENTS**|The file-system directory that contains documents that are common to all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Documents. A typical path is C:\Users\Public\Documents.|
-|**CSIDL_COMMON_FAVORITES**|The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.|
-|**CSIDL_COMMON_MUSIC**|The file-system directory that serves as a repository for music files common to all users. A typical path is C:\Users\Public\Music.|
-|**CSIDL_COMMON_PICTURES**|The file-system directory that serves as a repository for image files common to all users. A typical path is C:\Users\Public\Pictures.|
-|**CSIDL_COMMON_PROGRAMS**|The file-system directory that contains the directories for the common program groups that appear on the **Start** menu for all users. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs.|
-|**CSIDL_COMMON_STARTMENU**|The file-system directory that contains the programs and folders which appear on the **Start** menu for all users. A typical path in Windows is C:\ProgramData\Microsoft\Windows\Start Menu.|
-|**CSIDL_COMMON_STARTUP**|The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path in Windows XP is C:\Documents and Settings\All Users\Start Menu\Programs\Startup. A typical path is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.|
-|**CSIDL_COMMON_TEMPLATES**|The file-system directory that contains the templates that are available to all users. A typical path is C:\ProgramData\Microsoft\Windows\Templates.|
-|**CSIDL_COMMON_VIDEO**|The file-system directory that serves as a repository for video files common to all users. A typical path is C:\Users\Public\Videos.|
-|**CSIDL_DEFAULT_APPDATA**|Refers to the Appdata folder inside %**DEFAULTUSERPROFILE**%.|
-|C**SIDL_DEFAULT_LOCAL_APPDATA**|Refers to the local Appdata folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_COOKIES**|Refers to the Cookies folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_CONTACTS**|Refers to the Contacts folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_DESKTOP**|Refers to the Desktop folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_DOWNLOADS**|Refers to the Downloads folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_FAVORITES**|Refers to the Favorites folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_HISTORY**|Refers to the History folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_INTERNET_CACHE**|Refers to the Internet Cache folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_PERSONAL**|Refers to the Personal folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_MYDOCUMENTS**|Refers to the My Documents folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_MYPICTURES**|Refers to the My Pictures folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_MYMUSIC**|Refers to the My Music folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_MYVIDEO**|Refers to the My Videos folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_RECENT**|Refers to the Recent folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_SENDTO**|Refers to the Send To folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_STARTMENU**|Refers to the Start Menu folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_PROGRAMS**|Refers to the Programs folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_STARTUP**|Refers to the Startup folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_TEMPLATES**|Refers to the Templates folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_DEFAULT_QUICKLAUNCH**|Refers to the Quick Launch folder inside %**DEFAULTUSERPROFILE**%.|
-|**CSIDL_FONTS**|A virtual folder containing fonts. A typical path is C:\Windows\Fonts.|
-|**CSIDL_PROGRAM_FILESX86**|The Program Files folder on 64-bit systems. A typical path is C:\Program Files(86).|
-|**CSIDL_PROGRAM_FILES_COMMONX86**|A folder for components that are shared across applications on 64-bit systems. A typical path is C:\Program Files(86)\Common.|
-|**CSIDL_PROGRAM_FILES**|The Program Files folder. A typical path is C:\Program Files.|
-|**CSIDL_PROGRAM_FILES_COMMON**|A folder for components that are shared across applications. A typical path is C:\Program Files\Common.|
-|**CSIDL_RESOURCES**|The file-system directory that contains resource data. A typical path is C:\Windows\Resources.|
-|**CSIDL_SYSTEM**|The Windows System folder. A typical path is C:\Windows\System32.|
-|**CSIDL_WINDOWS**|The Windows directory or system root. This corresponds to the %**WINDIR**% or %**SYSTEMROOT**% environment variables. A typical path is C:\Windows.|
-|**DEFAULTUSERPROFILE**|Refers to the value in **HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile]**.|
-|**PROFILESFOLDER**|Refers to the value in **HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory]**.|
-|**PROGRAMFILES**|Same as **CSIDL_PROGRAM_FILES**.|
-|**PROGRAMFILES(X86)**|Refers to the C:\Program Files (x86) folder on 64-bit systems.|
-|**SYSTEM**|Refers to %**WINDIR**%\system32.|
-|**SYSTEM16**|Refers to %**WINDIR**%\system.|
-|**SYSTEM32**|Refers to %**WINDIR**%\system32.|
-|**SYSTEMDRIVE**|The drive that holds the Windows folder. Note that this is a drive name and not a folder name (`C:` not `C:\`).|
-|**SYSTEMPROFILE**|Refers to the value in **HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath]**.|
-|**SYSTEMROOT**|Same as **WINDIR**.|
-|**WINDIR**|Refers to the Windows folder located on the system drive.|
+|*ALLUSERSAPPDATA*|Same as **CSIDL_COMMON_APPDATA**.|
+|*ALLUSERSPROFILE*|Refers to `%PROFILESFOLDER%\Public` or `%PROFILESFOLDER%\all users`.|
+|*COMMONPROGRAMFILES*|Same as **CSIDL_PROGRAM_FILES_COMMON**.|
+|*COMMONPROGRAMFILES*(X86)|Refers to the `C:\Program Files (x86)\Common Files` folder on 64-bit systems.|
+|*CSIDL_COMMON_ADMINTOOLS*|Version 10.0. The file-system directory that contains administrative tools for all users of the computer.|
+|*CSIDL_COMMON_ALTSTARTUP*|The file-system directory that corresponds to the non-localized Startup program group for all users.|
+|*CSIDL_COMMON_APPDATA*|The file-system directory that contains application data for all users. A typical path Windows is `C:\ProgramData`.|
+|*CSIDL_COMMON_DESKTOPDIRECTORY*|The file-system directory that contains files and folders that appear on the desktop for all users. A typical path is `C:\Users\Public\Desktop`.|
+|*CSIDL_COMMON_DOCUMENTS*|The file-system directory that contains documents that are common to all users. A typical path is `C:\Users\Public\Documents`.|
+|*CSIDL_COMMON_FAVORITES*|The file-system directory that serves as a common repository for favorites common to all users. A typical path is C:\Users\Public\Favorites.|
+|*CSIDL_COMMON_MUSIC*|The file-system directory that serves as a repository for music files common to all users. A typical path is `C:\Users\Public\Music`.|
+|*CSIDL_COMMON_PICTURES*|The file-system directory that serves as a repository for image files common to all users. A typical path is `C:\Users\Public\Pictures`.|
+|*CSIDL_COMMON_PROGRAMS*|The file-system directory that contains the directories for the common program groups that appear on the **Start** menu for all users. A typical path is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs`.|
+|*CSIDL_COMMON_STARTMENU*|The file-system directory that contains the programs and folders that appear on the **Start** menu for all users. A typical path in Windows is `C:\ProgramData\Microsoft\Windows\Start Menu`.|
+|*CSIDL_COMMON_STARTUP*|The file-system directory that contains the programs that appear in the Startup folder for all users. A typical path is `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup`.|
+|*CSIDL_COMMON_TEMPLATES*|The file-system directory that contains the templates that are available to all users. A typical path is `C:\ProgramData\Microsoft\Windows\Templates`.|
+|*CSIDL_COMMON_VIDEO*|The file-system directory that serves as a repository for video files common to all users. A typical path is `C:\Users\Public\Videos`.|
+|*CSIDL_DEFAULT_APPDATA*|Refers to the Appdata folder inside `%DEFAULTUSERPROFILE%`.|
+|C*SIDL_DEFAULT_LOCAL_APPDATA*|Refers to the local Appdata folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_COOKIES*|Refers to the Cookies folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_CONTACTS*|Refers to the Contacts folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_DESKTOP*|Refers to the Desktop folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_DOWNLOADS*|Refers to the Downloads folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_FAVORITES*|Refers to the Favorites folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_HISTORY*|Refers to the History folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_INTERNET_CACHE*|Refers to the Internet Cache folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_PERSONAL*|Refers to the Personal folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_MYDOCUMENTS*|Refers to the My Documents folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_MYPICTURES*|Refers to the My Pictures folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_MYMUSIC*|Refers to the My Music folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_MYVIDEO*|Refers to the My Videos folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_RECENT*|Refers to the Recent folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_SENDTO*|Refers to the Send To folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_STARTMENU*|Refers to the Start Menu folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_PROGRAMS*|Refers to the Programs folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_STARTUP*|Refers to the Startup folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_TEMPLATES*|Refers to the Templates folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_DEFAULT_QUICKLAUNCH*|Refers to the Quick Launch folder inside `%DEFAULTUSERPROFILE%`.|
+|*CSIDL_FONTS*|A virtual folder containing fonts. A typical path is `C:\Windows\Fonts`.|
+|*CSIDL_PROGRAM_FILESX86*|The Program Files folder on 64-bit systems. A typical path is `C:\Program Files(86)`.|
+|*CSIDL_PROGRAM_FILES_COMMONX86*|A folder for components that are shared across applications on 64-bit systems. A typical path is `C:\Program Files(86)\Common`.|
+|*CSIDL_PROGRAM_FILES*|The Program Files folder. A typical path is `C:\Program Files`.|
+|*CSIDL_PROGRAM_FILES_COMMON*|A folder for components that are shared across applications. A typical path is `C:\Program Files\Common`.|
+|*CSIDL_RESOURCES*|The file-system directory that contains resource data. A typical path is `C:\Windows\Resources`.|
+|*CSIDL_SYSTEM*|The Windows System folder. A typical path is `C:\Windows\System32`.|
+|*CSIDL_WINDOWS*|The Windows directory or system root path. This value corresponds to the `%WINDIR%` or `%SYSTEMROOT%` environment variables. A typical path is `C:\Windows`.|
+|*DEFAULTUSERPROFILE*|Refers to the value in `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [DefaultUserProfile]`.|
+|*PROFILESFOLDER*|Refers to the value in `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList [ProfilesDirectory]`.|
+|*PROGRAMFILES*|Same as **CSIDL_PROGRAM_FILES**.|
+|*PROGRAMFILES(X86)*|Refers to the `C:\Program Files (x86)` folder on 64-bit systems.|
+|*SYSTEM*|Refers to `%WINDIR%\system32`.|
+|*SYSTEM16*|Refers to `%WINDIR%\system`.|
+|*SYSTEM32*|Refers to `%WINDIR%\system32`.|
+|*SYSTEMDRIVE*|The drive that holds the Windows folder. This value is a drive name and not a folder name (`C:` not `C:\`).|
+|*SYSTEMPROFILE*|Refers to the value in `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 [ProfileImagePath]`.|
+|*SYSTEMROOT*|Same as **WINDIR**.|
+|*WINDIR*|Refers to the Windows folder located on the system drive.|
 
-## <a href="" id="bkmk-2"></a>Variables that are recognized only in the user context
+## Variables that are recognized only in the user context
 
 You can use these variables in the .xml files within sections with `context=User` and `context=UserAndSystem`.
 
 |Variable|Explanation|
 |--- |--- |
-|**APPDATA**|Same as **CSIDL_APPDATA**.|
-|**CSIDL_ADMINTOOLS**|The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.|
-|**CSIDL_ALTSTARTUP**|The file-system directory that corresponds to the user's non-localized Startup program group.|
-|**CSIDL_APPDATA**|The file-system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\username\Application Data or C:\Users\username\AppData\Roaming.|
-|**CSIDL_BITBUCKET**|The virtual folder that contains the objects in the user's Recycle Bin.|
-|**CSIDL_CDBURN_AREA**|The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning.|
-|**CSIDL_CONNECTIONS**|The virtual folder representing Network Connections that contains network and dial-up connections.|
-|**CSIDL_CONTACTS**|This refers to the Contacts folder in %**CSIDL_PROFILE**%.|
-|**CSIDL_CONTROLS**|The virtual folder that contains icons for the Control Panel items.|
-|**CSIDL_COOKIES**|The file-system directory that serves as a common repository for Internet cookies. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies.|
-|**CSIDL_DESKTOP**|The virtual folder representing the Windows desktop.|
-|**CSIDL_DESKTOPDIRECTORY**|The file-system directory used to physically store file objects on the desktop, which should not be confused with the desktop folder itself. A typical path is C:\Users\username\Desktop.|
-|**CSIDL_DRIVES**|The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.|
-|**CSIDL_FAVORITES**|The file-system directory that serves as a common repository for the user's favorites. A typical path is C:\Users\Username\Favorites.|
-|**CSIDL_HISTORY**|The file-system directory that serves as a common repository for Internet history items.|
-|**CSIDL_INTERNET**|A virtual folder for Internet Explorer.|
-|**CSIDL_INTERNET_CACHE**|The file-system directory that serves as a common repository for temporary Internet files. A typical path is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files|
-|**CSIDL_LOCAL_APPDATA**|The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is C:\Users\username\AppData\Local.|
-|**CSIDL_MYDOCUMENTS**|The virtual folder representing My Documents.A typical path is C:\Users\Username\Documents.|
-|**CSIDL_MYMUSIC**|The file-system directory that serves as a common repository for music files. A typical path is C:\Users\Username\Music.|
-|**CSIDL_MYPICTURES**|The file-system directory that serves as a common repository for image files. A typical path is C:\Users\Username\Pictures.|
-|**CSIDL_MYVIDEO**|The file-system directory that serves as a common repository for video files. A typical path is C:\Users\Username\Videos.|
-|**CSIDL_NETHOOD**|A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It is not the same as CSIDL_NETWORK, which represents the network namespace root. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Network Shortcuts.|
-|**CSIDL_NETWORK**|A virtual folder representing My Network Places, the root of the network namespace hierarchy.|
-|**CSIDL_PERSONAL**|The virtual folder representing the My Documents desktop item. This is equivalent to **CSIDL_MYDOCUMENTS**. <br/>A typical path is C:\Documents and Settings\username\My Documents.|
-|**CSIDL_PLAYLISTS**|The virtual folder used to store play albums, typically C:\Users\username\My Music\Playlists.|
-|**CSIDL_PRINTERS**|The virtual folder that contains installed printers.|
-|**CSIDL_PRINTHOOD**|The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Printer Shortcuts.|
-|**CSIDL_PROFILE**|The user's profile folder. A typical path is C:\Users\Username.|
-|**CSIDL_PROGRAMS**|The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs.|
-|**CSIDL_RECENT**|The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Recent.|
-|**CSIDL_SENDTO**|The file-system directory that contains **Send To** menu items. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\SendTo.|
-|**CSIDL_STARTMENU**|The file-system directory that contains **Start** menu items. A typical path in Windows XP is C:\Documents and Settings\username\Start Menu. A typical path in Windows Vista, Windows 7, or Windows 8 is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu.|
-|**CSIDL_STARTUP**|The file-system directory that corresponds to the user's Startup program group. A typical path is C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.|
-|**CSIDL_TEMPLATES**|The file-system directory that serves as a common repository for document templates. A typical path is C:\Users\username\AppData\Roaming\Microsoft\Windows\Templates.|
-|**HOMEPATH**|Same as the standard environment variable.|
-|**TEMP**|The temporary folder on the computer. A typical path is %**USERPROFILE**%\AppData\Local\Temp.|
-|**TMP**|The temporary folder on the computer. A typical path is %**USERPROFILE**%\AppData\Local\Temp.|
-|**USERPROFILE**|Same as **CSIDL_PROFILE**.|
-|**USERSID**|Represents the current user-account security identifier (SID). For example, <br/>S-1-5-21-1714567821-1326601894-715345443-1026.|
+|*APPDATA*|Same as **CSIDL_APPDATA**.|
+|*CSIDL_ADMINTOOLS*|The file-system directory that is used to store administrative tools for an individual user. The Microsoft® Management Console (MMC) saves customized consoles to this directory, which roams with the user profile.|
+|*CSIDL_ALTSTARTUP*|The file-system directory that corresponds to the user's non-localized Startup program group.|
+|*CSIDL_APPDATA*|The file-system directory that serves as a common repository for application-specific data. A typical path is `C:\Users\<username>\AppData\Roaming`.|
+|*CSIDL_BITBUCKET*|The virtual folder that contains the objects in the user's Recycle Bin.|
+|*CSIDL_CDBURN_AREA*|The file-system directory acting as a staging area for files waiting to be written to CD. A typical path is `C:\Users\<username>\AppData\Local\Microsoft\Windows\MasteredBurning\Disc Burning`.|
+|*CSIDL_CONNECTIONS*|The virtual folder representing Network Connections that contains network and dial-up connections.|
+|*CSIDL_CONTACTS*|This value refers to the Contacts folder in **%CSIDL_PROFILE%**.|
+|*CSIDL_CONTROLS*|The virtual folder that contains icons for the Control Panel items.|
+|*CSIDL_COOKIES*|The file-system directory that serves as a common repository for Internet cookies. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies`.|
+|*CSIDL_DESKTOP*|The virtual folder representing the Windows desktop.|
+|*CSIDL_DESKTOPDIRECTORY*|The file-system directory used to physically store file objects on the desktop, which shouldn't be confused with the desktop folder itself. A typical path is `C:\Users\<username>\Desktop`.|
+|*CSIDL_DRIVES*|The virtual folder representing My Computer that contains everything on the local computer: storage devices, printers, and Control Panel. The folder may also contain mapped network drives.|
+|*CSIDL_FAVORITES*|The file-system directory that serves as a common repository for the user's favorites. A typical path is `C:\Users\<username>\Favorites`.|
+|*CSIDL_HISTORY*|The file-system directory that serves as a common repository for Internet history items.|
+|*CSIDL_INTERNET*|A virtual folder for Internet Explorer.|
+|*CSIDL_INTERNET_CACHE*|The file-system directory that serves as a common repository for temporary Internet files. A typical path is `C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files`|
+|*CSIDL_LOCAL_APPDATA*|The file-system directory that serves as a data repository for local, non-roaming applications. A typical path is `C:\Users\<username>\AppData\Local`.|
+|*CSIDL_MYDOCUMENTS*|The virtual folder representing My Documents.A typical path is `C:\Users\<username>\Documents`.|
+|*CSIDL_MYMUSIC*|The file-system directory that serves as a common repository for music files. A typical path is `C:\Users\<username>\Music`.|
+|*CSIDL_MYPICTURES*|The file-system directory that serves as a common repository for image files. A typical path is `C:\Users\<username>\Pictures`.|
+|*CSIDL_MYVIDEO*|The file-system directory that serves as a common repository for video files. A typical path is `C:\Users\<username>\Videos`.|
+|*CSIDL_NETHOOD*|A file-system directory that contains the link objects that may exist in the My Network Places virtual folder. It isn't the same as *CSIDL_NETWORK*, which represents the network namespace root. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Network Shortcuts`.|
+|*CSIDL_NETWORK*|A virtual folder representing My Network Places, the root of the network namespace hierarchy.|
+|*CSIDL_PERSONAL*|The virtual folder representing the My Documents desktop item. This value is equivalent to **CSIDL_MYDOCUMENTS**. A typical path is `C:\Documents and Settings\<username>\My Documents`.|
+|*CSIDL_PLAYLISTS*|The virtual folder used to store play albums, typically `C:\Users\<username>\My Music\Playlists`.|
+|*CSIDL_PRINTERS*|The virtual folder that contains installed printers.|
+|*CSIDL_PRINTHOOD*|The file-system directory that contains the link objects that can exist in the Printers virtual folder. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Printer Shortcuts`.|
+|*CSIDL_PROFILE*|The user's profile folder. A typical path is `C:\Users\<username>`.|
+|*CSIDL_PROGRAMS*|The file-system directory that contains the user's program groups, which are themselves file-system directories. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs`.|
+|*CSIDL_RECENT*|The file-system directory that contains shortcuts to the user's most recently used documents. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent`.|
+|*CSIDL_SENDTO*|The file-system directory that contains **Send To** menu items. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\SendTo`.|
+|*CSIDL_STARTMENU*|The file-system directory that contains **Start** menu items. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu`.|
+|*CSIDL_STARTUP*|The file-system directory that corresponds to the user's Startup program group. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`.|
+|*CSIDL_TEMPLATES*|The file-system directory that serves as a common repository for document templates. A typical path is `C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Templates`.|
+|*HOMEPATH*|Same as the standard environment variable.|
+|*TEMP*|The temporary folder on the computer. A typical path is `%USERPROFILE%\AppData\Local\Temp`.|
+|*TMP*|The temporary folder on the computer. A typical path is `%USERPROFILE%\AppData\Local\Temp`.|
+|*USERPROFILE*|Same as **CSIDL_PROFILE**.|
+|*USERSID*|Represents the current user-account security identifier (SID). For example, `S-1-5-21-1714567821-1326601894-715345443-1026`.|
 
-## Related topics
+## Related articles
 
-[USMT XML Reference](usmt-xml-reference.md)
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md
index 44228df5ef..9c2604adf1 100644
--- a/windows/deployment/usmt/usmt-reference.md
+++ b/windows/deployment/usmt/usmt-reference.md
@@ -2,32 +2,33 @@
 title: User State Migration Toolkit (USMT) Reference (Windows 10)
 description: Use this User State Migration Toolkit (USMT) article to learn details about USMT, like operating system, hardware, and software requirements, and user prerequisites.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# User State Migration Toolkit (USMT) Reference
+# User State Migration Toolkit (USMT) reference
 
-## In This Section
+## In this section
 
 | Link | Description |
 |--- |--- |
-|[USMT Requirements](usmt-requirements.md)|Describes operating system, hardware, and software requirements, and user prerequisites.|
-|[USMT Best Practices](usmt-best-practices.md)|Discusses general and security-related best practices when using USMT.|
-|[How USMT Works](usmt-how-it-works.md)|Learn about the processes behind the ScanState and LoadState tools.|
-|[Plan Your Migration](usmt-plan-your-migration.md)|Choose what to migrate and the best migration scenario for your enterprise.|
-|[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)|Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.|
-|[USMT XML Reference](usmt-xml-reference.md)|Learn about customizing a migration with XML files.|
-|[Offline Migration Reference](offline-migration-reference.md)|Find requirements, best practices, and other considerations for performing a migration offline.|
+|[USMT requirements](usmt-requirements.md)|Describes operating system, hardware, and software requirements, and user prerequisites.|
+|[USMT best practices](usmt-best-practices.md)|Discusses general and security-related best practices when using USMT.|
+|[How USMT works](usmt-how-it-works.md)|Learn about the processes behind the ScanState and LoadState tools.|
+|[Plan your migration](usmt-plan-your-migration.md)|Choose what to migrate and the best migration scenario for your enterprise.|
+|[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)|Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.|
+|[USMT XML reference](usmt-xml-reference.md)|Learn about customizing a migration with XML files.|
+|[Offline Migration reference](offline-migration-reference.md)|Find requirements, best practices, and other considerations for performing a migration offline.|
 
-## Related topics
+## Related articles
 
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[User State Migration Tool (USMT) overview topics](usmt-topics.md)
 
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+[User State Migration Tool (USMT) how-to topics](usmt-how-to.md)
 
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
+[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index 36394f875a..d0f86bfc08 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -2,100 +2,93 @@
 title: USMT Requirements (Windows 10)
 description: While the User State Migration Tool (USMT) doesn't have many requirements, these tips and tricks can help smooth the migration process.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 05/03/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# USMT Requirements
+# USMT requirements
 
-## In This Topic
+## Supported operating systems
 
--   [Supported Operating Systems](#bkmk-1)
--   [Windows PE](#windows-pe)
--   [Credentials](#credentials)
--   [Config.xml](#configxml)
--   [LoadState](#loadstate)
--   [Hard Disk Requirements](#bkmk-3)
--   [User Prerequisites](#bkmk-userprereqs)
-
-## <a href="" id="bkmk-1"></a>Supported Operating Systems
-
-The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings.
+The User State Migration Tool (USMT) 10.0 doesn't have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings.
 
 The following table lists the operating systems supported in USMT.
 
-|Operating Systems|ScanState (source computer)|LoadState (destination computer)|
+|Operating Systems|ScanState (source computer)|LoadState (destination computer)|
 |--- |--- |--- |
-|32-bit versions of Windows 7|✔️|✔️|
-|64-bit versions of Windows 7|✔️|✔️|
-|32-bit versions of Windows 8|✔️|✔️|
-|64-bit versions of Windows 8|✔️|✔️|
-|32-bit versions of Windows 10|✔️|✔️|
-|64-bit versions of Windows 10|✔️|✔️|
+|32-bit versions of Windows 7|✔️|✔️|
+|64-bit versions of Windows 7|✔️|✔️|
+|32-bit versions of Windows 8|✔️|✔️|
+|64-bit versions of Windows 8|✔️|✔️|
+|32-bit versions of Windows 10|✔️|✔️|
+|64-bit versions of Windows 10|✔️|✔️|
 
 > [!NOTE]
 > You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system.
 
-USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7.
+## Unsupported scenarios
 
-USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10.
-For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](/previous-versions/windows/server/dd560801(v=ws.10)).
+- USMT doesn't support any of the Windows Server® operating systems.
+- USMT for Windows 10 shouldn't be used for migrating between previous versions of Windows. USMT for Windows 10 is only meant to migrate to Windows 10 or between Windows 10 versions. For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) overview](/previous-versions/windows/hh825227(v=win.10)).
 
 ## Windows PE
 
-- **Must use latest version of Windows PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](/windows-hardware/manufacture/desktop/whats-new-in-windows-pe-s14).
+- **Must use latest version of Windows PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](/windows-hardware/manufacture/desktop/whats-new-in-windows-pe-s14).
 
 ## Credentials
 
 - **Run as administrator**
-    When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8, or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you do not run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration.
+    When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8, or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you don't run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration.
 
 To open an elevated command prompt:
 
-1. Click **Start**.
-2. Enter **cmd** in the search function.
-3. Depending on the OS you are using, **cmd** or **Command Prompt** is displayed.
-3. Right-click **cmd** or **Command Prompt**, and then click **Run as administrator**.
-4. If the current user is not already an administrator, you will be prompted to enter administrator credentials.
+1. Select **Start**.
+2. Enter `cmd` in the search function.
+3. Depending on the OS you're using, **cmd** or **Command Prompt** is displayed.
+4. Right-click **cmd** or **Command Prompt**, and then select **Run as administrator**.
+5. If the current user isn't already an administrator, you'll be prompted to enter administrator credentials.
 
 > [!IMPORTANT]
 > You must run USMT using an account with full administrative permissions, including the following privileges:
-
-- SeBackupPrivilege (Back up files and directories)
-- SeDebugPrivilege (Debug programs)
-- SeRestorePrivilege (Restore files and directories)
-- SeSecurityPrivilege (Manage auditing and security log)
-- SeTakeOwnership Privilege (Take ownership of files or other objects)
+>
+> - SeBackupPrivilege (Back up files and directories)
+> - SeDebugPrivilege (Debug programs)
+> - SeRestorePrivilege (Restore files and directories)
+> - SeSecurityPrivilege (Manage auditing and security log)
+> - SeTakeOwnership Privilege (Take ownership of files or other objects)
 
 ## Config.xml
 
--  **Specify the /c option and &lt;ErrorControl&gt; settings in the Config.xml file.**<BR>
-    USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file, which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **&lt;ErrorControl&gt;** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md).
+### Specify the `/c` option and &lt;ErrorControl&gt; settings in the `Config.xml` file
+
+USMT will fail if it can't migrate a file or setting, unless you specify the `/c` option. When you specify the `/c` option, USMT logs an error each time it encounters a file that is in use that didn't migrate, but the migration won't be interrupted. In USMT, you can specify in the `Config.xml` file, which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **&lt;ErrorControl&gt;** element, see [Config.xml file](usmt-configxml-file.md#errorcontrol), [Log files](usmt-log-files.md), and [XML elements library](usmt-xml-elements-library.md).
 
 ## LoadState
 
--  **Install applications before running the LoadState command.**<BR>
-    Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved.
+### Install applications before running the LoadState command
 
-## <a href="" id="bkmk-3"></a>Hard-Disk Requirements
+Install all applications on the destination computer before restoring the user state. Installing applications before running the `LoadState.exe` command ensures that migrated settings are preserved.
 
-Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).
+## Hard-disk requirements
 
-## <a href="" id="bkmk-userprereqs"></a>User Prerequisites
+Ensure that there's enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).
 
-This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following:
+## User prerequisites
 
--   The navigation and hierarchy of the Windows registry.
--   The files and file types that applications use.
--   The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors.
--   XML-authoring basics.
+This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following concepts:
 
-## Related topics
+- The navigation and hierarchy of the Windows registry.
+- The files and file types that applications use.
+- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software publishers.
+- XML-authoring basics.
 
-[Plan Your Migration](usmt-plan-your-migration.md)<BR>
-[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)<BR>
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)<BR>
+## Related articles
+
+- [Plan your migration](usmt-plan-your-migration.md)
+- [Estimate migration store size](usmt-estimate-migration-store-size.md)
+- [User State Migration Tool (USMT) overview topics](usmt-topics.md)
diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
index 526e988ace..026a457ea7 100644
--- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md
+++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md
@@ -1,63 +1,53 @@
 ---
 title: Reroute Files and Settings (Windows 10)
-description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines to reroute files and settings.
+description: Learn how to create a custom .xml file and specify this file name on both the ScanState and LoadState command lines to reroute files and settings.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Reroute Files and Settings
 
+To reroute files and settings, create a custom .xml file and specify the .xml file name on both the `ScanState.exe` and `LoadState.exe` command-lines. Th custom .xml file enables you to keep your changes separate from the default .xml files, so that it's easier to track your modifications.
 
-To reroute files and settings, create a custom .xml file and specify this file name on both the ScanState and LoadState commandlines. This enables you to keep your changes separate from the default .xml files, so that it is easier to track your modifications.
+## Reroute a folder
 
-In this topic:
+The following custom .xml file migrates the directories and files from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**.
 
--   [Reroute a Folder](#bkmk-reroutefolder)
-
--   [Reroute a Specific File Type](#bkmk-reroutespecfiletype)
-
--   [Reroute a Specific File](#bkmk-reroutespecificfile)
-
-## <a href="" id="bkmk-reroutefolder"></a>Reroute a Folder
-
-
-The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
-
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="User">
   <displayName>Engineering Drafts Documents to Personal Folder</displayName>
   <role role="Data">
-    <rules>
+    <rules>
       <!-- Migrate all directories and files present in c:\EngineeringDrafts folder -->
       <include>
         <objectSet>
           <pattern type="File">C:\EngineeringDrafts\* [*]</pattern>
         </objectSet>
-      </include>
-      <!-- This migrates all files and directories from C:\EngineeringDrafts to every user’s personal folder.-->
+      </include>
+      <!-- This migrates all files and directories from C:\EngineeringDrafts to every user's personal folder.-->
       <locationModify script="MigXmlHelper.RelativeMove('C:\EngineeringDrafts','%CSIDL_PERSONAL%')">
         <objectSet>
           <pattern type="File">C:\EngineeringDrafts\* [*]</pattern>
         </objectSet>
-      </locationModify>
-    </rules>
+      </locationModify>
+    </rules>
   </role>
 </component>
 </migration>
 ```
 
-## <a href="" id="bkmk-reroutespecfiletype"></a>Reroute a Specific File Type
+## Reroute a specific file type
 
+The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the `C:\Music` folder on the destination computer.
 
-The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer.
-
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="System">
   <displayName>All .mp3 files to My Documents</displayName>
@@ -80,12 +70,11 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o
 </migration> 
 ```
 
-## <a href="" id="bkmk-reroutespecificfile"></a>Reroute a Specific File
+## Reroute a specific file
 
+The following custom .xml file migrates the `Sample.doc` file from `C:\EngineeringDrafts` into the **My Documents** folder of every user. **%CSIDL_PERSONAL%** is the virtual folder representing the **My Documents** desktop item, which is equivalent to **CSIDL_MYDOCUMENTS**.
 
-The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS.
-
-``` xml
+```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/test">
 <component type="Documents" context="User">
 <displayName>Sample.doc into My Documents</displayName>
@@ -107,20 +96,10 @@ The following custom .xml file migrates the Sample.doc file from C:\\Engineering
 </migration>
 ```
 
-## Related topics
-
-
-[Customize USMT XML Files](usmt-customize-xml-files.md)
-
-[Conflicts and Precedence](usmt-conflicts-and-precedence.md)
-
-[USMT XML Reference](usmt-xml-reference.md)
-
- 
-
- 
-
-
+## Related articles
 
+[Customize USMT XML files](usmt-customize-xml-files.md)
 
+[Conflicts and precedence](usmt-conflicts-and-precedence.md)
 
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index c0384baa68..ac1cc27168 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -2,41 +2,35 @@
 title: USMT Resources (Windows 10)
 description: Learn about User State Migration Tool (USMT) online resources, including Microsoft Visual Studio and forums.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# USMT Resources
+# USMT resources
 
+## USMT online resources
 
-## USMT Online Resources
+- [ADK Release Notes](/windows-hardware/get-started/what-s-new-in-kits-and-tools)
 
+- Microsoft Visual Studio
 
--   [ADK Release Notes](/windows-hardware/get-started/what-s-new-in-kits-and-tools)
+  - You can use the User State Migration Tool (USMT) XML schema (the `MigXML.xsd` file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
+  
+    For more information about how to use the schema with your XML authoring environment, see the environment's documentation.
 
--   Microsoft Visual Studio
+- [Ask the Directory Services Team blog](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/bg-p/AskDS)
 
-    -   You can use the User State Migration Tool (USMT) XML schema (the MigXML.xsd file) to validate the migration .xml files using an XML authoring tool such as Microsoft® Visual Studio®.
+- Forums:
 
-        For more information about how to use the schema with your XML authoring environment, see the environment’s documentation.
+  - [Microsoft Deployment Toolkit forum](/answers/topics/mem-mdt.html)
 
--   [Ask the Directory Services Team blog](/archive/blogs/askds/)
+  - [Configuration Manager Operating System Deployment forum](/answers/topics/mem-cm-osd.html)
 
--   Forums:
+## Related articles
 
-    -   [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=226386)
-
-    -   [Configuration Manager Operating System Deployment](https://go.microsoft.com/fwlink/p/?LinkId=226388)
-
-## Related topics
-
-
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
-
- 
-
- 
+[User State Migration Tool (USMT) overview topics](usmt-topics.md)
diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md
deleted file mode 100644
index 108dc532c1..0000000000
--- a/windows/deployment/usmt/usmt-return-codes.md
+++ /dev/null
@@ -1,274 +0,0 @@
----
-title: Return Codes (Windows 10)
-description: Learn about User State Migration Tool (USMT) 10.0 return codes and error messages. Also view a list of USMT return codes and their associated migration steps.
-ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Return Codes
-
-This topic describes User State Migration Tool (USMT) 10.0 return codes and error messages. Also included is a table listing the USMT return codes with their associated mitigation steps. In addition, this topic provides tips to help you use the logfiles to determine why you received an error.
-
-Understanding the requirements for running USMT can help minimize errors in your USMT migrations. For more information, see [USMT Requirements](usmt-requirements.md).
-
-## In This Topic
-
-[USMT Return Codes](#bkmk-returncodes)
-
-[USMT Error Messages](#bkmk-errormessages)
-
-[Troubleshooting Return Codes and Error Messages](#bkmk-tscodeserrors)
-
-## <a href="" id="bkmk-returncodes"></a>USMT Return Codes
-
-If you encounter an error in your USMT migration, you can use return codes and the more specific information provided in the associated USMT error messages to troubleshoot the issue and to identify mitigation steps.
-
-Return codes are grouped into the following broad categories that describe their area of error reporting:
-
-Success or User Cancel
-
-Invalid Command Lines
-
-Setup and Initialization
-
-Non-fatal Errors
-
-Fatal Errors
-
-As a best practice, we recommend that you set verbosity level to 5, **/v**<em>:5</em>, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger.
-
-## <a href="" id="bkmk-errormessages"></a>USMT Error Messages
-
-Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received.
-
-You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](/windows/win32/debug/system-error-codes--0-499-).
-
-## <a href="" id="bkmk-tscodeserrors"></a>Troubleshooting Return Codes and Error Messages
-
-The following information lists each return code by numeric value, along with the associated error messages and suggested troubleshooting actions.
-
-- **0: USMT_SUCCESS**
-  - **Error message**: Successful run
-
-- **1: USMT_DISPLAY_HELP**
-  - **Error message**: Command line help requested
-
-- **2: USMT_STATUS_CANCELED**
-  - **Error message**: 
-    - Gather was aborted because of an EFS file
-    - User chose to cancel (such as pressing CTRL+C)
-
-- **3: USMT_WOULD_HAVE_FAILED**
-  - **Error message**: At least one error was skipped as a result of /c.
-  - **Troubleshooting, mitigation, workarounds**: Review ScanState, LoadState, or UsmtUtils log for details about command-line errors.
-
-- **11: USMT_INVALID_PARAMETERS**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | /all conflicts with /ui, /ue or /uel | Review ScanState log or LoadState log for details about command-line errors. |
-  | /auto expects an optional parameter for the script folder | Review ScanState log or LoadState log for details about command-line errors. |
-  | /encrypt can't be used with /nocompress | Review ScanState log or LoadState log for details about command-line errors. |
-  | /encrypt requires /key or /keyfile | Review ScanState log or LoadState log for details about command-line errors. |
-  | /genconfig can't be used with most other options | Review ScanState log or LoadState log for details about command-line errors. |
-  | /genmigxml can't be used with most other options | Review ScanState log or LoadState log for details about command-line errors. |
-  | /hardlink requires /nocompress | Review ScanState log or LoadState log for details about command-line errors. |
-  | /key and /keyfile both specified | Review ScanState log or LoadState log for details about command-line errors. |
-  | /key or /keyfile used without enabling encryption | Review ScanState log or LoadState log for details about command-line errors. |
-  | /lae is only used with /lac | Review ScanState log or LoadState log for details about command-line errors. |
-  | /listfiles cannot be used with /p | Review ScanState log or LoadState log for details about command-line errors. |
-  | /offline requires a valid path to an XML file describing offline paths | Review ScanState log or LoadState log for details about command-line errors. |
-  | /offlinewindir requires a valid path to offline windows folder | Review ScanState log or LoadState log for details about command-line errors. |
-  | /offlinewinold requires a valid path to offline windows folder | Review ScanState log or LoadState log for details about command-line errors. |
-  | A command was already specified | Verify that the command-line syntax is correct and that there are no duplicate commands. |
-  | An option argument is missing | Review ScanState log or LoadState log for details about command-line errors. |
-  | An option is specified more than once and is ambiguous | Review ScanState log or LoadState log for details about command-line errors. |
-  | By default /auto selects all users and uses the highest log verbosity level. Switches like /all, /ui, /ue, /v are not allowed. | Review ScanState log or LoadState log for details about command-line errors. |
-  | Command line arguments are required. Specify /? for options. | Review ScanState log or LoadState log for details about command-line errors. |
-  | Command line option is not valid | Review ScanState log or LoadState log for details about command-line errors. |
-  | EFS parameter specified is not valid for /efs | Review ScanState log or LoadState log for details about command-line errors. |
-  | File argument is invalid for /genconfig | Review ScanState log or LoadState log for details about command-line errors. |
-  | File argument is invalid for /genmigxml | Review ScanState log or LoadState log for details about command-line errors. |
-  | Invalid space estimate path. Check the parameters and/or file system permissions | Review ScanState log or LoadState log for details about command-line errors. |
-  | List file path argument is invalid for /listfiles | Review ScanState log or LoadState log for details about command-line errors. |
-  | Retry argument must be an integer | Review ScanState log or LoadState log for details about command-line errors. |
-  | Settings store argument specified is invalid | Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set. |
-  | Specified encryption algorithm is not supported | Review ScanState log or LoadState log for details about command-line errors. |
-  | The /efs:hardlink requires /hardlink | Review ScanState log or LoadState log for details about command-line errors. |
-  | The /targetWindows7 option is only available for Windows XP, Windows Vista, and Windows 7 | Review ScanState log or LoadState log for details about command-line errors. |
-  | The store parameter is required but not specified | Review ScanState log or LoadState log for details about command-line errors. |
-  | The source-to-target domain mapping is invalid for /md | Review ScanState log or LoadState log for details about command-line errors. |
-  | The source-to-target user account mapping is invalid for /mu | Review ScanState log or LoadState log for details about command-line errors. |
-  | Undefined or incomplete command line option | Review ScanState log or LoadState log for details about command-line errors. <br/><br/>Category: Invalid Command Lines|
-  | Use /nocompress, or provide an XML file path with /p"pathtoafile" to get a compressed store size estimate | Review ScanState log or LoadState log for details about command-line errors. |
-  | User exclusion argument is invalid | Review ScanState log or LoadState log for details about command-line errors. |
-  | Verbosity level must be specified as a sum of the desired log options: Verbose (0x01), Record Objects (0x04), Echo to debug port (0x08) | Review ScanState log or LoadState log for details about command-line errors. |
-  | Volume shadow copy feature is not supported with a hardlink store | Review ScanState log or LoadState log for details about command-line errors. |
-  | Wait delay argument must be an integer | Review ScanState log or LoadState log for details about command-line errors. |
-
-- **12: USMT_ERROR_OPTION_PARAM_TOO_LARGE**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Command line arguments cannot exceed 256 characters | Review ScanState log or LoadState log for details about command-line errors.<br/><br/>Category: Invalid Command Lines |
-  | Specified settings store path exceeds the maximum allowed length of 256 characters | Review ScanState log or LoadState log for details about command-line errors. |
-
-- **13: USMT_INIT_LOGFILE_FAILED**
-  - **Error message**: Log path argument is invalid for /l
-  - **Troubleshooting, mitigation, workarounds**: When /l is specified in the ScanState command line, USMT validates the path. Verify that the drive and other information, for example file system characters, are correct.
-  - **Category**: Invalid Command Lines
-
-- **14: USMT_ERROR_USE_LAC**
-  - **Error message**: Unable to create a local account because /lac was not specified
-  - **Troubleshooting, mitigation, workarounds**: When creating local accounts, the command-line options /lac and /lae should be used.
-  - **Category**: Invalid Command Lines
-
-- **26: USMT_INIT_ERROR**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Multiple Windows installations found | Listfiles.txt could not be created. Verify that the location you specified for the creation of this file is valid. <br/><br/>Category: Setup and Initialization |
-  | Software malfunction or unknown exception | Check all loaded .xml files for errors, common error when using /I to load the Config.xml file. |
-  | Unable to find a valid Windows directory to proceed with requested offline operation; Check if offline input file is present and has valid entries | Verify that the offline input file is present and that it has valid entries. USMT could not find valid offline operating system. Verify your offline directory mapping. |
-
-- **27: USMT_INVALID_STORE_LOCATION**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | A store path can't be used because an existing store exists; specify /o to overwrite | Specify /o to overwrite an existing intermediate or migration store. <br/><br/>Category: Setup and Initialization |
-  | A store path is missing or has incomplete data | Make sure that the store path is accessible and that the proper permission levels are set. |
-  | An error occurred during store creation | Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. |
-  | An inappropriate device such as a floppy disk was specified for the store | Make sure that the store path is accessible and that the proper permission levels are set. |
-  | Invalid store path; check the store parameter and/or file system permissions | Invalid store path; check the store parameter and/or file system permissions. |
-  | The file layout and/or file content is not recognized as a valid store | Make sure that the store path is accessible and that the proper permission levels are set. Specify /o to overwrite an existing intermediate or migration store. |
-  | The store path holds a store incompatible with the current USMT version | Make sure that the store path is accessible and that the proper permission levels are set. |
-  | The store save location is read-only or does not support a requested storage option | Make sure that the store path is accessible and that the proper permission levels are set. |
-
-- **28: USMT_UNABLE_GET_SCRIPTFILES**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Script file is invalid for /i | Check all specified migration .xml files for errors. This is a common error when using /i to load the Config.xml file. <br/><br/>Category: Setup and Initialization |
-  | Unable to find a script file specified by /i | Verify the location of your script files, and ensure that the command-line options are correct. |
-
-- **29: USMT_FAILED_MIGSTARTUP**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | A minimum of 250 MB of free space is required for temporary files | Verify that the system meets the minimum temporary disk space requirement of 250 MB. As a workaround, you can set the environment variable `USMT_WORKING_DIR=<path>` to redirect the temporary files working directory. <br/><br/>Category: Setup and Initialization |
-  | Another process is preventing migration; only one migration tool can run at a time | Check the ScanState log file for migration .xml file errors. |
-  | Failed to start main processing, look in log for system errors or check the installation | Check the ScanState log file for migration .xml file errors. |
-  | Migration failed because of an XML error; look in the log for specific details | Check the ScanState log file for migration .xml file errors. |
-  | Unable to automatically map the drive letters to match the online drive letter layout; Use /offline to provide a mapping table | Check the ScanState log file for migration .xml file errors. |
-
-- **31: USMT_UNABLE_FINDMIGUNITS**
-
-  - **Error message**: An error occurred during the discover phase; the log should have more specific information
-  - **Troubleshooting, mitigation, workarounds**: Check the ScanState log file for migration .xml file errors.
-  - **Category**: Setup and Initialization
-
-- **32: USMT_FAILED_SETMIGRATIONTYPE**
-  - **Error message**: An error occurred processing the migration system
-  - **Troubleshooting, mitigation, workarounds**: Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line.
-  - **Category**: Setup and Initialization
-
-- **33: USMT_UNABLE_READKEY**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Error accessing the file specified by the /keyfile parameter | Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. <br/><br/>Category: Setup and Initialization |
-  | The encryption key must have at least one character | Check the ScanState log file for migration .xml file errors, or use online Help by typing /? on the command line. |
-
-- **34: USMT_ERROR_INSUFFICIENT_RIGHTS**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Directory removal requires elevated privileges | Log on as Administrator, and run with elevated privileges. <br/><br/>Category: Setup and Initialization |
-  | No rights to create user profiles; log in as Administrator; run with elevated privileges | Log on as Administrator, and run with elevated privileges. |
-  | No rights to read or delete user profiles; log in as Administrator, run with elevated privileges | Log on as Administrator, and run with elevated privileges. |
-
-- **35: USMT_UNABLE_DELETE_STORE**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | A reboot is required to remove the store | Reboot to delete any files that could not be deleted when the command was executed. <br/><br/>Category: Setup and Initialization |
-  | A store path can't be used because it contains data that could not be overwritten | A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use **USMTUtils /rd** command to delete the store. |
-  | There was an error removing the store | Review ScanState log or LoadState log for details about command-line errors. |
-
-- **36: USMT_ERROR_UNSUPPORTED_PLATFORM**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Compliance check failure; please check the logs for details | Investigate whether there is an active temporary profile on the system. <br/><br/>Category: Setup and Initialization |
-  | Use of /offline is not supported during apply | The **/offline** command was not used while running in the Windows Preinstallation Environment (WinPE). |
-  | Use /offline to run gather on this platform | The **/offline** command was not used while running in WinPE. |
-
-- **37: USMT_ERROR_NO_INVALID_KEY**
-  - **Error message**: The store holds encrypted data but the correct encryption key was not provided
-  - **Troubleshooting, mitigation, workarounds**: Verify that you have included the correct encryption /key or /keyfile.
-  - **Category**: Setup and Initialization
-
-- **38: USMT_ERROR_CORRUPTED_NOTENCRYPTED_STORE**
-  - **Error message**: An error occurred during store access
-  - **Troubleshooting, mitigation, workarounds**: Review ScanState log or LoadState log for details about command-line errors. Make sure that the store path is accessible and that the proper permission levels are set.
-  - **Category**: Setup and Initialization
-
-- **39: USMT_UNABLE_TO_READ_CONFIG_FILE**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Error reading Config.xml | Review ScanState log or LoadState log for details about command-line errors in the Config.xml file. <br/><br/>Category: Setup and Initialization |
-  | File argument is invalid for /config | Check the command line you used to load the Config.xml file. You can use online Help by typing /? on the command line. |
-
-- **40: USMT_ERROR_UNABLE_CREATE_PROGRESS_LOG**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Error writing to the progress log | The Progress log could not be created. Verify that the location is valid and that you have write access. <br/><br/>Category: Setup and Initialization |
-  | Progress log argument is invalid for /progress | The Progress log could not be created. Verify that the location is valid and that you have write access. |
-
-- **41: USMT_PREFLIGHT_FILE_CREATION_FAILED**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | Can't overwrite existing file | The Progress log could not be created. Verify that the location is valid and that you have write access. <br/><br/>Category: Setup and Initialization |
-  | Invalid space estimate path. Check the parameters and/or file system permissions | Review ScanState log or LoadState log for details about command-line errors. |
-
-- **42: USMT_ERROR_CORRUPTED_STORE**
-  - **Error message**: The store contains one or more corrupted files
-  - **Troubleshooting, mitigation, workarounds**: Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
-
-- **61: USMT_MIGRATION_STOPPED_NONFATAL**
-  - **Error message**: Processing stopped due to an I/O error
-  - **Troubleshooting, mitigation, workarounds**: USMT exited but can continue with the /c command-line option, with the optional configurable &lt;ErrorControl&gt; section or by using the /vsc command-line option.
-  - **Category**: Non-fatal Errors
-
-- **71: USMT_INIT_OPERATING_ENVIRONMENT_FAILED**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | A Windows Win32 API error occurred | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. <br/><br/>Category: Fatal Errors |
-  | An error occurred when attempting to initialize the diagnostic mechanisms such as the log | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
-  | Failed to record diagnostic information | Data transfer has begun, and there was an error during the creation of migration store or during the apply phase. Review the ScanState log or LoadState log for details. |
-  | Unable to start. Make sure you are running USMT with elevated privileges | Exit USMT and log in again with elevated privileges. |
-
-- **72: USMT_UNABLE_DOMIGRATION**
-
-  | Error message | Troubleshooting, mitigation, workarounds |
-  | --- |  --- |
-  | An error occurred closing the store | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. <br/><br/>Category: Fatal Errors|
-  | An error occurred in the apply process | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
-  | An error occurred in the gather process | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
-  | Out of disk space while writing the store | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
-  | Out of temporary disk space on the local system | Data transfer has begun, and there was an error during migration-store creation or during the apply phase. Review the ScanState log or LoadState log for details. |
-
-## Related topics
-
-[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-
-[Log Files](usmt-log-files.md)
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 816652d904..e8fd16c69f 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -2,162 +2,147 @@
 title: ScanState Syntax (Windows 10)
 description: The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# ScanState Syntax
+# ScanState syntax
 
-The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
+The `ScanState.exe` command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. This article discusses the `ScanState.exe` command syntax and the options available with it.
 
-## In This Topic
+## Before you begin
 
-[Before You Begin](#bkmk-beforeyoubegin)
+Before you run the `ScanState.exe` command, note the  items:
 
-[Syntax](#bkmk-syntax)
+- To ensure that all operating system settings migrate, in most cases you must run the `ScanState.exe` commands in administrator mode from an account with administrative credentials.
 
-[Storage Options](#bkmk-storageoptions)
+- If you encrypt the migration store, you'll be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information isn't kept anywhere in the migration store. You'll need this information when you run the `LoadState.exe` command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message.
 
-[Migration Rule Options](#bkmk-migrationruleoptions)
+- For information about software requirements for running the `ScanState.exe` command, see [USMT requirements](usmt-requirements.md).
 
-[Monitoring Options](#bkmk-monitoringoptions)
+- Unless otherwise noted, you can use each option only once when running a tool on the command line.
 
-[User Options](#bkmk-useroptions)
+- You can gather domain accounts without the source computer having domain controller access. This functionality is available without any extra configuration.
 
-[Encrypted File Options](#bkmk-efs)
+- The [Incompatible command-line options](#incompatible-command-line-options) table lists which options you can use together and which command-line options are incompatible.
 
-[Incompatible Command-Line Options](#bkmk-iclo)
+- The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan.
 
-## <a href="" id="bkmk-beforeyoubegin"></a>Before You Begin
+## Syntax
 
-Before you run the **ScanState** command, note the following:
+This section explains the syntax and usage of the command-line options available when you use the `ScanState.exe` command. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator.
 
--   To ensure that all operating system settings migrate, in most cases you must run the **ScanState** commands in administrator mode from an account with administrative credentials.
+The `ScanState.exe` command's syntax is:
 
--   If you encrypt the migration store, you will be required to enter an encryption key or a path to a file containing the encryption key. Be sure to make note of the key or the key file location, because this information is not kept anywhere in the migration store. You will need this information when you run the LoadState command to decrypt the migration store, or if you need to run the recovery utility. An incorrect or missing key or key file results in an error message.
+> ScanState.exe \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
 
--   For information about software requirements for running the **ScanState** command, see [USMT Requirements](usmt-requirements.md).
+For example, to create a `Config.xml` file in the current directory, use:
 
--   Unless otherwise noted, you can use each option only once when running a tool on the command line.
+```cmd
+ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13
+```
 
--   You can gather domain accounts without the source computer having domain controller access. This functionality is available without any extra configuration.
+To create an encrypted store using the `Config.xml` file and the default migration .xml files, use:
 
--   The [Incompatible Command-Line Options](#bkmk-iclo) table lists which options you can use together and which command-line options are incompatible.
+`ScanState.exe \\server\share\migration\mystore /i:MigApp.xml /i:MigDocs.xml /o /config:Config.xml /v:13 /encrypt /key:"mykey"`
 
--   The directory location where you save the migration store will be excluded from the scan. For example, if you save the migration store to the root of the D drive, the D drive and all of its subdirectories will be excluded from the scan.
-
-## <a href="" id="bkmk-syntax"></a>Syntax
-
-This section explains the syntax and usage of the **ScanState** command-line options. The options can be specified in any order. If the option contains a parameter, you can use either a colon or a space separator.
-
-The **ScanState** command's syntax is:
-
-> scanstate \[*StorePath*\] \[/apps\] \[/ppkg:*FileName*\] \[/i:\[*Path*\\\]*FileName*\] \[/o\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/localonly\] \[/encrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsBeforeRetry*\] \[/c\] \[/p\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/efs:abort|skip|decryptcopy|copyraw\] \[/genconfig:\[*Path*\\\]*FileName*\[/config:\[*Path*\\\]*FileName*\] \[/?|help\]
-
-For example, to create a Config.xml file in the current directory, use:
-
-`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`
-
-To create an encrypted store using the Config.xml file and the default migration .xml files, use:
-
-`scanstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /o /config:config.xml /v:13 /encrypt /key:"mykey"`
-
-## <a href="" id="bkmk-storageoptions"></a>Storage Options
+## Storage options
 
 | Command-Line Option | Description |
 |-----|-----|
-| *StorePath* | Indicates a folder where files and settings will be saved. Note that *StorePath* cannot be **C:&#92;**. You must specify the *StorePath* option in the **ScanState** command, except when using the **/genconfig** option. You cannot specify more than one *StorePath* location. |
+| *StorePath* | Indicates a folder where files and settings will be saved. *StorePath* can't be `C:\`. You must specify the *StorePath* option in the `ScanState.exe` command, except when using the `/genconfig` option. You can't specify more than one *StorePath* location. |
 | **/apps** | Scans the image for apps and includes them and their associated registry settings. |
 | **/ppkg** [*&lt;FileName&gt;*] | Exports to a specific file location. |
-| **/o** | Required to overwrite any existing data in the migration store or Config.xml file. If not specified, the **ScanState** command will fail if the migration store already contains data. You cannot use this option more than once on a command line. |
-| **/vsc** | This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the **&lt;ErrorControl&gt;** section. <br/><br/>This option can be used only with the ScanState executable file and cannot be combined with the **/hardlink** option. |
-| **/hardlink** | Enables the creation of a hard-link migration store at the specified location. The **/nocompress** option must be specified with the **/hardlink** option. |
-| **/encrypt** [{**/key:** *&lt;KeyString&gt;* &#124; **/keyfile**:*&lt;file&gt;*]} | Encrypts the store with the specified key. Encryption is disabled by default. With this option, you will need to specify the encryption key-in one of the following ways: <ul><li>**/key:** *KeyString* specifies the encryption key. If there is a space in *KeyString*, you will need to surround *KeyString* with quotation marks.</li><li>**/keyfile:** *FilePathAndName* specifies a text (.txt) file that contains the encryption key.</li></ul> <br/>We recommend that *KeyString* be at least eight characters long, but it cannot exceed 256 characters. The **/key** and **/keyfile** options cannot be used on the same command line. The **/encrypt** and **/nocompress** options cannot be used on the same command line. <div class="alert">**Important**<br/>You should use caution with this option, because anyone who has access to the **ScanState** command-line script will also have access to the encryption key.</div> <br/>The following example shows the ScanState command and the **/key** option: <br/>`scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey` |
-| **/encrypt**:*&lt;EncryptionStrength&gt;* | The **/encrypt** option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). |
-| **/nocompress** | Disables compression of data and saves the files to a hidden folder named &quot;File&quot; at *StorePath*\USMT. Compression is enabled by default. Combining the **/nocompress** option with the **/hardlink** option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the **/nocompress** option with the **/hardlink** option. <br/><br/>The **/nocompress** and **/encrypt** options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the **LoadState** command will migrate each file directly from the store to the correct location on the destination computer without a temporary location. <br/><br/>For example:<br/>`scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress` |
+| **/o** | Required to overwrite any existing data in the migration store or `Config.xml` file. If not specified, the `ScanState.exe` command will fail if the migration store already contains data. You can't use this option more than once on a command line. |
+| **/vsc** | This option enables the volume shadow-copy service to migrate files that are locked or in use. This command-line option eliminates most file-locking errors that are typically encountered by the **&lt;ErrorControl&gt;** section. <br/><br/>This option is only used with the **ScanState** executable file and can't be combined with the `/hardlink` option. |
+| **/hardlink** | Enables the creation of a hard-link migration store at the specified location. The `/nocompress` option must be specified with the `/hardlink` option. |
+| **/encrypt** [{**/key:** *&lt;KeyString&gt;* &#124; **/keyfile**:*&lt;file&gt;*]} | Encrypts the store with the specified key. Encryption is disabled by default. With this option, you'll need to specify the encryption key-in one of the following ways: <ul><li>`/key`: *KeyString* specifies the encryption key. If there's a space in *KeyString*, you'll need to surround *KeyString* with quotation marks (`"`).</li><li>`/keyfile`: *FilePathAndName* specifies a text (`.txt`) file that contains the encryption key.</li></ul> <br/>*KeyString* is recommended to be at least eight characters long, but it can't exceed 256 characters. The `/key` and `/keyfile` options can't be used on the same command line. The `/encrypt` and `/nocompress` options can't be used on the same command line. <div class="alert">**Important**<br/>Use caution when using the `/key` or `keyfile` options. For example, anyone who has access to scripts that run the `ScanState.exe` command with these options will also have access to the encryption key.</div> <br/>The following example shows the `ScanState.exe` command and the `/key` option: <br/>`ScanState.exe /i:MigDocs.xml /i:MigApp.xml \server\share\migration\mystore /encrypt /key:mykey` |
+| **/encrypt**:*&lt;EncryptionStrength&gt;* | The `/encrypt` option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). |
+| **/nocompress** | Disables compression of data and saves the files to a hidden folder named &quot;File&quot; at *StorePath*\USMT. Compression is enabled by default. Combining the `/nocompress` option with the `/hardlink` option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you're combining the `/nocompress` option with the `/hardlink` option. <br/><br/>The `/nocompress` and `/encrypt` options can't be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the `LoadState.exe` command will migrate each file directly from the store to the correct location on the destination computer without a temporary location. <br/><br/>For example:<br/>`ScanState.exe /i:MigDocs.xml /i:MigApp.xml \server\share\migration\mystore /nocompress` |
 
-## <a href="" id="run-the-scanstate-command-on-an-offline-windows-system-"></a>Run the ScanState Command on an Offline Windows System
+## Run the ScanState command on an offline Windows system
 
-You can run the **ScanState** command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the **ScanState** command in WinPE or a Windows.old directory when you run the **ScanState** command in Windows.
+You can run the `ScanState.exe` command in Windows Preinstallation Environment (WinPE). In addition, USMT supports migrations from previous installations of Windows contained in Windows.old directories. The offline directory can be a Windows directory when you run the `ScanState.exe` command in WinPE or a Windows.old directory when you run the `ScanState.exe` command in Windows.
 
-There are several benefits to running the **ScanState** command on an offline Windows image, including:
+There are several benefits to running the `ScanState.exe` command on an offline Windows image, including:
 
--   **Improved Performance.**
+- **Improved performance.**
 
-    Because WinPE is a thin operating system, there are fewer running services. In this environment, the **ScanState** command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly.
+    Because WinPE is a thin operating system, there are fewer running services. In this environment, the `ScanState.exe` command has more access to the local hardware resources, enabling **ScanState** to perform migration operations more quickly.
 
--   **Simplified end to end deployment process.**
+- **Simplified end to end deployment process.**
 
     Migrating data from Windows.old simplifies the end-to-end deployment process by enabling the migration process to occur after the new operating system is installed.
 
--   **Improved success of migration.**
+- **Improved success of migration.**
 
-    The migration success rate is increased because files will not be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system.
+    The migration success rate is increased because files won't be locked for editing while offline, and because WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system.
 
--   **Ability to recover an unbootable computer.**
+- **Ability to recover an unbootable computer.**
 
     It might be possible to recover and migrate data from an unbootable computer.
 
-## Offline Migration Options
+## Offline migration options
 
 |Command-Line Option|Definition|
 |--- |--- |
-|**/offline:** *"path to an offline.xml file"*|This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.|
-|**/offlinewindir:** *"path to a Windows directory"*|This option specifies the offline Windows directory that the **ScanState** command gathers user state from. The offline directory can be Windows.old when you run the **ScanState** command in Windows or a Windows directory when you run the **ScanState** command in WinPE.|
-|**/offlinewinold:** *"Windows.old directory"*|This command-line option enables the offline migration mode and starts the migration from the location specified. It is only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.|
+|**/offline:** *"path to an Offline.xml file"*|This option is used to define a path to an offline .xml file that might specify other offline migration options, for example, an offline Windows directory or any domain or folder redirection required in your migration.|
+|**/offlinewindir:** *"path to a Windows directory"*|This option specifies the offline Windows directory that the `ScanState.exe` command gathers user state from. The offline directory can be Windows.old when you run the `ScanState.exe` command in Windows or a Windows directory when you run the `ScanState.exe` command in WinPE.|
+|**/offlinewinold:** *"Windows.old directory"*|This command-line option enables the offline migration mode and starts the migration from the location specified. It's only intended to be used in Windows.old migration scenarios, where the migration is occurring from a Windows.old directory.|
 
-## <a href="" id="bkmk-migrationruleoptions"></a>Migration Rule Options
+## Migration rule options
 
 USMT provides the following options to specify what files you want to migrate.
 
 | Command-Line Option | Description |
 |-----|-----|
-| **/i:**[*Path*]*FileName* | **(include)** <br/><br/>Specifies an .xml file that contains rules that define what user, application, or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* must be located in the current directory. For more information about which files to specify, see the &quot;XML Files&quot; section of the [Frequently Asked Questions](usmt-faq.yml) topic. |
-| **/genconfig:**[*Path*]*FileName* | (Generate **Config.xml**) <br/><br/>Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications, and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the **/i** option, when you specify this option.<br/><br/>After you create this file, you will need to make use of it with the **ScanState** command using the **/config** option.<br/><br/>The only options that you can specify with this option are the **/i**, **/v**, and **/l** options. You cannot specify *StorePath*, because the **/genconfig** option does not create a store. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.<br/><br/>Examples: <ul><li>The following example creates a Config.xml file in the current directory:<br/>`scanstate /i:migapp.xml /i:migdocs.xml /genconfig:config.xml /v:13`</li></ul> |
-| **/config:**[*Path*]*FileName* | Specifies the Config.xml file that the **ScanState** command should use to create the store. You cannot use this option more than once on the command line. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* must be located in the current directory.<br/><br/>The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:<br/>`scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log`<br/><br/>The following example migrates the files and settings to the destination computer using the **Config.xml**, **MigDocs.xml**, and **MigApp.xml** files:<br/>`loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log` |
-| **/auto:** *path to script files* | This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The **/auto** option has the same effect as using the following options: **/i: MigDocs.xml** **/i:MigApp.xml /v:5**. |
-| **/genmigxml:** *path to a file* | This option specifies that the **ScanState** command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the **ScanState** command is running. |
-| **/targetwindows8** | Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command-line option in the following scenarios: <ul><li>**To create a Config.xml file by using the /genconfig option.** Using the **/targetwindows8** option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.</li><li>**To create a migration store.** Using the **/targetwindows8** option ensures that the ScanState tool gathers the correct set of operating system settings. Without the **/targetwindows8** command-line option, some settings can be lost during the migration.</li></ul> |
-| **/targetwindows7** | Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command-line option in the following scenarios: <ul><li>**To create a Config.xml file by using the /genconfig option.** Using the **/targetwindows7** option optimizes the Config.xml file so that it only contains components that relate to Windows 7.</li><li>**To create a migration store.** Using the **/targetwindows7** option ensures that the ScanState tool gathers the correct set of operating system settings. Without the **/targetwindows7** command-line option, some settings can be lost during the migration.</li></ul> |
-| **/localonly** | Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the **/localonly** option is not specified, then the **ScanState** command will copy files from these removable or network drives into the store.<br/><br/>Anything that is not considered a fixed drive by the OS will be excluded by **/localonly**. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md).<br/><br/>The **/localonly** command-line option includes or excludes data in the migration as identified in the following:<ul><li>**Removable drives such as a USB flash drive** - Excluded</li><li>**Network drives** - Excluded</li><li>**Fixed drives** - Included</li></ul>|
+| **/i:**[*Path*]*FileName* | **(include)** <br/><br/>Specifies an .xml file that contains rules that define what user, application, or system state to migrate. You can specify this option multiple times to include all of your .xml files (`MigApp.xml`, `MigDocs.xml`, and any custom .xml files that you create). *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* must be located in the current directory. For more information about which files to specify, see the &quot;XML Files&quot; section of the [Frequently asked questions](usmt-faq.yml) article. |
+| **/genconfig:**[*Path*]*FileName* | (Generate **Config.xml**) <br/><br/>Generates the optional `Config.xml` file, but doesn't create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications, and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the **/i** option, when you specify this option.<br/><br/>After you create this file, you'll need to make use of it with the `ScanState.exe` command using the **/config** option.<br/><br/>The only options that you can specify with this option are the `/i`, `/v`, and `/l` options. You can't specify *StorePath*, because the `/genconfig` option doesn't create a store. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* will be created in the current directory.<br/><br/>Examples: <ul><li>The following example creates a `Config.xml` file in the current directory:<br/>`ScanState.exe /i:MigApp.xml /i:MigDocs.xml /genconfig:Config.xml /v:13`</li></ul> |
+| **/config:**[*Path*]*FileName* | Specifies the `Config.xml` file that the `ScanState.exe` command should use to create the store. You can't use this option more than once on the command line. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* must be located in the current directory.<br/><br/>The following example creates a store using the `Config.xml` file, `MigDocs.xml`, and `MigApp.xml` files:<br/>`ScanState.exe \server\share\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:ScanState.log`<br/><br/>The following example migrates the files and settings to the destination computer using the `Config.xml`, `MigDocs.xml`, and `MigApp.xml` files:<br/>`LoadState.exe  \server\share\migration\mystore /config:Config.xml /i:MigDocs.xml /i:MigApp.xml /v:13 /l:LoadState.log` |
+| **/auto:** *path to script files* | This option enables you to specify the location of the default .xml files and then begin the migration. If no path is specified, USMT will reference the directory where the USMT binaries are located. The `/auto` option has the same effect as using the following options: `/i: MigDocs.xml /i:MigApp.xml /v:5`. |
+| **/genmigxml:** *path to a file* | This option specifies that the `ScanState.exe` command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the `ScanState.exe` command is running. |
+| **/targetwindows8** | Optimizes `ScanState.exe` when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command-line option in the following scenarios: <ul><li>**To create a `Config.xml` file by using the `/genconfig` option.** Using the `/targetwindows8` option optimizes the `Config.xml` file so that it only contains components that relate to Windows 8 or Windows 8.1.</li><li>**To create a migration store.** Using the `/targetwindows8` option ensures that the **ScanState** tool gathers the correct set of operating system settings. Without the `/targetwindows8` command-line option, some settings can be lost during the migration.</li></ul> |
+| **/targetwindows7** | Optimizes `ScanState.exe` when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command-line option in the following scenarios: <ul><li>**To create a `Config.xml` file by using the `/genconfig` option.** Using the **/targetwindows7** option optimizes the `Config.xml` file so that it only contains components that relate to Windows 7.</li><li>**To create a migration store.** Using the `/targetwindows7` option ensures that the **ScanState** tool gathers the correct set of operating system settings. Without the `/targetwindows7` command-line option, some settings can be lost during the migration.</li></ul> |
+| **/localonly** | Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the `/localonly` option isn't specified, then the `ScanState.exe` command will copy files from these removable or network drives into the store.<br/><br/>Anything that isn't considered a fixed drive by the OS will be excluded by `/localonly`. In some cases, large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom .xml file. For more information about how to exclude all files on a specific drive, see [Exclude files and settings](usmt-exclude-files-and-settings.md).<br/><br/>The `/localonly` command-line option includes or excludes data in the migration as identified in the following storage locations:<ul><li>**Removable drives such as a USB flash drive** - Excluded</li><li>**Network drives** - Excluded</li><li>**Fixed drives** - Included</li></ul>|
 
-## <a href="" id="bkmk-monitoringoptions"></a>Monitoring Options
+## Monitoring options
 
 USMT provides several options that you can use to analyze problems that occur during migration.
 
 > [!NOTE]
-> The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option.
+> The **ScanState** log is created by default, but you can specify the name and location of the log with the **/l** option.
 
 | Command-Line Option | Description |
 |-----|-----|
-| **/listfiles**:&lt;FileName&gt; | You can use the **/listfiles** command-line option with the **ScanState** command to generate a text file that lists all of the files included in the migration. |
-| **/l:**[*Path*]*FileName* | Specifies the location and name of the ScanState log. <br/><br/>You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then the log will be created in the current directory. You can use the **/v** option to adjust the amount of output. <br/><br/>If you run the **ScanState** or **LoadState** commands from a shared network resource, you must specify this option or USMT will fail with the following error: &quot;USMT was unable to create the log file(s)&quot;. To fix this issue, use the /**l: scan.log** command. |
-| **/v:***&lt;VerbosityLevel&gt;* | **(Verbosity)**<br/><br/>Enables verbose output in the ScanState log file. The default value is 0. <br/><br/>You can set the *VerbosityLevel* to one of the following levels: <ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul> <br/>For example: <br/>`scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml`|
-| /**progress**:[*Path*]*FileName* | Creates the optional progress log. You cannot store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you do not specify the *Path* variable, then *FileName* will be created in the current directory.<br/><br/>For example: <br/>`scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log` |
-| **/c** | When this option is specified, the **ScanState** command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there is a large file that will not fit in the store, the **ScanState** command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the **/c** option, the **ScanState** command will exit on the first error.<br/><br/>You can use the new &lt;**ErrorControl**&gt; section in the Config.xml file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This advantage in the Config.xml file enables the /**c** command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /**genconfig** option now generates a sample &lt;**ErrorControl**&gt; section that is enabled by specifying error messages and desired behaviors in the Config.xml file. |
-| **/r:***&lt;TimesToRetry&gt;* | **(Retry)**<br/><br/>Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity is not reliable.<br/><br/>While storing the user state, the **/r** option will not be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. |
+| **/listfiles**:&lt;FileName&gt; | You can use the `/listfiles` command-line option with the `ScanState.exe` command to generate a text file that lists all of the files included in the migration. |
+| **/l:**[*Path*]*FileName* | Specifies the location and name of the **ScanState** log. <br/><br/>You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then the log will be created in the current directory. You can use the `/v` option to adjust the amount of output. <br/><br/>If you run the `ScanState.exe` command from a shared network resource, you must specify the `/l` option, or USMT will fail with the following error:<br><br>***USMT was unable to create the log file(s)***<br><br>To fix this issue, make sure to specify the `/l` option when running `ScanState.exe` from a shared network resource. |
+| **/v:***&lt;VerbosityLevel&gt;* | **(Verbosity)**<br/><br/>Enables verbose output in the **ScanState** log file. The default value is 0. <br/><br/>You can set the *VerbosityLevel* to one of the following levels: <ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul> <br/>For example: <br/>`ScanState.exe \server\share\migration\mystore /v:13 /i:MigDocs.xml /i:MigApp.xml`|
+| **/progress**:[*Path*]*FileName* | Creates the optional progress log. You can't store any of the log files in *StorePath*. *Path* can be either a relative or full path. If you don't specify the *Path* variable, then *FileName* will be created in the current directory.<br/><br/>For example: <br/>`ScanState.exe /i:MigApp.xml /i:MigDocs.xml \server\share\migration\mystore /progress:Progress.log /l:scanlog.log` |
+| **/c** | When this option is specified, the `ScanState.exe` command will continue to run, even if non-fatal errors occur. Any files or settings that cause an error are logged in the progress log. For example, if there's a large file that won't fit in the store, the `ScanState.exe` command will log an error and continue with the migration. In addition, if a file is open or in use by an application, USMT may not be able to migrate the file and will log an error. Without the `/c` option, the `ScanState.exe` command will exit on the first error.<br/><br/>You can use the new &lt;**ErrorControl**&gt; section in the `Config.xml` file to specify which file or registry read/write errors can be safely ignored and which might cause the migration to fail. This advantage in the `Config.xml` file enables the `/c` command-line option to safely skip all input/output (I/O) errors in your environment. In addition, the /`genconfig` option now generates a sample &lt;**ErrorControl**&gt; section that is enabled by specifying error messages and desired behaviors in the `Config.xml` file. |
+| **/r:***&lt;TimesToRetry&gt;* | **(Retry)**<br/><br/>Specifies the number of times to retry when an error occurs while saving the user state to a server. The default is three times. This option is useful in environments where network connectivity isn't reliable.<br/><br/>While storing the user state, the `/r` option won't be able to recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem. |
 | **/w:***&lt;SecondsBeforeRetry&gt;* | **(Wait)**<br/><br/>Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second. |
-| **/p:***&lt;pathToFile&gt;* | When the **ScanState** command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:<br/>`Scanstate.exe C:\MigrationLocation [additional parameters]`<br/>`/p:"C:\MigrationStoreSize.xml"`<br/><br/>For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).<br/><br/>To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the **/p** option, without specifying *&quot;pathtoafile&quot;*, in USMT. If you specify only the **/p** option, the storage space estimations are created in the same manner as with USMT3.x releases. |
-| /**?** or /**help** | Displays Help at the command line. |
+| **/p:***&lt;pathToFile&gt;* | When the `ScanState.exe` command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:<br/>`ScanState.exe C:\MigrationLocation [additional parameters]`<br/>`/p:"C:\MigrationStoreSize.xml"`<br/><br/>For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).<br/><br/>To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the `/p` option, without specifying *&quot;pathtoafile&quot;*, in USMT. If you specify only the `/p` option, the storage space estimations are created in the same manner as with USMT3.x releases. |
+| **/?** or **/help** | Displays Help at the command line. |
 
-## <a href="" id="bkmk-useroptions"></a>User Options
+## User options
 
-By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You cannot exclude users in the migration .xml files or using the Config.xml file. For more information, see [Identify Users](usmt-identify-users.md) and [Migrate User Accounts](usmt-migrate-user-accounts.md).
+By default, all users are migrated. The only way to specify which users to include and exclude is by using the following options. You can't exclude users in the migration .xml files or using the `Config.xml` file. For more information, see [Identify users](usmt-identify-users.md) and [Migrate user accounts](usmt-migrate-user-accounts.md).
 
 | Command-Line Option | Description |
 |-----|-----|
-| /**all** | Migrates all of the users on the computer. <br/><br/>USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /**ue** or /**uel** options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /**all** option, you cannot also use the /**ui**, /**ue** or /**uel** options. |
-| /**ui**:*&lt;DomainName&gt;*&#92;*&lt;UserName&gt;*<br/>or<br/>/**ui**:*&lt;ComputerName&gt;*&#92;*&lt;LocalUserName&gt;* | **(User include)** <br/><br/>Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /**ue** or /**uel** options. You can specify multiple /**ui** options, but you cannot use the /**ui** option with the /**all** option. *DomainName* and *UserName* can contain the asterisk (<em>) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks. <div class="alert">**Note**<br/>If a user is specified for inclusion with the /**ui** option, and also is specified to be excluded with either the /**ue** or /**uel** options, the user will be included in the migration.</div><br/>For example:<br/><ul><li>To include only User2 from the Fabrikam domain, type:<br/>`/ue:*\* /ui:fabrikam\user2`</li><li>To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:<br/>`/uel:30 /ui:fabrikam\*`<br/>In this example, a user account from the Contoso domain that was last modified two months ago will not be migrated.</li></ul><br/>For more examples, see the descriptions of the /**ue** and /**ui** options in this table. |
-| /**uel**:*&lt;NumberOfDays&gt;*<br/>or<br/>/**uel**:*&lt;YYYY/MM/DD&gt;*<br/>or<br/>**/uel:0** | **(User exclude based on last logon)**<br/><br/>Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The /**uel** option acts as an include rule. For example, the **/uel:30** option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.<br/><br/>You can specify the number of days or you can specify a date. You cannot use this option with the /**all** option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has signed in to another computer, that sign-in instance is not considered by USMT. <div class="alert">**Note**<br/>The /**uel** option is not valid in offline migrations.</div><ul><li>**/uel:0** migrates any users who are currently logged on.</li><li>**/uel:90** migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.</li><li>**/uel:1** migrates users whose account has been modified within the last 24 hours.</li><li>**/uel:2002/1/15** migrates users who have logged on or been modified January 15, 2002 or afterwards.</li></ul> <br/>For example: <br/>`scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0` |
-| /**ue**:*&lt;DomainName&gt;*&#92;*&lt;UserName&gt;*<br/>-or-<br/><br/>/**ue**:*&lt;ComputerName&gt;*&#92;*&lt;LocalUserName&gt;* | **(User exclude)**<br/><br/>Excludes the specified users from the migration. You can specify multiple /**ue** options. You cannot use this option with the /**all** option. *&lt;DomainName&gt;* and *&lt;UserName&gt;* can contain the asterisk (</em>) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.<br/><br/>For example:<br/>`scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1` |
+| **/all** | Migrates all of the users on the computer. <br/><br/>USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the `/ue` or `/uel` options. For this reason, you don't need to specify this option on the command line. However, if you choose to specify the `/all` option, you can't also use the `/ui`, `/ue` or `/uel` options. |
+| **/ui**:*&lt;DomainName&gt;*&#92;*&lt;UserName&gt;*<br/>or<br/>**/ui**:*&lt;ComputerName&gt;*&#92;*&lt;LocalUserName&gt;* | **(User include)** <br/><br/>Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the `/ue` or `/uel` options. You can specify multiple `/ui` options, but you can't use the `/ui` option with the `/all` option. *DomainName* and *UserName* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you'll need to surround it with quotation marks (`"`). <div class="alert">**Note**<br/>If a user is specified for inclusion with the `/ui` option and also specified to be excluded with either the `/ue` or `/uel` options, the user will be included in the migration.</div><br/>For example:<br/><ul><li>To include only **User2** from the Fabrikam domain, enter:<br/><br/>`/ue:*\* /ui:fabrikam\user2`<br/><br/></li><li>To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, enter:<br/><br/>`/uel:30 /ui:fabrikam\*`<br/><br/>In this example, a user account from the Contoso domain that was last modified two months ago won't be migrated.</li></ul><br/>For more examples, see the descriptions of the `/ue` and `/ui` options in this table. |
+| **/uel**:*&lt;NumberOfDays&gt;*<br/>or<br/>**/uel**:*&lt;YYYY/MM/DD&gt;*<br/>or<br/>**/uel:0** | **(User exclude based on last logon)**<br/><br/>Migrates the users that logged on to the source computer within the specified time period, based on the **Last Modified** date of the Ntuser.dat file on the source computer. The `/uel` option acts as an include rule. For example, the `/uel:30` option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the `ScanState.exe` command is run.<br/><br/>You can specify the number of days or you can specify a date. You can't use this option with the `/all` option. USMT retrieves the last sign-in information from the local computer, so the computer doesn't need to be connected to the network when you run this option. In addition, if a domain user has signed in to another computer, that sign-in instance isn't considered by USMT. <div class="alert">**Note**<br/>The `/uel` option isn't valid in offline migrations.</div><ul><li>`/uel:0` migrates any users who are currently logged on.</li><li>`/uel:90` migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.</li><li>`/uel:1` migrates users whose account has been modified within the last 24 hours.</li><li>`/uel:2020/2/15` migrates users who have logged on or been modified February 15, 2020 or afterwards.</li></ul> <br/>For example: <br/>`ScanState.exe /i:MigApp.xml /i:MigDocs.xml \\server\share\migration\mystore /uel:0` |
+| **/ue**:*&lt;DomainName&gt;*&#92;*&lt;UserName&gt;*<br/>-or-<br/><br/>**/ue**:*&lt;ComputerName&gt;*&#92;*&lt;LocalUserName&gt;* | **(User exclude)**<br/><br/>Excludes the specified users from the migration. You can specify multiple `/ue` options. You can't use this option with the `/all` option. *&lt;DomainName&gt;* and *&lt;UserName&gt;* can contain the asterisk (`*`) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks (`"`).<br/><br/>For example:<br/>`ScanState.exe /i:MigDocs.xml /i:MigApp.xml \\server\share\migration\mystore /ue:contoso\user1` |
 
-## How to Use /ui and /ue
+## How to use /ui and /ue
 
-The following examples apply to both the /**ui** and /**ue** options. You can replace the /**ue** option with the /**ui** option to include, rather than exclude, the specified users.
+The following examples apply to both the `/ui` and `/ue` options. You can replace the `/ue` option with the `/ui` option to include, rather than exclude, the specified users.
 
 |Behavior|Command|
 |--- |--- |
@@ -168,73 +153,73 @@ The following examples apply to both the /**ui** and /**ue** options. You can re
 |Exclude all local users.|`/ue:%computername%\*`|
 |Exclude users in all domains named User1, User2, and so on.|`/ue:*\user*`|
 
-## Using the Options Together
+## Using the options together
 
-You can use the /**uel**, /**ue** and /**ui** options together to migrate only the users that you want migrated.
+You can use the `/uel`, `/ue` and `/ui` options together to migrate only the users that you want migrated.
 
-The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option.
+The `/ui` option has precedence over the `/ue` and `/uel` options. If a user is specified for inclusion with the `/ui` option and also specified to be excluded with either the `/ue` or `/uel` options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then **User1** will be migrated, because the `/ui` option takes precedence over the `/ue` option.
 
-The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
+The `/uel` option takes precedence over the `/ue` option. If a user has logged on within the specified time period set by the `/uel` option, that user's profile will be migrated even if they're excluded by using the `/ue` option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they've logged on to the computer within the last 14 days.
 
 |Behavior|Command|
 |--- |--- |
 |Include only User2 from the Fabrikam domain and exclude all other users.|`/ue:*\* /ui:fabrikam\user2`|
 |Include only the local user named User1 and exclude all other users.|`/ue:*\* /ui:user1`|
-|Include only the domain users from Contoso, except Contoso\User1.|This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following commands: <ul><li>On the **ScanState** command line, type: `/ue:*\* /ui:contoso\*`</li><li>On the **LoadState** command line, type: `/ue:contoso\user1`</li></ul>|
+|Include only the domain users from Contoso, except Contoso\User1.|This behavior can't be completed using a single command. Instead, to migrate this set of users, you'll need to specify the following commands: <ul><li>On the `ScanState.exe` command line, enter:<br/> `/ue:*\* /ui:contoso\*`<br/></li><li>On the `LoadState.exe` command line, enter:<br/>`/ue:contoso\user1`</li></ul>|
 |Include only local (non-domain) users.|`/ue:*\* /ui:%computername%\*`|
 
-## <a href="" id="bkmk-efs"></a>Encrypted File Options
+## Encrypted file options
 
-You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an /**efs** option. To migrate encrypted files, you must change the default behavior.
+You can use the following options to migrate encrypted files. In all cases, by default, USMT fails if an encrypted file is found unless you specify an `/efs` option. To migrate encrypted files, you must change the default behavior.
 
 For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).
 
-> [!NOTE] 
-> EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files
+> [!NOTE]
+> EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the `/efs:copyraw` option with the `ScanState.exe` command to migrate the encrypted files
 
-> [!CAUTION] 
+> [!CAUTION]
 > Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration.
 
 | Command-Line Option | Explanation |
 |----|----|
-| **/efs:hardlink** | Creates a hard link to the EFS file instead of copying it. Use only with the **/hardlink** and the **/nocompress** options. |
-| **/efs:abort** | Causes the **ScanState** command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default. |
-| **/efs:skip** | Causes the **ScanState** command to ignore EFS files. |
-| /**efs:decryptcopy** | Causes the **ScanState** command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file cannot be decrypted. If the **ScanState** command succeeds, the file will be unencrypted in the migration store, and once you run the **LoadState** command, the file will be copied to the destination computer. |
-| **/efs:copyraw** | Causes the **ScanState** command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an **/efs** option. Therefore you should specify the **/efs:copyraw** option with the **ScanState** command to migrate the encrypted file. Then, when you run the **LoadState** command, the encrypted file and the EFS certificate will be automatically migrated.<br/><br/>For example: <br/>`ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw` <div class="alert">**Important** <br/>All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).</div>|
+| **/efs:hardlink** | Creates a hard link to the EFS file instead of copying it. Use only with the `/hardlink` and the `/nocompress` options. |
+| **/efs:abort** | Causes the `ScanState.exe` command to fail with an error code, if an Encrypting File System (EFS) file is found on the source computer. Enabled by default. |
+| **/efs:skip** | Causes the `ScanState.exe` command to ignore EFS files. |
+| **/efs:decryptcopy** | Causes the `ScanState.exe` command to decrypt the file, if possible, before saving it to the migration store, and to fail if the file can't be decrypted. If the `ScanState.exe` command succeeds, the file will be unencrypted in the migration store, and once you run the `LoadState.exe` command, the file will be copied to the destination computer. |
+| **/efs:copyraw** | Causes the `ScanState.exe` command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an `/efs` option. Therefore you should specify the `/efs:copyraw` option with the `ScanState.exe` command to migrate the encrypted file. Then, when you run the `LoadState.exe` command, the encrypted file and the EFS certificate will be automatically migrated.<br/><br/>For example: <br/>`ScanState.exe /i:MigDocs.xml /i:MigApp.xml \server\share\migration\mystore /efs:copyraw` <div class="alert">**Important** <br/>All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the **LoadState** tool. For more information, see [Migrate EFS files and certificates](usmt-migrate-efs-files-and-certificates.md).</div>|
 
-## <a href="" id="bkmk-iclo"></a>Incompatible Command-Line Options
+## Incompatible command-line options
 
-The following table indicates which command-line options are not compatible with the **ScanState** command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options are not compatible. For example, you cannot use the **/nocompress** option with the **/encrypt** option.
+The following table indicates which command-line options aren't compatible with the `ScanState.exe` command. If the table entry for a particular combination is blank, the options are compatible and you can use them together. The X symbol means that the options aren't compatible. For example, you can't use the `/nocompress` option with the `/encrypt` option.
 
 |Command-Line Option|/keyfile|/nocompress|/genconfig|/all|
 |--- |--- |--- |--- |--- |
 |**/i**|||||
 |**/o**|||||
 |**/v**|||||
-|/**nocompress**||||N/A|
-|/**localonly**|||X||
-|/**key**|X||X||
-|/**encrypt**|Required*|X|X||
-|/**keyfile**|N/A||X||
-|/**l**|||||
-|/**progress**|||X||
-|/**r**|||X||
-|/**w**|||X||
-|/**c**|||X||
-|/**p**|||X|N/A|
-|/**all**|||X||
-|/**ui**|||X|X|
-|/**ue**|||X|X|
-|/**uel**|||X|X|
-|/**efs**:*&lt;option&gt;*|||X||
-|/**genconfig**|||N/A||
-|/**config**|||X||
+|**/nocompress**||||N/A|
+|**/localonly**|||X||
+|**/key**|X||X||
+|**/encrypt**|Required*|X|X||
+|**/keyfile**|N/A||X||
+|**/l**|||||
+|**/progress**|||X||
+|**/r**|||X||
+|**/w**|||X||
+|**/c**|||X||
+|**/p**|||X|N/A|
+|**/all**|||X||
+|**/ui**|||X|X|
+|**/ue**|||X|X|
+|**/uel**|||X|X|
+|**/efs**:*&lt;option&gt;*|||X||
+|**/genconfig**|||N/A||
+|**/config**|||X||
 |*&lt;StorePath&gt;*|||X||
 
-> [!NOTE] 
-> You must specify either the /**key** or /**keyfile** option with the /**encrypt** option.
+> [!NOTE]
+> You must specify either the `/key` or `/keyfile` option with the `/encrypt` option.
 
-## Related topics
+## Related articles
 
 [XML Elements Library](usmt-xml-elements-library.md)
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index eb4cd7306c..2504eabb75 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -2,51 +2,53 @@
 title: User State Migration Tool (USMT) Technical Reference (Windows 10)
 description: The User State Migration Tool (USMT) provides a highly customizable user-profile migration experience for IT professionals.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-deploy
 ---
 
-# User State Migration Tool (USMT) Technical Reference
-The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
+# User State Migration Tool (USMT) technical reference
 
-Download the Windows ADK [from this website](/windows-hardware/get-started/adk-install).
+The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
 
-**USMT support for Microsoft Office**
->USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.<BR>
->USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016.
+Download the Windows ADK [from this website](/windows-hardware/get-started/adk-install).
+
+## USMT support for Microsoft Office
+
+- USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
+
+- USMT in the Windows ADK for Windows 10, version 1607 (10.1.14393.0) adds support for migration of user settings for installations of Microsoft Office 2016.
 
 USMT includes three command-line tools:
 
--   ScanState.exe<BR>
--   LoadState.exe<BR>
--   UsmtUtils.exe
+- ScanState.exe
+- LoadState.exe
+- UsmtUtils.exe
 
 USMT also includes a set of three modifiable .xml files:
 
--   MigApp.xml<BR>
--   MigDocs.xml<BR>
--   MigUser.xml
+- MigApp.xml
+- MigDocs.xml
+- MigUser.xml
 
-Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
+Additionally, you can create custom .xml files to support your migration needs. You can also create a `Config.xml` file to specify files or settings to exclude from the migration.
 
-USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User's Guide](/previous-versions/windows/server/dd560801(v=ws.10)).
+USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) overview](/previous-versions/windows/hh825227(v=win.10)).
 
 ## In this section
-|Topic |Description|
-|------|-----------|
-|[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)|Describes what's new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.|
-|[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT, as well as how-to topics for conducting tasks in USMT.|
-|[User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT, as well as a reference for return codes used in USMT.|
-|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.|
 
-## Related topics
+| Link | Description |
+|------ |----------- |
+|[User State Migration Tool (USMT) overview topics](usmt-topics.md)|Describes what's new in USMT, how to get started with USMT, and the benefits and limitations of using USMT.|
+|[User State Migration Tool (USMT) how-to topics](usmt-how-to.md)|Includes step-by-step instructions for using USMT and how-to topics for conducting tasks in USMT.|
+|[User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)|Provides answers to frequently asked questions and common issues in USMT and a reference for return codes used in USMT.|
+|[User State Migration Toolkit (USMT) reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.|
+
+## Related articles
+
 - [Windows Assessment and Deployment Kit](/previous-versions/windows/it-pro/windows-8.1-and-8/dn247001(v=win.10))
-
- 
-
- 
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index 928a7307d9..a26c2a25cd 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -1,41 +1,36 @@
 ---
 title: Test Your Migration (Windows 10)
-description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization. 
+description: Learn about testing your migration plan in a controlled laboratory setting before you deploy it to your entire organization.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Test Your Migration
+# Test your migration
 
+Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you're migrating data.
 
-Always test your migration plan in a controlled laboratory setting before you deploy it to your entire organization. In your test environment, you need at least one computer for each type of operating system from which you are migrating data.
+After you've thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate migration store size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store.
 
-After you have thoroughly tested the entire migration process on a single computer running each of your source operating systems, conduct a pilot migration with a small group of users. After migrating a few typical user states to the intermediate store, note the space required and adjust your initial calculations accordingly. For details about estimating the space needed for your migration, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). You might also need to adjust the registry-setting and file-location information in your migration-rule files. If you make changes, test the migration again. Then verify that all data and settings have migrated as expected. A pilot migration also gives you an opportunity to test your space estimates for the intermediate store.
+If your test migration encounters any errors, examine the **ScanState** and **LoadState** logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes). You can obtain more information about any listed **Windows** system error codes by typing in a command prompt window `net.exe helpmsg <error_number>`  where *<error_number>* is the error code number generated by the error message. For more information about System Error Codes, see [System Error Codes (0-499)](/windows/win32/debug/system-error-codes--0-499-).
 
-If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line.
+In most cases, the **ScanState** and **LoadState** logs indicate why a USMT migration is failing. We recommend that you use the `/v:5` option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger.
 
-In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**<em>:5</em> option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger.
+> [!NOTE]
+> Running the **ScanState** and **LoadState** tools with the `/v:5` option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred.
 
-**Note**  
-Running the ScanState and LoadState tools with the **/v**<em>:5</em> option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred.
+After you've determined that the pilot migration successfully migrated the specified files and settings, you're ready to add USMT to the server that is running Microsoft Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](/configmgr/osd/get-started/manage-user-state).
 
- 
+> [!NOTE]
+> For testing purposes, you can create an uncompressed store using the `/hardlink /nocompress` option. When compression is disabled, the **ScanState** tool saves the files and settings to a hidden folder named **File** at `<StorePath>\USMT`. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the `/listfiles` command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration.
 
-After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](/configmgr/osd/get-started/manage-user-state).
+## Related articles
 
-**Note**  
-For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration.
+[Plan your migration](usmt-plan-your-migration.md)
 
- 
-
-## Related topics
-
-
-[Plan Your Migration](usmt-plan-your-migration.md)
-
-[Log Files](usmt-log-files.md)
+[Log files](usmt-log-files.md)
diff --git a/windows/deployment/usmt/usmt-topics.md b/windows/deployment/usmt/usmt-topics.md
index 65146dd2ac..755df2c928 100644
--- a/windows/deployment/usmt/usmt-topics.md
+++ b/windows/deployment/usmt/usmt-topics.md
@@ -1,27 +1,30 @@
 ---
 title: User State Migration Tool (USMT) Overview Topics (Windows 10)
-description: Learn about User State Migration Tool (USMT) overview topics that describe USMT as a highly customizable user-profile migration experience for IT professionals.
+description: Learn about User State Migration Tool (USMT) overview articles that describe USMT as a highly customizable user-profile migration experience for IT professionals.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# User State Migration Tool (USMT) Overview Topics
-The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: ScanState.exe, LoadState.exe, and UsmtUtils.exe. USMT also includes a set of three modifiable .xml files: MigApp.xml, MigDocs.xml, and MigUser.xml. Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
+# User State Migration Tool (USMT) overview topics
 
-## In This Section
+The User State Migration Tool (USMT) 10.0 provides a highly customizable user-profile migration experience for IT professionals. USMT includes three command-line tools: `ScanState.exe`, `LoadState.exe`, and `UsmtUtils.exe`. USMT also includes a set of three modifiable .xml files: `MigApp.xml`, `MigDocs.xml`, and `MigUser.xml`. Additionally, you can create custom .xml files to support your migration needs. You can also create a `Config.xml` file to specify files or settings to exclude from the migration.
 
-|Topic |Description|
-|------|-----------|
-|[User State Migration Tool (USMT) Overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
-|[Getting Started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
-|[Windows Upgrade and Migration Considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.|
+## In this section
 
-## Related topics
-- [User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
-- [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md)
-- [User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+| Link | Description |
+|------ |----------- |
+|[User State Migration Tool (USMT) overview](usmt-overview.md)|Describes the benefits and limitations of using USMT.|
+|[Getting started with the User State Migration Tool (USMT)](getting-started-with-the-user-state-migration-tool.md)|Describes the general process to follow to migrate files and settings, and provides links to more information.|
+|[Windows upgrade and migration considerations](../upgrade/windows-upgrade-and-migration-considerations.md)|Discusses the Microsoft® tools you can use to move files and settings between installations and special considerations for performing an upgrade or migration.|
+
+## Related articles
+
+- [User State Migration Tool (USMT) how-to topics](usmt-how-to.md)
+- [User State Migration Tool (USMT) troubleshooting](usmt-troubleshooting.md)
+- [User State Migration Toolkit (USMT) reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md
index 78dbd791cf..ede8f237ec 100644
--- a/windows/deployment/usmt/usmt-troubleshooting.md
+++ b/windows/deployment/usmt/usmt-troubleshooting.md
@@ -1,35 +1,36 @@
 ---
 title: User State Migration Tool (USMT) Troubleshooting (Windows 10)
-description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to assist in troubleshooting.
+description: Learn about topics that address common User State Migration Tool (USMT) 10.0 issues and questions to help troubleshooting.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# User State Migration Tool (USMT) Troubleshooting
+# User State Migration Tool (USMT) troubleshooting
 
-The following table describes topics that address common User State Migration Tool (USMT) 10.0 issues and questions. These topics describe tools that you can use to troubleshoot issues that arise during your migration.
+The following table describes articles that address common User State Migration Tool (USMT) 10.0 issues and questions. These articles describe tools that you can use to troubleshoot issues that arise during your migration.
 
-## In This Section
+## In this section
 
 | Link | Description |
 |--- |--- |
-|[Common Issues](usmt-common-issues.md)|Find troubleshooting solutions for common problems in USMT.|
+|[Common Issues](/troubleshoot/windows-client/deployment/usmt-common-issues)|Find troubleshooting solutions for common problems in USMT.|
 |[Frequently Asked Questions](usmt-faq.yml)|Find answers to questions about how to use USMT.|
 |[Log Files](usmt-log-files.md)|Learn how to enable logging to help you troubleshoot issues in USMT.|
-|[Return Codes](usmt-return-codes.md)|Learn how to use return codes to identify problems in USMT.|
+|[Return Codes](/troubleshoot/windows-client/deployment/usmt-return-codes)|Learn how to use return codes to identify problems in USMT.|
 |[USMT Resources](usmt-resources.md)|Find more information and support for using USMT.|
 
-## Related topics
+## Related articles
 
-[USMT Best Practices](usmt-best-practices.md)
+[USMT best practices](usmt-best-practices.md)
 
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+[User State Migration Tool (USMT) overview topics](usmt-topics.md)
 
-[User State Migration Tool (USMT) How-to topics](usmt-how-to.md)
+[User State Migration Tool (USMT) how-to topics](usmt-how-to.md)
 
-[User State Migration Toolkit (USMT) Reference](usmt-reference.md)
+[User State Migration Toolkit (USMT) reference](usmt-reference.md)
diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md
index 158700b4ee..cb67fc466b 100644
--- a/windows/deployment/usmt/usmt-utilities.md
+++ b/windows/deployment/usmt/usmt-utilities.md
@@ -1,108 +1,100 @@
 ---
 title: UsmtUtils Syntax (Windows 10)
-description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface.
+description: Learn about the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # UsmtUtils Syntax
 
-This topic describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities:
+This article describes the syntax for the utilities available in User State Migration Tool (USMT) 10.0 through the command-line interface. These utilities:
 
--   Improve your ability to determine cryptographic options for your migration.
+- Improve your ability to determine cryptographic options for your migration.
 
--   Assist in removing hard-link stores that cannot otherwise be deleted due to a sharing lock.
+- Help removing hard-link stores that can't otherwise be deleted due to a sharing lock.
 
--   Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted.
+- Verify whether the catalog file or any of the other files in the compressed migration store have become corrupted.
 
--   Extract files from the compressed migration store when you migrate files and settings to the destination computer.
+- Extract files from the compressed migration store when you migrate files and settings to the destination computer.
 
-## In This Topic
+## UsmtUtils.exe
 
-[Usmtutils.exe](#bkmk-usmtutils-exe)
+The following table lists command-line options for `UsmtUtils.exe`. The sections that follow provide further command-line options for the `/verify` and the `/extract` options.
 
-[Verify Options](#bkmk-verifyoptions)
+The syntax for `UsmtUtils.exe` is:
 
-[Extract Options](#bkmk-extractoptions)
-
-## <a href="" id="bkmk-usmtutils-exe"></a>Usmtutils.exe
-
-The following table lists command-line options for USMTutils.exe. The sections that follow provide further command-line options for the **/verify** and the **/extract** options.
-
-The syntax for UsmtUtils.exe is:
-
-usmtutils \[/ec | /rd *&lt;storeDir&gt;* | /verify *&lt;filepath&gt;* \[options\] | /extract *&lt;filepath&gt;* *&lt;destinationPath&gt;* \[options\]\]
+> UsmtUtils.exe \[/ec | /rd *&lt;storeDir&gt;* | /verify *&lt;filepath&gt;* \[options\] | /extract *&lt;filepath&gt;* *&lt;destinationPath&gt;* \[options\]\]
 
 |Command-line Option|Description|
 |--- |--- |
-|**/ec**|Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this on a destination computer to determine which algorithm to use with the **/encrypt** command before you run the ScanState tool on the source computer.|
-|**/rd** *&lt;storeDir&gt;* |Removes the directory path specified by the *&lt;storeDir&gt;* argument on the computer. You can use this command to delete hard-link migration stores that cannot otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes. <br/><br/>For example:<br/>`usmtutils /rd D:\MyHardLinkStore`|
-|**/y**|Overrides the accept deletions prompt when used with the **/rd** option. When you use the **/y** option with the **/rd** option, you will not be prompted to accept the deletions before USMT deletes the directories.|
-|**/verify**|Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. <br/><br/>See [Verify Options](#bkmk-verifyoptions) for syntax and options to use with **/verify**.|
-|**/extract**|Recovers files from a compressed USMT migration store. <br/><br/>See [Extract Options](#bkmk-extractoptions) for syntax and options to use with **/extract**.|
+|**/ec**|Returns a list of supported cryptographic algorithms (AlgIDs) on the current system. You can use this option on a destination computer to determine which algorithm to use with the `/encrypt` command before you run the **ScanState** tool on the source computer.|
+|**/rd** *&lt;storeDir&gt;* |Removes the directory path specified by the *&lt;storeDir&gt;* argument on the computer. You can use this command to delete hard-link migration stores that can't otherwise be deleted at a command prompt due to a sharing lock. If the migration store spans multiple volumes on a given drive, it will be deleted from all of these volumes. <br/><br/>For example:<br/>`UsmtUtils.exe /rd D:\MyHardLinkStore`|
+|**/y**|Overrides the accept deletions prompt when used with the `/rd` option. When you use the `/y` option with the `/rd` option, you won't be prompted to accept the deletions before USMT deletes the directories.|
+|**/verify**|Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. <br/><br/>See [Verify options](#verify-options) for syntax and options to use with `/verify`.|
+|**/extract**|Recovers files from a compressed USMT migration store. <br/><br/>See [Extract options](#extract-options) for syntax and options to use with `/extract`.|
 
-## <a href="" id="bkmk-verifyoptions"></a>Verify Options
+## Verify options
 
-Use the **/verify** option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the **/verify** option, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md).
+Use the `/verify` option when you want to determine whether a compressed migration store is intact or whether it contains corrupted files or a corrupted catalog. For more information on how to use the `/verify` option, see [Verify the condition of a compressed migration store](verify-the-condition-of-a-compressed-migration-store.md).
 
-The syntax for **/verify** is:
+The syntax for `/verify` is:
 
-usmtutils /verify\[:*&lt;reportType&gt;*\] *&lt;filePath&gt;* \[/l:*&lt;logfile&gt;*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*&lt;AlgID&gt;*\] {/key:*&lt;keystring&gt;* | /keyfile:*&lt;filename&gt;*}\]
+> UsmtUtils.exe /verify\[:*&lt;reportType&gt;*\] *&lt;filePath&gt;* \[/l:*&lt;logfile&gt;*\] \[/v:*VerbosityLevel*\] \[/decrypt \[:*&lt;AlgID&gt;*\] {/key:*&lt;keystring&gt;* | /keyfile:*&lt;filename&gt;*}\]
 
 | Command-line Option | Description |
 |-----|--------|
-| *&lt;reportType&gt;* | Specifies whether to report on all files, corrupted files only, or the status of the catalog. <ul><li>**Summary**. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.</li><li>**all**. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either “CORRUPTED” or “OK” depending on the status of the file. The last entry reports the corruption status of the &quot;CATALOG&quot; of the store. A catalog file contains metadata for all files in a migration store. The LoadState tool requires a valid catalog file in order to open the migration store. Returns &quot;OK&quot; if the catalog file is intact and LoadState can open the migration store and &quot;CORRUPTED&quot; if the migration store is corrupted.</li><li>**failureonly**. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.</li><li>**Catalog**. Returns only the status of the catalog file.</li></ul> |
+| *&lt;reportType&gt;* | Specifies whether to report on all files, corrupted files only, or the status of the catalog. <ul><li>**Summary**. Returns both the number of files that are intact and the number of files that are corrupted in the migration store. If no algorithm is specified, the summary report is displayed as a default.</li><li>**all**. Returns a tab-delimited list of all of the files in the compressed migration store and the status for each file. Each line contains the file name followed by a tab spacing, and either **CORRUPTED** or **OK** depending on the status of the file. The last entry reports the corruption status of the **CATALOG** of the store. A catalog file contains metadata for all files in a migration store. The **LoadState** tool requires a valid catalog file in order to open the migration store. Returns &quot;OK&quot; if the catalog file is intact and **LoadState** can open the migration store and &quot;CORRUPTED&quot; if the migration store is corrupted.</li><li>**failureonly**. Returns a tab-delimited list of only the files that are corrupted in the compressed migration store.</li><li>**Catalog**. Returns only the status of the catalog file.</li></ul> |
 | **/l:** <br/>*&lt;logfilePath&gt;* | Specifies the location and name of the log file. |
-| **/v:** *&lt;VerbosityLevel&gt;* | **(Verbosity)**<br/><br/>Enables verbose output in the UsmtUtils log file. The default value is 0.<br/><br/>You can set the *VerbosityLevel* to one of the following levels:<br/><ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul> |
-| **/decrypt** *&lt;AlgID&gt;* **/**:*&lt;KeyString&gt;*<br/>or<br/>**/decrypt** *&lt;AlgID&gt;* **/**:*&lt;“Key String”&gt;*<br/>or<br/>**/decrypt:** *&lt;AlgID&gt;* **/keyfile**:*&lt;FileName&gt;* | Specifies that the **/encrypt** option was used to create the migration store with the ScanState tool. To decrypt the migration store, specify a **/key** or **/keyfile** option as follows:<br/><ul><li>*&lt;AlgID&gt;* specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.<br/>*&lt;AlgID&gt;* valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.</li><li>**/key:** *&lt;KeyString&gt;* specifies the encryption key. If there is a space in *&lt;KeyString&gt;*, you must surround the argument with quotation marks.</li><li>**/keyfile**: *&lt;FileName&gt;* specifies the location and name of a text (.txt) file that contains the encryption key.</li></ul><br/>For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md) |
+| **/v:** *&lt;VerbosityLevel&gt;* | **(Verbosity)**<br/><br/>Enables verbose output in the **UsmtUtils** log file. The default value is 0.<br/><br/>You can set the *VerbosityLevel* to one of the following levels:<br/><ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul> |
+| **/decrypt** *&lt;AlgID&gt;* **/**:*&lt;KeyString&gt;*<br/>or<br/>**/decrypt** *&lt;AlgID&gt;* **/**:*&lt;"Key String"&gt;*<br/>or<br/>**/decrypt:** *&lt;AlgID&gt;* **/keyfile**:*&lt;FileName&gt;* | Specifies that the `/encrypt` option was used to create the migration store with the **ScanState** tool. To decrypt the migration store, specify a `/key` or `/keyfile` option as follows:<br/><ul><li>*&lt;AlgID&gt;* specifies the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line. If no algorithm is specified, **ScanState** and **UsmtUtils** use the 3DES algorithm as a default.<br/>*&lt;AlgID&gt;* valid values include: `AES_128`, `AES_192`, `AES_256`, `3DES`, or `3DES_112`.</li><li> `/key:` *&lt;KeyString&gt;* specifies the encryption key. If there's a space in *&lt;KeyString&gt;*, you must surround the argument with quotation marks.</li><li> `/keyfile`: *&lt;FileName&gt;* specifies the location and name of a text (.txt) file that contains the encryption key.</li></ul><br/>For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md) |
 
-Some examples of **/verify** commands:
+Some examples of `/verify` commands:
 
--   `usmtutils /verify D:\MyMigrationStore\store.mig`
+- `UsmtUtils.exe /verify D:\MyMigrationStore\store.mig`
 
--   `usmtutils /verify:catalog D:\MyMigrationStore\store.mig`
+- `UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig`
 
--   `usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
+- `UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
 
--   `usmtutils /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt`
+- `UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt`
 
-## <a href="" id="bkmk-extractoptions"></a>Extract Options
+## Extract options
 
+Use the `/extract` option to recover files from a compressed USMT migration store if it will not restore normally with **LoadState**. For more information on how to use the `/extract` option, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md).
 
-Use the **/extract** option to recover files from a compressed USMT migration store if it will not restore normally with loadstate. For more information on how to use the **/extract** option, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
+The syntax for `/extract` is:
 
-The syntax for **/extract** is:
-
-/extract *&lt;filePath&gt;* *&lt;destinationPath&gt;* \[/i:*&lt;includePattern&gt;*\] \[/e: *&lt;excludePattern&gt;*\] \[/l: *&lt;logfile&gt;*\] \[/v: *VerbosityLevel&gt;*\] \[/decrypt\[:*&lt;AlgID&gt;*\] {key: *&lt;keystring&gt;* | /keyfile: *&lt;filename&gt;*}\] \[/o\]
+> /extract *&lt;filePath&gt;* *&lt;destinationPath&gt;* \[/i:*&lt;includePattern&gt;*\] \[/e: *&lt;excludePattern&gt;*\] \[/l: *&lt;logfile&gt;*\] \[/v: *VerbosityLevel&gt;*\] \[/decrypt\[:*&lt;AlgID&gt;*\] {key: *&lt;keystring&gt;* | /keyfile: *&lt;filename&gt;*}\] \[/o\]
 
 | Command-line Option | Description |
 |-------|-----|
 | *&lt;filePath&gt;* | Path to the USMT migration store. <br/><br/>For example:<br/>`D:\MyMigrationStore\USMT\store.mig` |
 | *&lt;destinationPath&gt;* | Path to the folder where the tool puts the individual files. |
-| **/i**:*&lt;includePattern&gt;* | Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use **/i**: *&lt;includePattern&gt;* and **/e**: *&lt;excludePattern&gt;* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
-| **/e**:*&lt;excludePattern&gt;* | Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use **/i**: *&lt;includePattern&gt;* and **/e**: *&lt;excludePattern&gt;* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
+| **/i**:*&lt;includePattern&gt;* | Specifies a pattern for files to include in the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use `/i`: *&lt;includePattern&gt;* and `/e`: *&lt;excludePattern&gt;* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
+| **/e**:*&lt;excludePattern&gt;* | Specifies a pattern for files to omit from the extraction. You can specify more than one pattern. Separate patterns with a comma or a semicolon. You can use `/i`: *&lt;includePattern&gt;* and `/e`: *&lt;excludePattern&gt;* options in the same command. When both include and exclude patterns are used on the command line, include patterns take precedence over exclude patterns. |
 | **/l**:*&lt;logfilePath&gt;* | Specifies the location and name of the log file. |
-| **/v:***&lt;VerbosityLevel&gt;* | **(Verbosity)**<br/><br/>Enables verbose output in the UsmtUtils log file. The default value is 0.<br/><br/>You can set the *VerbosityLevel* to one of the following levels:<br/><ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul> |
-| **/decrypt***&lt;AlgID&gt;***/key**:*&lt;KeyString&gt;*<br/>or<br/>**/decrypt***&lt;AlgID&gt;***/**:*&lt;“Key String”&gt;*<br/>or<br/>**/decrypt:***&lt;AlgID&gt;***/keyfile**:*&lt;FileName&gt;* | Specifies that the **/encrypt** option was used to create the migration store with the ScanState tool. To decrypt the migration store, you must also specify a **/key** or **/keyfile** option as follows:<br/><ul><li>*&lt;AlgID&gt;* specifies the cryptographic algorithm that was used to create the migration store on the ScanState command line. If no algorithm is specified, ScanState and UsmtUtils use the 3DES algorithm as a default.<br/>*&lt;AlgID&gt;* valid values include: AES_128, AES_192, AES_256, 3DES, or 3DES_112.</li><li>**/key**: *&lt;KeyString&gt;* specifies the encryption key. If there is a space in *&lt;KeyString&gt;*, you must surround the argument with quotation marks.</li><li>**/keyfile**:*&lt;FileName&gt;* specifies a text (.txt) file that contains the encryption key</li></ul><br/>For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md). |
+| **/v:***&lt;VerbosityLevel&gt;* | **(Verbosity)**<br/><br/>Enables verbose output in the **UsmtUtils** log file. The default value is 0.<br/><br/>You can set the *VerbosityLevel* to one of the following levels:<br/><ul><li>**0** - Only the default errors and warnings are enabled.</li><li>**1** - Enables verbose output.</li><li>**4** - Enables error and status output.</li><li>**5** - Enables verbose and status output.</li><li>**8** - Enables error output to a debugger.</li><li>**9** - Enables verbose output to a debugger.</li><li>**12** - Enables error and status output to a debugger.</li><li>**13** - Enables verbose, status, and debugger output.</li></ul> |
+| **/decrypt***&lt;AlgID&gt;***/key**:*&lt;KeyString&gt;*<br/>or<br/>**/decrypt***&lt;AlgID&gt;***/**:*&lt;"Key String"&gt;*<br/>or<br/>**/decrypt:***&lt;AlgID&gt;***/keyfile**:*&lt;FileName&gt;* | Specifies that the `/encrypt` option was used to create the migration store with the **ScanState** tool. To decrypt the migration store, you must also specify the `/key` or `/keyfile` option as follows:<br/><ul><li>*&lt;AlgID&gt;* specifies the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line. If no algorithm is specified, **ScanState** and **UsmtUtils** use the 3DES algorithm as a default.<br/>*&lt;AlgID&gt;* valid values include: `AES_128`, `AES_192`, `AES_256`, `3DES`, or `3DES_112`.</li><li>`/key`: *&lt;KeyString&gt;* specifies the encryption key. If there's a space in *&lt;KeyString&gt;*, you must surround the argument with quotation marks.</li><li>`/keyfile`:*&lt;FileName&gt;* specifies a text (.txt) file that contains the encryption key</li></ul><br/>For more information about supported encryption algorithms, see [Migration store encryption](usmt-migration-store-encryption.md). |
 | **/o** | Overwrites existing output files. |
 
-Some examples of **/extract** commands:
+Some examples of `/extract` commands:
 
--   `usmtutils /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore`
+- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig C:\ExtractedStore`
 
--   `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt`
+- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:"*.txt, *.pdf" C:\ExtractedStore /decrypt /keyfile:D:\encryptionKey.txt`
 
--   `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt`
+- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /e:*.exe C:\ExtractedStore /decrypt:AES_128 /key:password /l:C:\usmtlog.txt`
 
--   `usmtutils /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o`
+- `UsmtUtils.exe /extract D:\MyMigrationStore\USMT\store.mig /i:myProject.* /e:*.exe C:\ExtractedStore /o`
 
-## Related topics
+## Related articles
 
-[User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)
+[User State Migration Tool (USMT) command-line syntax](usmt-command-line-syntax.md)
 
-[Return Codes](usmt-return-codes.md)
+[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index f61a77dc08..be20a22816 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -1,145 +1,164 @@
 ---
 title: What does USMT migrate (Windows 10)
-description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language.
+description: Learn how User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 09/12/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/23/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # What does USMT migrate?
 
-## <a href="" id="bkmk-defaultmigscripts"></a>Default migration scripts
+## Default migration scripts
 
-The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
+The User State Migration Tool (USMT) 10.0 is designed so that an IT engineer can precisely define migrations using the USMT .xml scripting language. USMT provides the following sample scripts:
 
--   **MigApp.XML.** Rules to migrate application settings.
+- **MigApp.XML** - Rules to migrate application settings.
 
--   **MigDocs.XML.** Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files.
+- **MigDocs.XML** - Rules that use the **MigXmlHelper.GenerateDocPatterns** helper function, which can be used to automatically find user documents on a computer without the need to author extensive custom migration .xml files.
 
--   **MigUser.XML.** Rules to migrate user profiles and user data.
+- **MigUser.XML** - Rules to migrate user profiles and user data.
 
-  MigUser.xml gathers everything in a user’s profile and then does a file extension- based search of most of the system for other user data. If data doesn’t match either of these criteria, the data won’t be migrated. For the most part, this file describes a "core" migration.
+  `MigUser.xml` gathers everything in a user's profile and then does a file extension- based search of most of the system for other user data. If data doesn't match either of these criteria, the data won't be migrated. Usually, this file describes a core migration.
 
-  The following data does not migrate with MigUser.xml:
+  The following data doesn't migrate with `MigUser.xml`:
 
-  - Files outside the user profile that don’t match one of the file extensions in MigUser.xml.
+  - Files outside the user profile that don't match one of the file extensions in `MigUser.xml`.
   - Access control lists (ACLs) for folders outside the user profile.
 
-## <a href="" id="bkmk-3"></a>User data
+## User data
 
-This section describes the user data that USMT migrates by default, using the MigUser.xml file. It also defines how to migrate ACLs.
+This section describes the user data that USMT migrates by default, using the `MigUser.xml` file. It also defines how to migrate access control lists (ACLs).
 
--   **Folders from each user profile.** When you specify the MigUser.xml file, USMT migrates everything in a user’s profiles including the following:
+- **Folders from each user profile.** When you specify the `MigUser.xml` file, USMT migrates everything in a user's profiles including the following items:
 
-  My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
+  - My Documents
+
+  - My Video
+
+  - My Music
+
+  - My Pictures
+
+  - Desktop files
+
+  - Start menu
+
+  - Quick Launch settings
+
+  - Favorites
 
   > [!IMPORTANT]
-  > Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout).
+  > Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
 
--   **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8:
+- **Folders from the All Users and Public profiles.** When you specify the `MigUser.xml` file, USMT also migrates the following from the **Public** profile in Windows Vista, Windows 7, Windows 8, or Windows 10:
 
-    -   Shared Documents
+  - Shared Documents
 
-    -   Shared Video
+  - Shared Video
 
-    -   Shared Music
+  - Shared Music
 
-    -   Shared desktop files
+  - Shared desktop files
 
-    -   Shared Pictures
+  - Shared Pictures
 
-    -   Shared Start menu
+  - Shared Start menu
 
-    -   Shared Favorites
+  - Shared Favorites
 
--   **File types.** When you specify the MigUser.xml file, the ScanState tool searches the fixed drives, collects, and then migrates files with any of the following file extensions:
+- **File types.** When you specify the `MigUser.xml` file, the **ScanState** tool searches the fixed drives, collects, and then migrates files with any of the following file extensions:
 
-  **.accdb, .ch3, .csv, .dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.**
+   `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
 
   > [!NOTE]
-  > The asterisk (\*) stands for zero or more characters.
+  > The asterisk (`*`) stands for zero or more characters.
 
--   **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration.
+  > [!NOTE]
+  > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
 
-> [!IMPORTANT]
-> To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `<pattern type="File">c:\test docs</pattern>`.
+- **Access control lists.** USMT migrates access control lists (ACLs) for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named `File1.txt` that is **read-only** for **User1** and **read/write** for **User2**, these settings will still apply on the destination computer after the migration.
 
-## <a href="" id="bkmk-4"></a>Operating-system components
+  > [!IMPORTANT]
+  > To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `<pattern type="File">c:\test docs</pattern>`.
 
-USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8
+## Operating-system components
+
+USMT migrates operating-system components to a destination computer from computers running Windows 7 and Windows 8
 
 The following components are migrated by default using the manifest files:
 
--   Accessibility settings
+- Accessibility settings
 
--   Address book
+- Address book
 
--   Command-prompt settings
+- Command-prompt settings
 
--   \*Desktop wallpaper
+- Desktop wallpaper **¹**
 
--   EFS files
+- EFS files
 
--   Favorites
+- Favorites
 
--   Folder options
+- Folder options
 
--   Fonts
+- Fonts
 
--   Group membership. USMT migrates users’ group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then selecting **Manage**. When running an offline migration, the use of a **&lt;ProfileControl&gt;** section in the Config.xml file is required.
+- Group membership. USMT migrates users' group settings. The groups to which a user belongs can be found by right-clicking **My Computer** on the Start menu and then selecting **Manage**. When running an offline migration, the use of a **&lt;ProfileControl&gt;** section in the `Config.xml` file is required.
 
--   \*Windows Internet Explorer® settings
+- Windows Internet Explorer® settings **¹**
 
--   Microsoft® Open Database Connectivity (ODBC) settings
+- Microsoft® Open Database Connectivity (ODBC) settings
 
--   Mouse and keyboard settings
+- Mouse and keyboard settings
 
--   Network drive mapping
+- Network drive mapping
 
--   \*Network printer mapping
+- Network printer mapping **¹**
 
--   \*Offline files
+- Offline files **¹**
 
--   \*Phone and modem options
+- Phone and modem options **¹**
 
--   RAS connection and phone book (.pbk) files
+- RAS connection and phone book (.pbk) files
 
--   \*Regional settings
+- Regional settings **¹**
 
--   Remote Access
+- Remote Access
 
--   \*Taskbar settings
+- Taskbar settings **¹**
 
--   User personal certificates (all)
+- User personal certificates (all)
 
--   Windows Mail.
+- Windows Mail
 
--   \*Windows Media Player
+- Windows Media Player **¹**
 
--   Windows Rights Management
+- Windows Rights Management
 
-\* These settings aren't available for an offline migration. For more information, see [Offline Migration Reference](offline-migration-reference.md).
+  **¹** These settings aren't available for an offline migration. For more information, see [Offline migration reference](offline-migration-reference.md).
 
 > [!IMPORTANT]
 > This list may not be complete. There may be additional components that are migrated.
 
 > [!NOTE]
-> Some settings, such as fonts, aren't applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool.
+> Some settings, such as fonts, aren't applied by the **LoadState** tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the **LoadState** tool.
 
-## <a href="" id="bkmk-2"></a>Supported applications
+## Supported applications
 
 Even though it's not required for all applications, it's good practice to install all applications on the destination computer before restoring the user state. Installing applications before migrating settings helps to ensure that migrated settings aren't overwritten by the application installers.
 
 > [!NOTE]
-> 
-> - The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office.
-> - USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate.
+> The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office.
 
-When you specify the MigApp.xml file, USMT migrates the settings for the following applications:
+> [!NOTE]
+> USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate.
+
+When you specify the `MigApp.xml` file, USMT migrates the settings for the following applications:
 
 |Product|Version|
 |--- |--- |
@@ -155,7 +174,7 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi
 |Google Picasa|3|
 |Google Talk|beta|
 |IBM Lotus 1-2-3|9|
-|IBM Lotus Notes|6,7, 8|
+|IBM Lotus Notes|6, 7, 8|
 |IBM Lotus Organizer|5|
 |IBM Lotus WordPro|9.9|
 |Intuit Quicken Deluxe|2009|
@@ -188,54 +207,52 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi
 |Yahoo Messenger|9|
 |Microsoft Zune™ Software|3|
 
-## <a href="" id="no"></a>What USMT doesn't migrate
+## What USMT doesn't migrate
 
-The following is a list of the settings that USMT doesn't migrate. If you are having a problem that isn't listed here, see [Common Issues](usmt-common-issues.md).
+The following items are settings that USMT doesn't migrate. If you're having a problem that isn't listed here, see [Common issues](/troubleshoot/windows-client/deployment/usmt-common-issues).
 
 ### Application settings
 
-USMT does not migrate the following application settings:
+USMT doesn't migrate the following application settings:
 
--   Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version.
+- Settings from earlier versions of an application. The versions of each application must match on the source and destination computers. USMT doesn't support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. USMT can migrate from an earlier version of Microsoft Office to a later version.
 
--   Application settings and some operating-system settings when a local account is created. For example, if you run /lac to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate.
+- Application settings and some operating-system settings when a local account is created. For example, if you run `/lac` to create a local account on the destination computer, USMT will migrate the user data, but only some of the operating-system settings, such as wallpaper and screensaver settings, and no application settings will migrate.
 
--   Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
+- Microsoft Project settings, when migrating from Office 2003 to Office 2007 system.
 
--   ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the LoadState tool, the application won't start. You may encounter problems when:
+- ICQ Pro settings, if ICQ Pro is installed in a different location on the destination computer. To successfully migrate the settings of ICQ Pro, you must install ICQ Pro in the same location on the destination computer as it was on the source computer. Otherwise, after you run the **LoadState** tool, the application won't start. You may encounter problems when:
 
-    -   You change the default installation location on 32-bit destination computers.
+  - You change the default installation location on 32-bit destination computers.
 
-    -   You attempt to migrate from a 32-bit computer to a 64-bit computer. This is because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is "C:\\Program Files\\...". The ICQ Pro default installation directory on an x64-based computer, however, is “C:\\Program Files (x86)\\...”.
+  - You attempt to migrate from a 32-bit computer to a 64-bit computer. Attempting to migrate settings between different architectures doesn't work because the ICQ Pro default installation directory is different on the two types of computers. When you install ICQ Pro on a 32-bit computer, the default location is `C:\Program Files\...`. The ICQ Pro default installation directory on an x64-based computer, however, is `C:\Program Files (x86)\...`.
 
 ### Operating-System settings
 
-USMT does not migrate the following operating-system settings.
+USMT doesn't migrate the following operating-system settings.
 
--   Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
+- Local printers, hardware-related settings, drivers, passwords, application binary files, synchronization files, DLL files, or other executable files.
 
--   Permissions for shared folders. After migration, you must manually reshare any folders that were shared on the source computer.
+- Permissions for shared folders. After migration, you must manually re-share any folders that were shared on the source computer.
 
--   Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
+- Files and settings migrating between operating systems with different languages. The operating system of the source computer must match the language of the operating system on the destination computer.
 
--   Customized icons for shortcuts may not migrate.
+- Customized icons for shortcuts may not migrate.
 
--   Taskbar settings, when the source computer is running Windows XP.
+You should also note the following items:
 
-You should also note the following:
+- You should run USMT from an account with administrative credentials. Otherwise, some data won't migrate. When running the **ScanState** and **LoadState** tools, you must run the tools in Administrator mode from an account with administrative credentials. If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration.
 
--   You should run USMT from an account with administrative credentials. Otherwise, some data will not migrate. When running the ScanState and LoadState tools you must run the tools in Administrator mode from an account with administrative credentials. If you don't run USMT in Administrator mode, only the user profile that is logged on will be included in the migration. In addition, you must run the ScanState tool on Windows XP from an account with administrative credentials. Otherwise, some operating-system settings will not migrate. To run in Administrator mode, select **Start**, **All Programs**, **Accessories**, right-click **Command Prompt**, and then select **Run as administrator**.
-
--   You can use the /**localonly** option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify /**localonly**, see [ScanState Syntax](usmt-scanstate-syntax.md).
+- You can use the `/localonly` option to exclude the data from removable drives and network drives mapped on the source computer. For more information about what is excluded when you specify `/localonly`, see [ScanState syntax](usmt-scanstate-syntax.md).
 
 ### Start menu layout
 
-Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout).
+Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
 
 ### User profiles from Active Directory to Azure Active Directory
 
 USMT doesn't support migrating user profiles from Active Directory to Azure Active Directory.
 
-## Related topics
+## Related articles
 
 [Plan your migration](usmt-plan-your-migration.md)
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 8a5c5bd2f7..34115d72da 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -2,51 +2,40 @@
 title: XML Elements Library (Windows 10)
 description: Learn about the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# XML Elements Library
+# XML elements library
 
 This topic describes the XML elements and helper functions that you can employ to author migration .xml files to use with User State Migration Tool (USMT). It is assumed that you understand the basics of XML.
 
-## In this topic
+In addition to XML elements and helper functions, this article describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions.
 
-In addition to XML elements and helper functions, this topic describes how to specify encoded locations and locations patterns, functions that are for internal USMT use only, and the version tags that you can use with helper functions.
-
--   [Elements and helper functions](#elements)
-
--   [Appendix](#appendix)
-
-    -   [Specifying locations](#locations)
-
-    -   [Internal USMT functions](#internalusmtfunctions)
-
-    -   [Valid version tags](#allowed)
-
-## <a href="" id="elements"></a>Elements and Helper Functions
+## Elements and helper functions
 
 The following table describes the XML elements and helper functions you can use with USMT.
 
 | Elements A-K | Elements L-Z | Helper functions |
 |-----|----|-----|
-| [&lt;addObjects&gt;](#addobjects) <br/>[&lt;attributes&gt;](#attribute) <br/>[&lt;bytes&gt;](#bytes) <br/>[&lt;commandLine&gt;](#commandline) <br/>[&lt;component&gt;](#component) <br/>[&lt;condition&gt;](#condition) <br/>[&lt;conditions&gt;](#conditions) <br/>[&lt;content&gt;](#content) <br/>[&lt;contentModify&gt;](#contentmodify) <br/>[&lt;description&gt;](#description) <br/>[&lt;destinationCleanup&gt;](#destinationcleanup) <br/>[&lt;detect&gt;](#detect) <br/>[&lt;detects&gt;](#detects) <br/>[&lt;detection&gt;](#detection) <br/>[&lt;displayName&gt;](#displayname) <br/>[&lt;environment&gt;](#bkmk-environment) <br/>[&lt;exclude&gt;](#exclude) <br/>[&lt;excludeAttributes&gt;](#excludeattributes) <br/>[&lt;extensions&gt;](#extensions) <br/>[&lt;extension&gt;](#extension) <br/>[&lt;externalProcess&gt;](#externalprocess) <br/>[&lt;icon&gt;](#icon) <br/>[&lt;include&gt;](#include) <br/>[&lt;includeAttribute&gt;](#includeattributes) | [&lt;library&gt;](#library) <br/>[&lt;location&gt;](#location) <br/>[&lt;locationModify&gt;](#locationmodify) <br/>[&lt;_locDefinition&gt;](#locdefinition) <br/>[&lt;manufacturer&gt;](#manufacturer) <br/>[&lt;merge&gt;](#merge) <br/>[&lt;migration&gt;](#migration) <br/>[&lt;namedElements&gt;](#namedelements) <br/>[&lt;object&gt;](#object) <br/>[&lt;objectSet&gt;](#objectset) <br/>[&lt;path&gt;](#path) <br/>[&lt;paths&gt;](#paths) <br/>[&lt;pattern&gt;](#pattern) <br/>[&lt;processing&gt;](#processing) <br/>[&lt;plugin&gt;](#plugin) <br/>[&lt;role&gt;](#role) <br/>[&lt;rules&gt;](#rules) <br/>[&lt;script&gt;](#script) <br/>[&lt;text&gt;](#text) <br/>[&lt;unconditionalExclude&gt;](#unconditionalexclude) <br/>[&lt;variable&gt;](#variable) <br/>[&lt;version&gt;](#version) <br/>[&lt;windowsObjects&gt;](#windowsobjects) | [&lt;condition&gt; functions](#conditionfunctions) <br/>[&lt;content&gt; functions](#contentfunctions) <br/>[&lt;contentModify&gt; functions](#contentmodifyfunctions) <br/>[&lt;include&gt; and &lt;exclude&gt; filter functions](#persistfilterfunctions) <br/>[&lt;locationModify&gt; functions](#locationmodifyfunctions) <br/>[&lt;merge&gt; functions](#mergefunctions) <br/>[&lt;script&gt; functions](#scriptfunctions) <br/>[Internal USMT functions](#internalusmtfunctions) |
+| [&lt;addObjects&gt;](#addobjects) <br/>[&lt;attributes&gt;](#attributes) <br/>[&lt;bytes&gt;](#bytes) <br/>[&lt;commandLine&gt;](#commandline) <br/>[&lt;component&gt;](#component) <br/>[&lt;condition&gt;](#condition) <br/>[&lt;conditions&gt;](#conditions) <br/>[&lt;content&gt;](#content) <br/>[&lt;contentModify&gt;](#contentmodify) <br/>[&lt;description&gt;](#description) <br/>[&lt;destinationCleanup&gt;](#destinationcleanup) <br/>[&lt;detect&gt;](#detect) <br/>[&lt;detects&gt;](#detects) <br/>[&lt;detection&gt;](#detection) <br/>[&lt;displayName&gt;](#displayname) <br/>[&lt;environment&gt;](#environment) <br/>[&lt;exclude&gt;](#exclude) <br/>[&lt;excludeAttributes&gt;](#excludeattributes) <br/>[&lt;extensions&gt;](#extensions) <br/>[&lt;extension&gt;](#extension) <br/>[&lt;externalProcess&gt;](#externalprocess) <br/>[&lt;icon&gt;](#icon) <br/>[&lt;include&gt;](#include) <br/>[&lt;includeAttribute&gt;](#includeattributes) | [&lt;library&gt;](#library) <br/>[&lt;location&gt;](#location) <br/>[&lt;locationModify&gt;](#locationmodify) <br/>[&lt;_locDefinition&gt;](#_locdefinition) <br/>[&lt;manufacturer&gt;](#manufacturer) <br/>[&lt;merge&gt;](#merge) <br/>[&lt;migration&gt;](#migration) <br/>[&lt;namedElements&gt;](#namedelements) <br/>[&lt;object&gt;](#object) <br/>[&lt;objectSet&gt;](#objectset) <br/>[&lt;path&gt;](#path) <br/>[&lt;paths&gt;](#paths) <br/>[&lt;pattern&gt;](#pattern) <br/>[&lt;processing&gt;](#processing) <br/>[&lt;plugin&gt;](#plugin) <br/>[&lt;role&gt;](#role) <br/>[&lt;rules&gt;](#rules) <br/>[&lt;script&gt;](#script) <br/>[&lt;text&gt;](#text) <br/>[&lt;unconditionalExclude&gt;](#unconditionalexclude) <br/>[&lt;variable&gt;](#variable) <br/>[&lt;version&gt;](#version) <br/>[&lt;windowsObjects&gt;](#windowsobjects) | [&lt;condition&gt; functions](#condition-functions) <br/>[&lt;content&gt; functions](#content-functions) <br/>[&lt;contentModify&gt; functions](#contentmodify-functions) <br/>[&lt;include&gt; and &lt;exclude&gt; filter functions](#include-and-exclude-filter-functions) <br/>[&lt;locationModify&gt; functions](#locationmodify-functions) <br/>[&lt;merge&gt; functions](#merge-functions) <br/>[&lt;script&gt; functions](#script-functions) <br/>[Internal USMT functions](#internal-usmt-functions) |
 
-## <a href="" id="addobjects"></a>&lt;addObjects&gt;
+## &lt;addObjects&gt;
 
-The &lt;addObjects&gt; element emulates the existence of one or more objects on the source computer. The child &lt;object&gt; elements provide the details of the emulated objects. If the content is a &lt;script&gt; element, the result of the invocation will be an array of objects.
+The **&lt;addObjects&gt;** element emulates the existence of one or more objects on the source computer. The child **&lt;object&gt;** elements provide the details of the emulated objects. If the content is a **&lt;script&gt;** element, the result of the invocation will be an array of objects.
 
--   **Number of occurrences:** unlimited
+- **Number of occurrences:** unlimited
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Required child elements:** [&lt;object&gt;](#object) In addition, you must specify [&lt;location&gt;](#location) and [&lt;attribute&gt;](#attribute) as child elements of this &lt;object&gt; element.
+- **Required child elements:** [&lt;object&gt;](#object) In addition, you must specify [&lt;location&gt;](#location) and [&lt;attribute&gt;](#attributes) as child elements of this **&lt;object&gt;** element.
 
--   **Optional child elements:**[&lt;conditions&gt;](#conditions), &lt;condition&gt;, [&lt;script&gt;](#script)
+- **Optional child elements:** [&lt;conditions&gt;](#conditions), [&lt;condition&gt;](#condition), [&lt;script&gt;](#script)
 
 Syntax:
 
@@ -55,7 +44,7 @@ Syntax:
 </addObjects>
 ```
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <addObjects>
@@ -72,15 +61,15 @@ The following example is from the MigApp.xml file:
 </addObjects>
 ```
 
-## <a href="" id="attribute"></a>&lt;attributes&gt;
+## &lt;attributes&gt;
 
-The &lt;attributes&gt; element defines the attributes for a registry key or file.
+The **&lt;attributes&gt;** element defines the attributes for a registry key or file.
 
--   **Number of occurrences:** once for each &lt;object&gt;
+- **Number of occurrences:** once for each [&lt;object&gt;](#object)
 
--   **Parent elements:**[&lt;object&gt;](#object)
+- **Parent elements:** [&lt;object&gt;](#object)
 
--   **Child elements:** none
+- **Child elements:** none
 
 Syntax:
 
@@ -92,7 +81,7 @@ Syntax:
 |------|-----|----|
 | *Content* | Yes | The content depends on the type of object specified. <br/><ul><li>For files, the content can be a string containing any of the following attributes separated by commas:<ul><li>Archive</li><li>Read-only</li><li>System</li><li>Hidden</li></ul></li><li>For registry keys, the content can be one of the following types:<ul><li>None</li><li>String</li><li>ExpandString</li><li>Binary</li><li>Dword</li><li>REG_SZ</li></ul></li></ul>|
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <object>
@@ -102,15 +91,15 @@ The following example is from the MigApp.xml file:
 </object> 
 ```
 
-## <a href="" id="bytes"></a>&lt;bytes&gt;
+## &lt;bytes&gt;
 
-You must specify the &lt;bytes&gt; element only for files because, if &lt;location&gt; corresponds to a registry key or a directory, then &lt;bytes&gt; will be ignored.
+You must specify the **&lt;bytes&gt;** element only for files because, if **&lt;location&gt;** corresponds to a registry key or a directory, then **&lt;bytes&gt;** will be ignored.
 
--   **Number of occurrences:** zero or one
+- **Number of occurrences:** zero or one
 
--   **Parent elements:**[&lt;object&gt;](#object)
+- **Parent elements:** [&lt;object&gt;](#object)
 
--   **Child elements:** none
+- **Child elements:** none
 
 Syntax:
 
@@ -121,10 +110,10 @@ Syntax:
 |Setting|Required?|Value|
 |--- |--- |--- |
 |string|No, default is No|Determines whether *Content* should be interpreted as a string or as bytes.|
-|expand|No (default = Yes|When the expand parameter is Yes, the content of the &lt;bytes&gt; element is first expanded in the context of the source computer and then interpreted.|
-|*Content*|Yes|Depends on the value of the string.<ul><li>When the string is Yes: the content of the &lt;bytes&gt; element is interpreted as a string.</li><li>When the string is No: the content of the &lt;bytes&gt; element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, &quot;616263&quot; is the representation for the &quot;abc&quot; ANSI string. A complete representation of the UNICODE string &quot;abc&quot; including the string terminator would be: &quot;6100620063000000&quot;.</li></ul>|
+|expand|No (default = Yes|When the expand parameter is **Yes**, the content of the **&lt;bytes&gt;** element is first expanded in the context of the source computer and then interpreted.|
+|*Content*|Yes|Depends on the value of the string.<ul><li>When the string is **Yes**: the content of the **&lt;bytes&gt;** element is interpreted as a string.</li><li>When the string is **No**: the content of the **&lt;bytes&gt;** element is interpreted as bytes. Each two characters represent the hexadecimal value of a byte. For example, `616263` is the representation for the `abc` ANSI string. A complete representation of the UNICODE string `abc` including the string terminator would be: `6100620063000000`.</li></ul>|
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <object>
@@ -134,16 +123,15 @@ The following example is from the MigApp.xml file:
 </object> 
 ```
 
-## <a href="" id="commandline"></a>&lt;commandLine&gt;
+## &lt;commandLine&gt;
 
+You might want to use the **&lt;commandLine&gt;** element if you want to start or stop a service or application before or after you run the **ScanState** and **LoadState** tools.
 
-You might want to use the &lt;commandLine&gt; element if you want to start or stop a service or application before or after you run the ScanState and LoadState tools.
+- **Number of occurrences:** unlimited
 
--   **Number of occurrences:** unlimited
+- **Parent elements:** [&lt;externalProcess&gt;](#externalprocess)
 
--   **Parent elements:**[&lt;externalProcess&gt;](#externalprocess)
-
--   **Child elements:** none****
+- **Child elements:** none
 
 Syntax:
 
@@ -155,19 +143,22 @@ Syntax:
 |--- |--- |--- |
 |*CommandLineString*|Yes|A valid command line.|
 
-## <a href="" id="component"></a>&lt;component&gt;
+## &lt;component&gt;
 
-The &lt;component&gt; element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft&reg; Office 2003" is a component that contains another component, "Microsoft Office Access&reg; 2003". You can use the child elements to define the component.
+The **&lt;component&gt;** element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the `MigApp.xml` file, "Microsoft Office 2003" is a component that contains another component, "Microsoft Office Access 2003". You can use the child elements to define the component.
 
-A component can be nested inside another component; that is, the &lt;component&gt; element can be a child of the &lt;role&gt; element within the &lt;component&gt; element in two cases: 1) when the parent &lt;component&gt; element is a container or 2) if the child &lt;component&gt; element has the same role as the parent &lt;component&gt; element.
+A component can be nested inside another component; that is, the **&lt;component&gt;** element can be a child of the **&lt;role&gt;** element within the **&lt;component&gt;** element in two cases:
 
--   **Number of occurrences:** Unlimited
+1. When the parent **&lt;component&gt;** element is a container
+2. If the child **&lt;component&gt;** element has the same role as the parent **&lt;component&gt;** element.
 
--   **Parent elements:**[&lt;migration&gt;](#migration), [&lt;role&gt;](#role)
+- **Number of occurrences:** Unlimited
 
--   **Required child elements:**[&lt;role&gt;](#role), [&lt;displayName&gt;](#displayname)
+- **Parent elements:** [&lt;migration&gt;](#migration), [&lt;role&gt;](#role)
 
--   **Optional child elements:**[&lt;manufacturer&gt;](#manufacturer), [&lt;version&gt;](#version), [&lt;description&gt;](#description), [&lt;paths&gt;](#paths), [&lt;icon&gt;](#icon), [&lt;environment&gt;](#bkmk-environment), [&lt;extensions&gt;](#extensions)
+- **Required child elements:** [&lt;role&gt;](#role), [&lt;displayName&gt;](#displayname)
+
+- **Optional child elements:** [&lt;manufacturer&gt;](#manufacturer), [&lt;version&gt;](#version), [&lt;description&gt;](#description), [&lt;paths&gt;](#paths), [&lt;icon&gt;](#icon), [&lt;environment&gt;](#environment), [&lt;extensions&gt;](#extensions)
 
 Syntax:
 
@@ -179,26 +170,26 @@ hidden="Yes|No">
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| type | Yes | You can use the following to group settings, and define the type of the component. <ul><li>**System:** Operating system settings. All Windows&reg; components are defined by this type. <br/>When type=&quot;System&quot; and defaultSupported=&quot;FALSE&quot; the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type=&quot;System&quot; and defaultSupported=&quot;FALSE&quot;. If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.</li><li>**Application:** Settings for an application.</li><li>**Device:** Settings for a device.</li><li>**Documents:** Specifies files.</li></ul> |
-| context | No <br/>Default = UserAndSystem | Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the &lt;component&gt; element. For example, if a &lt;component&gt; element has a context of User and a &lt;rules&gt; element had a context of UserAndSystem, then the &lt;rules&gt; element would act as though it has a context of User. If a &lt;rules&gt; element has a context of System, it would act as though the &lt;rules&gt; element is not there. <ul><li>**User**. Evaluates the component for each user.</li><li>**System**. Evaluates the component only once for the system.</li><li>**UserAndSystem**. Evaluates the component for the entire operating system and each user.</li></ul> |
-| defaultSupported | No <br/>(default = TRUE) | Can be any of TRUE, FALSE, YES, or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer. <br/>When type=&quot;System&quot; and defaultSupported=&quot;FALSE&quot; the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type=&quot;System&quot; and defaultSupported=&quot;FALSE&quot;. If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers. |
+| type | Yes | You can use the following to group settings, and define the type of the component.<ul><li>**System:** Operating system settings. All Windows components are defined by this type. <br/>When **type=&quot;System&quot;** and **defaultSupported=&quot;FALSE&quot;** the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the `LoadState.exe` command line. For example, the default `MigSys.xml` file contains components with **type=&quot;System&quot;** and **defaultSupported=&quot;FALSE&quot;**. If you specify this file on the `ScanState.exe` command line, you must also specify the file on the `LoadState.exe` command line for the settings to migrate. This is because the `LoadState.exe` tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the **LoadState** tool will not migrate those settings from the store. This is helpful because you can use the same store for destination computers that are the same version of Windows and a different version of Windows as the source computer.</li><li>**Application:** Settings for an application.</li><li>**Device:** Settings for a device.</li><li>**Documents:** Specifies files.</li></ul> |
+| context | No <br/>Default = UserAndSystem | Defines the scope of this parameter; that is, whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the **&lt;component&gt;** element. For example, if a **&lt;component&gt;** element has a context of **User** and a **&lt;rules&gt;** element had a context of **UserAndSystem**, then the **&lt;rules&gt;** element would act as though it has a context of **User**. If a **&lt;rules&gt;** element has a context of **System**, it would act as though the **&lt;rules&gt;** element is not there. <ul><li>**User**: Evaluates the component for each user.</li><li>**System**: Evaluates the component only once for the system.</li><li>**UserAndSystem**: Evaluates the component for the entire operating system and each user.</li></ul> |
+| defaultSupported | No <br/>(default = TRUE) | Can be any of **TRUE**, **FALSE**, **YES**, or **NO**. If this parameter is **FALSE** (or **NO**), the component will not be migrated unless there is an equivalent component on the destination computer. <br/>When **type=&quot;System&quot;** and **defaultSupported=&quot;FALSE&quot;** the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the `LoadState.exe` command line. For example, the default `MigSys.xml` file contains components with **type=&quot;System&quot;** and **defaultSupported=&quot;FALSE&quot;**. If you specify this file on the `ScanState.exe` command line, you must also specify the file on the `LoadState.exe` command line for the settings to migrate. This is because the **LoadState** tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the **LoadState** tool will not migrate those settings from the store. This is helpful because you can use the same store for destination computers that are the same version of Windows and a different version of Windows as the source computer. |
 | hidden |   | This parameter is for internal USMT use only. |
 
 For an example, see any of the default migration .xml files.
 
-## <a href="" id="condition"></a>&lt;condition&gt;
+## &lt;condition&gt;
 
-Although the &lt;condition&gt; element under the &lt;detect&gt;, &lt;objectSet&gt;, and &lt;addObjects&gt; elements is supported, we recommend that you do not use it. This element might be deprecated in future versions of USMT, requiring you to rewrite your scripts. We recommend that, if you need to use a condition within the &lt;objectSet&gt; and &lt;addObjects&gt; elements, you use the more powerful [&lt;conditions&gt;](#conditions) element, which allows you to formulate complex Boolean statements.
+Although the **&lt;condition&gt;** element under the **&lt;detect&gt;**, **&lt;objectSet&gt;**, and **&lt;addObjects&gt;** elements is still supported, it is recommend to no longer use the **&lt;condition&gt;** element because it may be deprecated in future versions of USMT. If the **&lt;condition&gt;** element were depecated, it would require a rewrite of any scripts that use the **&lt;condition&gt;** element. Instead, if you need to use a condition within the **&lt;objectSet&gt;** and **&lt;addObjects&gt;** elements, it is recommended to use the more powerful **[&lt;conditions&gt;](#conditions)** element. The **&lt;conditions&gt;** element allows for formulation of complex Boolean statements.
 
-The &lt;condition&gt; element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return FALSE, the parent element will not be evaluated.
+The **&lt;condition&gt;** element has a Boolean result. You can use this element to specify the conditions in which the parent element will be evaluated. If any of the present conditions return **FALSE**, the parent element will not be evaluated.
 
--   **Number of occurrences:** unlimited.
+- **Number of occurrences:** unlimited.
 
--   **Parent elements:**[&lt;conditions&gt;](#conditions), &lt;detect&gt;, &lt;objectSet&gt;, &lt;addObjects&gt;
+- **Parent elements:** [&lt;conditions&gt;](#conditions), [&lt;detect&gt;](#detect), [&lt;objectSet&gt;](#objectset), [&lt;addObjects&gt;](#addobjects)
 
--   **Child elements:** none
+- **Child elements:** none
 
--   **Helper functions:** You can use the following [&lt;condition&gt; functions](#conditionfunctions) with this element: DoesOSMatch, IsNative64Bit(), IsOSLaterThan, IsOSEarlierThan, DoesObjectExist, DoesFileVersionMatch, IsFileVersionAbove, IsFileVersionBelow, IsSystemContext, DoesStringContentEqual, DoesStringContentContain, IsSameObject, IsSameContent, and IsSameStringContent.
+- **Helper functions:** You can use the following [&lt;condition&gt; functions](#condition-functions) with this element: `DoesOSMatch`, `IsNative64Bit()`, `IsOSLaterThan`, `IsOSEarlierThan`, `DoesObjectExist`, `DoesFileVersionMatch`, `IsFileVersionAbove`, `IsFileVersionBelow`, `IsSystemContext`, `DoesStringContentEqual`, `DoesStringContentContain`, `IsSameObject`, `IsSameContent`, and `IsSameStringContent`.
 
 Syntax:
 
@@ -208,12 +199,10 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|negation|No <br/>Default = No|"Yes" reverses the True/False value of the condition.|
+|negation|No <br/>Default = No|**"Yes"** reverses the True/False value of the condition.|
 |*ScriptName*|Yes|A script that has been defined within this migration section.|
 
-For example,
-
-In the code sample below, the &lt;condition&gt; elements, A and B, are joined together by the AND operator because they are in separate &lt;conditions&gt; sections. For example:
+For example, in the code sample below, the **&lt;condition&gt;** elements, **A** and **B**, are joined together by the **AND** operator because they are in separate **&lt;conditions&gt;** sections:
 
 ```xml
 <detection>
@@ -226,7 +215,7 @@ In the code sample below, the &lt;condition&gt; elements, A and B, are joined to
 </detection>
 ```
 
-However, in the code sample below, the &lt;condition&gt; elements, A and B, are joined together by the OR operator because they are in the same &lt;conditions&gt; section.
+However, in the code sample below, the **&lt;condition&gt;** elements, **A** and **B**, are joined together by the **OR** operator because they are in the same **&lt;conditions&gt;** section.
 
 ```xml
 <detection>
@@ -237,17 +226,17 @@ However, in the code sample below, the &lt;condition&gt; elements, A and B, are
 </detection>
 ```
 
-### <a href="" id="conditionfunctions"></a>&lt;condition&gt; functions
+### &lt;condition&gt; functions
 
-The &lt;condition&gt; functions return a Boolean value. You can use these elements in &lt;addObjects&gt; conditions.
+The **&lt;condition&gt;** functions return a Boolean value. You can use these elements in **&lt;addObjects&gt;** conditions.
 
--   [Operating system version functions](#operatingsystemfunctions)
+- [Operating system version functions](#operating-system-version-functions)
 
--   [Object content functions](#objectcontentfunctions)
+- [Object content functions](#object-content-functions)
 
-### <a href="" id="operatingsystemfunctions"></a>Operating system version functions
+### Operating system version functions
 
--   **DoesOSMatch**
+- **DoesOSMatch**
 
     All matches are case insensitive.
 
@@ -255,8 +244,8 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*OSType*|Yes|The only valid value for this setting is **NT**. Note, however, that you must set this setting for the &lt;condition&gt; functions to work correctly.|
-    |*OSVersion*|Yes|The major version, minor version, build number and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version with a pattern. For example, `5.0.*`.|
+    |*OSType*|Yes|The only valid value for this setting is **NT**. Note, however, that you must set this setting for the **&lt;condition&gt;** functions to work correctly.|
+    |*OSVersion*|Yes|The major version, minor version, build number and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version with a pattern such as `5.0.*`.|
 
   For example:
 
@@ -264,11 +253,11 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
   <condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition>
   ```
 
--   **IsNative64Bit**
+- **IsNative64Bit**
 
-    The IsNative64Bit function returns TRUE if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns FALSE.
+    The **IsNative64Bit** function returns **TRUE** if the migration process is running as a native 64-bit process; that is, a process running on a 64-bit system without Windows on Windows (WOW). Otherwise, it returns **FALSE**.
 
--   **IsOSLaterThan**
+- **IsOSLaterThan**
 
     All comparisons are case insensitive.
 
@@ -276,8 +265,8 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and *OSType* is "9x", the result will be FALSE.|
-    |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed. For example, `5.0`. <br/><br/>The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to *OSVersion*.|
+    |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns **FALSE**. For example, if the current operating system is Windows NT-based and *OSType* is **"9x"**, the result will be **FALSE**.|
+    |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed such as `5.0`. <br/><br/>The **IsOSLaterThan** function returns **TRUE** if the current operating system is later than or equal to *OSVersion*.|
 
   For example:
 
@@ -285,7 +274,7 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
   <condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition>
   ```
 
--   **IsOSEarlierThan**
+- **IsOSEarlierThan**
 
     All comparisons are case insensitive.
 
@@ -293,24 +282,23 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and *OSType* is "9x" the result will be FALSE.|
-    |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed. For example, `5.0`. <br/><br/>The IsOSEarlierThan function returns TRUE if the current operating system is earlier than *OSVersion*.|
+    |*OSType*|Yes|Can be **9x** or **NT**. If *OSType* does not match the type of the current operating system, then it returns **FALSE**. For example, if the current operating system is Windows NT-based and *OSType* is **"9x"** the result will be **FALSE**.|
+    |*OSVersion*|Yes|The major version, minor version, build number, and corrected service diskette version separated by periods. For example, `5.0.2600.Service Pack 1`. You can also specify partial specification of the version but no pattern is allowed such as `5.0`. <br/><br/>The **IsOSEarlierThan** function returns **TRUE** if the current operating system is earlier than *OSVersion*.|
 
-
-### <a href="" id="objectcontentfunctions"></a>Object content functions
+### Object content functions
 
 - **DoesObjectExist**
 
-  The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration.
+  The DoesObjectExist function returns **TRUE** if any object exists that matches the location pattern. Otherwise, it returns **FALSE**. The location pattern is expanded before attempting the enumeration.
 
   Syntax: `DoesObjectExist("ObjectType","EncodedLocationPattern")`
 
    |Setting|Required?|Value|
    |--- |--- |--- |
    |*ObjectType*|Yes|Defines the object type. Can be File or Registry.|
-   |*EncodedLocationPattern*|Yes|The [location pattern](#locations). Environment variables are allowed.|
+   |*EncodedLocationPattern*|Yes|The **[location pattern](#specifying-locations)**. Environment variables are allowed.|
 
-  For an example of this element, see the MigApp.xml file.
+  For an example of this element, see the `MigApp.xml` file.
 
 - **DoesFileVersionMatch**
 
@@ -320,8 +308,8 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*EncodedFileLocation*|Yes|The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.|
-    |*VersionTag*|Yes|The [version tag](#allowed) value that will be checked.|
+    |*EncodedFileLocation*|Yes|The **[location pattern](#specifying-locations)** for the file that will be checked. Environment variables are allowed.|
+    |*VersionTag*|Yes|The **[version tag](#valid-version-tags)** value that will be checked.|
     |*VersionValue*|Yes|A string pattern. For example, "Microsoft*".|
 
   For example:
@@ -332,14 +320,14 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
 - **IsFileVersionAbove**
 
-  The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*.
+  The **IsFileVersionAbove** function returns **TRUE** if the version of the file is higher than *VersionValue*.
 
   Syntax: `IsFileVersionAbove("EncodedFileLocation","VersionTag","VersionValue")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*EncodedFileLocation*|Yes|The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.|
-    |*VersionTag*|Yes|The [version tag](#allowed) value that will be checked.|
+    |*EncodedFileLocation*|Yes|The **[location pattern](#specifying-locations)** for the file that will be checked. Environment variables are allowed.|
+    |*VersionTag*|Yes|The **[version tag](#valid-version-tags)** value that will be checked.|
     |*VersionValue*|Yes|The value to compare to. You cannot specify a pattern.|
 
 - **IsFileVersionBelow**
@@ -348,26 +336,26 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*EncodedFileLocation*|Yes|The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.|
-    |*VersionTag*|Yes|The [version tag](#allowed) value that will be checked.|
+    |*EncodedFileLocation*|Yes|The **[location pattern](#specifying-locations)** for the file that will be checked. Environment variables are allowed.|
+    |*VersionTag*|Yes|The **[version tag](#valid-version-tags)** value that will be checked.|
     |*VersionValue*|Yes|The value to compare to. You cannot specify a pattern.|
 
 - **IsSystemContext**
 
-  The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE.
+  The **IsSystemContext** function returns **TRUE** if the current context is **"System"**. Otherwise, it returns **FALSE**.
 
   Syntax: `IsSystemContext()`
 
 - **DoesStringContentEqual**
 
-  The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`.
+  The **DoesStringContentEqual** function returns **TRUE** if the string representation of the given object is identical to `StringContent`.
 
   Syntax: `DoesStringContentEqual("ObjectType","EncodedLocation","StringContent")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     |*ObjectType*|Yes|Defines the type of object. Can be File or Registry.|
-    |*EncodedLocationPattern*|Yes|The [encoded location](#locations) for the object that will be examined. You can specify environment variables.|
+    |*EncodedLocationPattern*|Yes|The **[encoded location](#specifying-locations)** for the object that will be examined. You can specify environment variables.|
     |StringContent|Yes|The string that will be checked against.|
 
   For example:
@@ -378,27 +366,27 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
 - **DoesStringContentContain**
 
-  The DoesStringContentContain function returns TRUE if there is at least one occurrence of *StrToFind* in the string representation of the object.
+  The **DoesStringContentContain** function returns **TRUE** if there is at least one occurrence of *StrToFind* in the string representation of the object.
 
   Syntax: `DoesStringContentContain("ObjectType","EncodedLocation","StrToFind")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     |*ObjectType*|Yes|Defines the type of object. Can be File or Registry.|
-    |*EncodedLocationPattern*|Yes|The [encoded location](#locations) for the object that will be examined. You can specify environment variables.|
+    |*EncodedLocationPattern*|Yes|The **[encoded location](#specifying-locations)** for the object that will be examined. You can specify environment variables.|
     |*StrToFind*|Yes|A string that will be searched inside the content of the given object.|
 
 - **IsSameObject**
 
-  The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE.
+  The **IsSameObject** function returns **TRUE** if the given encoded locations resolve to the same physical object. Otherwise, it returns **FALSE**.
 
   Syntax: `IsSameObject("ObjectType","EncodedLocation1","EncodedLocation2")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     |*ObjectType*|Yes|Defines the type of object. Can be File or Registry.|
-    |*EncodedLocation1*|Yes|The [encoded location](#locations) for the first object. You can specify environment variables.|
-    |*EncodedLocation2*|Yes|The [encoded location](#locations) for the second object. You can specify environment variables.|
+    |*EncodedLocation1*|Yes|The **[encoded location](#specifying-locations)** for the first object. You can specify environment variables.|
+    |*EncodedLocation2*|Yes|The **[encoded location](#specifying-locations)** for the second object. You can specify environment variables.|
 
   For example:
 
@@ -411,39 +399,39 @@ The &lt;condition&gt; functions return a Boolean value. You can use these elemen
 
 - **IsSameContent**
 
-  The IsSameContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be compared byte by byte.
+  The **IsSameContent** function returns **TRUE** if the given objects have the same content. Otherwise, it returns **FALSE**. The content will be compared byte by byte.
 
   Syntax: `IsSameContent("ObjectType1","EncodedLocation1","ObjectType2","EncodedLocation2")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     |*ObjectType1*|Yes|Defines the type of the first object. Can be File or Registry.|
-    |*EncodedLocation1*|Yes|The [encoded location](#locations) for the first object. You can specify environment variables.|
+    |*EncodedLocation1*|Yes|The **[encoded location](#specifying-locations)** for the first object. You can specify environment variables.|
     |*ObjectType2*|Yes|Defines the type of the second object. Can be File or Registry.|
-    |*EncodedLocation2*|Yes|The [encoded location](#locations) for the second object. You can specify environment variables.|
+    |*EncodedLocation2*|Yes|The **[encoded location](#specifying-locations)** for the second object. You can specify environment variables.|
 
 - **IsSameStringContent**
 
-  The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string.
+  The **IsSameStringContent** function returns **TRUE** if the given objects have the same content. Otherwise, it returns **FALSE**. The content will be interpreted as a string.
 
   Syntax: `IsSameStringContent("ObjectType1","EncodedLocation1","ObjectType2","EncodedLocation2")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     |*ObjectType1*|Yes|Defines the type of the first object. Can be File or Registry.|
-    |*EncodedLocation1*|Yes|The [encoded location](#locations) for the first object. You can specify environment variables.|
+    |*EncodedLocation1*|Yes|The **[encoded location](#specifying-locations)** for the first object. You can specify environment variables.|
     |*ObjectType2*|Yes|Defines the type of the second object. Can be File or Registry.|
-    |*EncodedLocation2*|Yes|The [encoded location](#locations) for the second object. You can specify environment variables.|
+    |*EncodedLocation2*|Yes|The **[encoded location](#specifying-locations)** for the second object. You can specify environment variables.|
 
-## <a href="" id="conditions"></a>&lt;conditions&gt;
+## &lt;conditions&gt;
 
-The &lt;conditions&gt; element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators AND or OR according to the **operation** parameter.
+The **&lt;conditions&gt;** element returns a Boolean result that is used to specify the conditions in which the parent element is evaluated. USMT evaluates the child elements, and then joins their results using the operators **AND** or **OR** according to the operation parameter.
 
--   **Number of occurrences:** Unlimited inside another &lt;conditions&gt; element. Limited to one occurrence in [&lt;detection&gt;](#detection), [&lt;rules&gt;](#rules), [&lt;addObjects&gt;](#addobjects), and [&lt;objectSet&gt;](#objectset)
+- **Number of occurrences:** Unlimited inside another **&lt;conditions&gt;** element. Limited to one occurrence in [&lt;detection&gt;](#detection), [&lt;rules&gt;](#rules), [&lt;addObjects&gt;](#addobjects), and [&lt;objectSet&gt;](#objectset)
 
--   **Parent elements:**[&lt;conditions&gt;](#conditions), [&lt;detection&gt;](#detection), [&lt;environment&gt;](#bkmk-environment), [&lt;rules&gt;](#rules), [&lt;addObjects&gt;](#addobjects), and [&lt;objectSet&gt;](#objectset)
+- **Parent elements:** [&lt;conditions&gt;](#conditions), [&lt;detection&gt;](#detection), [&lt;environment&gt;](#environment), [&lt;rules&gt;](#rules), [&lt;addObjects&gt;](#addobjects), and [&lt;objectSet&gt;](#objectset)
 
--   **Child elements:**[&lt;conditions&gt;](#conditions), [&lt;condition&gt;](#condition)
+- **Child elements:** [&lt;conditions&gt;](#conditions), [&lt;condition&gt;](#condition)
 
 Syntax:
 
@@ -456,7 +444,7 @@ Syntax:
 |--- |--- |--- |
 |operation|No, default = AND|Defines the Boolean operation that is performed on the results that are obtained from the child elements.|
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <environment name="GlobalEnv">
@@ -469,17 +457,17 @@ The following example is from the MigApp.xml file:
 </environment>
 ```
 
-## <a href="" id="content"></a>&lt;content&gt;
+## &lt;content&gt;
 
-You can use the &lt;content&gt; element to specify a list of object patterns to obtain an object set from the source computer. Each &lt;objectSet&gt; within a &lt;content&gt; element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the &lt;content&gt; element. The filter script returns an array of locations. The parent &lt;objectSet&gt; element can contain multiple child &lt;content&gt; elements.
+You can use the **&lt;content&gt;** element to specify a list of object patterns to obtain an object set from the source computer. Each **&lt;objectSet&gt;** within a **&lt;content&gt;** element is evaluated. For each resulting object pattern list, the objects that match it are enumerated and their content is filtered by the filter parameter. The resulting string array is the output for the **&lt;content&gt;** element. The filter script returns an array of locations. The parent **&lt;objectSet&gt;** element can contain multiple child **&lt;content&gt;** elements.
 
--   **Number of occurrences:** unlimited
+- **Number of occurrences:** unlimited
 
--   **Parent elements:**[&lt;objectSet&gt;](#objectset)
+- **Parent elements:** [&lt;objectSet&gt;](#objectset)
 
--   **Child elements:**[&lt;objectSet&gt;](#objectset)
+- **Child elements:** [&lt;objectSet&gt;](#objectset)
 
--   **Helper functions:** You can use the following [&lt;content&gt; functions](#contentfunctions) with this element: ExtractSingleFile, ExtractMultipleFiles, and ExtractDirectory.
+- **Helper functions:** You can use the following [&lt;content&gt; functions](#content-functions) with this element: `ExtractSingleFile`, `ExtractMultipleFiles`, and `ExtractDirectory`.
 
 Syntax:
 
@@ -490,22 +478,22 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/>The script is called for each object that is enumerated by the object sets in the &lt;include&gt; rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.|
+|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/>The script is called for each object that is enumerated by the object sets in the **&lt;include&gt;** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.|
 
-### <a href="" id="contentfunctions"></a>&lt;content&gt; functions
+### &lt;content&gt; functions
 
-The following functions generate patterns out of the content of an object. These functions are called for every object that the parent &lt;ObjectSet&gt; element is enumerating.
+The following functions generate patterns out of the content of an object. These functions are called for every object that the parent **&lt;ObjectSet&gt;** element is enumerating.
 
--   **ExtractSingleFile**
+- **ExtractSingleFile**
 
-    If the registry value is a MULTI-SZ, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns NULL.
+    If the registry value is a **MULTI-SZ**, only the first segment is processed. The returned pattern is the encoded location for a file that must exist on the system. If the specification is correct in the registry value, but the file does not exist, this function returns **NULL**.
 
     Syntax: `ExtractSingleFile(Separators,PathHints)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You can specify NULL.|
-    |*PathHints*|Yes|A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.|
+    |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is **"C:\Windows\Notepad.exe,-2"**, the separator is a comma. You can specify **NULL**.|
+    |*PathHints*|Yes|A list of extra paths, separated by colons (`;`), where the function will look for a file matching the current content. For example, if the content is **"Notepad.exe"** and the path is the **%Path%** environment variable, the function will find **Notepad.exe** in `%windir%` and returns **"c:\Windows [Notepad.exe]"**. You can specify **NULL**.|
 
   For example:
 
@@ -519,9 +507,9 @@ The following functions generate patterns out of the content of an object. These
   <content filter="MigXmlHelper.ExtractSingleFile(NULL,'%CSIDL_COMMON_FONTS%')">
   ```
 
--   **ExtractMultipleFiles**
+- **ExtractMultipleFiles**
 
-    The ExtractMultipleFiles function returns multiple patterns, one for each file that is found in the content of the given registry value. If the registry value is a MULTI-SZ, the MULTI-SZ separator is considered a separator by default. therefore, for MULTI-SZ, the &lt;Separators&gt; argument must be NULL.
+    The **ExtractMultipleFiles** function returns multiple patterns, one for each file that is found in the content of the given registry value. If the registry value is a **MULTI-SZ**, the **MULTI-SZ** separator is considered a separator by default. therefore, for **MULTI-SZ**, the **&lt;Separators&gt;** argument must be **NULL**.
 
     The returned patterns are the encoded locations for files that must exist on the source computer. If the specification is correct in the registry value but the file does not exist, it will not be included in the resulting list.
 
@@ -529,18 +517,18 @@ The following functions generate patterns out of the content of an object. These
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. This parameter must be NULL when processing MULTI-SZ registry values.|
-    |*PathHints*|Yes|A list of extra paths, separated by colons (;), where the function will look for a file matching the current content. For example, if the content is "Notepad.exe" and the path is the %Path% environment variable, the function will find Notepad.exe in %windir% and returns "c:\Windows [Notepad.exe]". You can specify NULL.|
+    |*Separators*|Yes|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is **"C:\Windows\Notepad.exe,-2"**, the separator is a comma. This parameter must be NULL when processing **MULTI-SZ** registry values.|
+    |*PathHints*|Yes|A list of extra paths, separated by colons (`;`), where the function will look for a file matching the current content. For example, if the content is **"Notepad.exe"** and the path is the **%Path%** environment variable, the function will find **Notepad.exe** in `%windir%` and returns **"c:\Windows [Notepad.exe]"**. You can specify **NULL**.|
 
--   **ExtractDirectory**
+- **ExtractDirectory**
 
-    The ExtractDirectory function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns NULL. If it is processing a registry value that is a MULTI-SZ, only the first segment will be processed.
+    The **ExtractDirectory** function returns a pattern that is the encoded location for a directory that must exist on the source computer. If the specification is correct in the registry value, but the directory does not exist, this function returns **NULL**. If it is processing a registry value that is a **MULTI-SZ**, only the first segment will be processed.
 
     Syntax: `ExtractDirectory(Separators,LevelsToTrim,PatternSuffix)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*Separators*|No|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is "C:\Windows\Notepad.exe,-2", the separator is a comma. You must specify NULL when processing MULTI-SZ registry values.|
+    |*Separators*|No|A list of possible separators that might follow the file specification in this registry value name. For example, if the content is **"C:\Windows\Notepad.exe,-2"**, the separator is a comma. You must specify **NULL** when processing **MULTI-SZ** registry values.|
     |*LevelsToTrim*|Yes|The number of levels to delete from the end of the directory specification. Use this function to extract a root directory when you have a registry value that points inside that root directory in a known location.|
     |*PatternSuffix*|Yes|The pattern to add to the directory specification. For example, `* [*]`.|
 
@@ -556,17 +544,17 @@ The following functions generate patterns out of the content of an object. These
   </objectSet>
   ```
 
-## <a href="" id="contentmodify"></a>&lt;contentModify&gt;
+## &lt;contentModify&gt;
 
-The &lt;contentModify&gt; element modifies the content of an object before it is written to the destination computer. For each &lt;contentModify&gt; element there can be multiple &lt;objectSet&gt; elements. This element returns the new content of the object that is being processed.
+The **&lt;contentModify&gt;** element modifies the content of an object before it is written to the destination computer. For each **&lt;contentModify&gt;** element there can be multiple **&lt;objectSet&gt;** elements. This element returns the new content of the object that is being processed.
 
--   **Number of occurrences:** Unlimited
+- **Number of occurrences:** Unlimited
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Required child elements:**[&lt;objectSet&gt;](#objectset)
+- **Required child elements:** [&lt;objectSet&gt;](#objectset)
 
--   **Helper functions**: You can use the following [&lt;contentModify&gt; functions](#contentmodifyfunctions) with this element: ConvertToDWORD, ConvertToString, ConvertToBinary, KeepExisting, OffsetValue, SetValueByTable, MergeMultiSzContent, and MergeDelimitedContent.
+- **Helper functions**: You can use the following [&lt;contentModify&gt; functions](#contentmodify-functions) with this element: **ConvertToDWORD**, **ConvertToString**, **ConvertToBinary**, **KeepExisting**, **OffsetValue**, **SetValueByTable**, **MergeMultiSzContent**, and **MergeDelimitedContent**.
 
 Syntax:
 
@@ -577,31 +565,31 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2").` <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.|
+|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2").` <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.|
 
-### <a href="" id="contentmodifyfunctions"></a>&lt;contentModify&gt; functions
+### &lt;contentModify&gt; functions
 
-The following functions change the content of objects as they are migrated. These functions are called for every object that the parent &lt;ObjectSet&gt; element is enumerating.
+The following functions change the content of objects as they are migrated. These functions are called for every object that the parent **&lt;ObjectSet&gt;** element is enumerating.
 
--   **ConvertToDWORD**
+- **ConvertToDWORD**
 
-    The ConvertToDWORD function converts the content of registry values that are enumerated by the parent &lt;ObjectSet&gt; element to a DWORD. For example, ConvertToDWORD will convert the string "1" to the DWORD 0x00000001. If the conversion fails, then the value of DefaultValueOnError will be applied.
+    The **ConvertToDWORD** function converts the content of registry values that are enumerated by the parent **&lt;ObjectSet&gt;** element to a DWORD. For example, **ConvertToDWORD** will convert the string `"1"` to the DWORD `0x00000001`. If the conversion fails, then the value of **DefaultValueOnError** will be applied.
 
     Syntax: `ConvertToDWORD(DefaultValueOnError)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.|
+    |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify **NULL**, and `0` will be written if the conversion fails.|
 
--   **ConvertToString**
+- **ConvertToString**
 
-    The ConvertToString function converts the content of registry values that match the parent &lt;ObjectSet&gt; element to a string. For example, it will convert the DWORD 0x00000001 to the string "1". If the conversion fails, then the value of DefaultValueOnError will be applied.
+    The **ConvertToString** function converts the content of registry values that match the parent **&lt;ObjectSet&gt;** element to a string. For example, it will convert the DWORD `0x00000001` to the string **"1"**. If the conversion fails, then the value of **DefaultValueOnError** will be applied.
 
     Syntax: `ConvertToString(DefaultValueOnError)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify NULL, and 0 will be written if the conversion fails.|
+    |*DefaultValueOnError*|No|The value that will be written into the value name if the conversion fails. You can specify **NULL**, and `0` will be written if the conversion fails.|
 
   For example:
 
@@ -613,15 +601,15 @@ The following functions change the content of objects as they are migrated. Thes
   </contentModify>
   ```
 
--   **ConvertToBinary**
+- **ConvertToBinary**
 
-    The ConvertToBinary function converts the content of registry values that match the parent &lt;ObjectSet&gt; element to a binary type.
+    The **ConvertToBinary** function converts the content of registry values that match the parent **&lt;ObjectSet&gt;** element to a binary type.
 
     Syntax: `ConvertToBinary ()`
 
--   **OffsetValue**
+- **OffsetValue**
 
-    The OffsetValue function adds or subtracts *Value* from the value of the migrated object, and then writes the result back into the registry value on the destination computer. For example, if the migrated object is a DWORD with a value of 14, and the *Value* is "-2", the registry value will be 12 on the destination computer.
+    The **OffsetValue** function adds or subtracts *Value* from the value of the migrated object, and then writes the result back into the registry value on the destination computer. For example, if the migrated object is a DWORD with a value of `14`, and the *Value* is **"-2"**, the registry value will be `12` on the destination computer.
 
     Syntax: `OffsetValue(Value)`
 
@@ -629,9 +617,9 @@ The following functions change the content of objects as they are migrated. Thes
     |--- |--- |--- |
     |*Value*|Yes|The string representation of a numeric value. It can be positive or negative. For example, `OffsetValue(2)`.|
 
--   **SetValueByTable**
+- **SetValueByTable**
 
-    The SetValueByTable function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied.
+    The **SetValueByTable** function matches the value from the source computer to the source table. If the value is there, the equivalent value in the destination table will be applied. If the value is not there, or if the destination table has no equivalent value, the *DefaultValueOnError* will be applied.
 
     Syntax: `SetValueByTable(SourceTable,DestinationTable,DefaultValueOnError)`
 
@@ -639,21 +627,21 @@ The following functions change the content of objects as they are migrated. Thes
     |--- |--- |--- |
     |*SourceTable*|Yes|A list of values separated by commas that are possible for the source registry values.|
     |*DestinationTable*|No|A list of translated values separated by commas.|
-    |*DefaultValueOnError*|No|The value that will be applied to the destination computer if either 1) the value for the source computer does not match *SourceTable*, or 2) *DestinationTable* has no equivalent value. <br/><br/>If DefaultValueOnError is NULL, the value will not be changed on the destination computer.|
+    |*DefaultValueOnError*|No|The value that will be applied to the destination computer if either <ol><li>The value for the source computer does not match *SourceTable*</li><li>*DestinationTable* has no equivalent value.</li></ol><br>If **DefaultValueOnError** is **NULL**, the value will not be changed on the destination computer.|
 
--   **KeepExisting**
+- **KeepExisting**
 
-    You can use the KeepExisting function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer.
+    You can use the **KeepExisting** function when there are conflicts on the destination computer. This function will keep (not overwrite) the specified attributes for the object that is on the destination computer.
 
     Syntax: `KeepExisting("OptionString","OptionString","OptionString",…)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    | *OptionString* | Yes | *OptionString* can be **Security**, **TimeFields**, or **FileAttrib**:*Letter*. You can specify one of each type of *OptionStrings*. Do not specify multiple *OptionStrings* with the same value. If you do, the right-most option of that type will be kept. For example, do not specify **(&quot;FileAttrib:H&quot;, &quot;FileAttrib:R&quot;)** because only Read-only will be evaluated. Instead specify **(&quot;FileAttrib:HR&quot;)** and both Hidden and Read-only attributes will be kept on the destination computer. <ul><li>**Security**. Keeps the destination object's security descriptor if it exists.</li><li>**TimeFields**. Keeps the destination object's time stamps. This parameter is for files only.</li><li>**FileAttrib:** *Letter*. Keeps the destination object's attribute value, either On or OFF, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after &quot;FileAttrib:&quot;. You can specify any combination of the following attributes: <ul><li>**A** = Archive</li><li>**C** = Compressed</li><li>**E** = Encrypted</li><li>**H** = Hidden</li><li>**I** = Not Content Indexed</li><li>**O** = Offline</li><li>**R** = Read-Only</li><li>**S** = System</li><li>**T** = Temporary</li></ul></li></ul> |
+    | *OptionString* | Yes | *OptionString* can be **Security**, **TimeFields**, or **FileAttrib**:*Letter*. You can specify one of each type of *OptionStrings*. Do not specify multiple *OptionStrings* with the same value. If you do, the right-most option of that type will be kept. For example, do not specify **(&quot;FileAttrib:H&quot;, &quot;FileAttrib:R&quot;)** because only Read-only will be evaluated. Instead specify **(&quot;FileAttrib:HR&quot;)** and both Hidden and Read-only attributes will be kept on the destination computer. <ul><li>**Security**: Keeps the destination object's security descriptor if it exists.</li><li>**TimeFields**: Keeps the destination object's time stamps. This parameter is for files only.</li><li>**FileAttrib:&lt;Letter&gt;**: Keeps the destination object's attribute value, either **ON** or **OFF**, for the specified set of file attributes. This parameter is for files only. The following are case-insensitive, but USMT will ignore any values that are invalid, repeated, or if there is a space after **FileAttrib:**. You can specify any combination of the following attributes: <ul><li>**A** = Archive</li><li>**C** = Compressed</li><li>**E** = Encrypted</li><li>**H** = Hidden</li><li>**I** = Not Content Indexed</li><li>**O** = Offline</li><li>**R** = Read-Only</li><li>**S** = System</li><li>**T** = Temporary</li></ul></li></ul> |
 
--   **MergeMultiSzContent**
+- **MergeMultiSzContent**
 
-    The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent &lt;ObjectSet&gt; element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed.
+    The **MergeMultiSzContent** function merges the **MULTI-SZ** content of the registry values that are enumerated by the parent **&lt;ObjectSet&gt;** element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting **MULTI-SZ**. Duplicate elements will be removed.
 
     Syntax: `MergeMultiSzContent (Instruction,String,Instruction,String,…)`
 
@@ -662,27 +650,27 @@ The following functions change the content of objects as they are migrated. Thes
     | *Instruction* | Yes | Can be one of the following: <ul><li>**Add**. Adds the corresponding String to the resulting MULTI-SZ if it is not already there.</li><li>**Remove**. Removes the corresponding String from the resulting MULTI-SZ.</li></ul> |
     | *String* | Yes | The string to be added or removed. |
 
--   **MergeDelimitedContent**
+- **MergeDelimitedContent**
 
-    The MergeDelimitedContent function merges the content of the registry values that are enumerated by the parent &lt;ObjectSet&gt; element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed.
+    The **MergeDelimitedContent** function merges the content of the registry values that are enumerated by the parent **&lt;ObjectSet&gt;** element with the content of the equivalent registry values that already exist on the destination computer. The content is considered a list of elements separated by one of the characters in the Delimiters parameter. Duplicate elements will be removed.
 
     Syntax: `MergeDelimitedContent(Delimiters,Instruction,String,…)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    | *Delimiters* | Yes | A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the *Delimiters*. <br/>For example, &quot;.&quot; will separate the string based on a period. |
-    | *Instruction* | Yes | Can one of the following: <ul><li>**Add.** Adds *String* to the resulting MULTI-SZ if it is not already there.</li><li>**Remove.** Removes *String* from the resulting MULTI-SZ.</li></ul> |
+    | *Delimiters* | Yes | A single character that will be used to separate the content of the object that is being processed. The content will be considered as a list of elements that is separated by the *Delimiters*. <br/>For example, `"."` will separate the string based on a period. |
+    | *Instruction* | Yes | Can be one of the following: <ul><li>**Add**: Adds *String* to the resulting MULTI-SZ if it is not already there.</li><li>**Remove**: Removes *String* from the resulting MULTI-SZ.</li></ul> |
     | *String* | Yes | The string to be added or removed. |
 
-## <a href="" id="description"></a>&lt;description&gt;
+## &lt;description&gt;
 
-The &lt;description&gt; element defines a description for the component but does not affect the migration.
+The **&lt;description&gt;** element defines a description for the component but does not affect the migration.
 
--   **Number of occurrences:** zero or one
+- **Number of occurrences:** zero or one
 
--   **Parent elements:**[&lt;component&gt;](#component)
+- **Parent elements:** [&lt;component&gt;](#component)
 
--   **Child elements:** none
+- **Child elements:** none
 
 Syntax:
 
@@ -700,22 +688,20 @@ The following code sample shows how the &lt;description&gt; element defines the
 <description>My custom component<description>
 ```
 
-## <a href="" id="destinationcleanup"></a>&lt;destinationCleanup&gt;
+## &lt;destinationCleanup&gt;
 
-The &lt;destinationCleanup&gt; element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the LoadState tool is run on the destination computer. That is, this element is ignored by the ScanState tool.
+The **&lt;destinationCleanup&gt;** element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the **LoadState** tool is run on the destination computer. That is, this element is ignored by the **ScanState** tool.
 
 > [!IMPORTANT]
 > Use this option with extreme caution because it will delete objects from the destination computer.
 
+For each **&lt;destinationCleanup&gt;** element there can be multiple **&lt;objectSet&gt;** elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer.
 
+- **Number of occurrences:** Unlimited
 
-For each &lt;destinationCleanup&gt; element there can be multiple &lt;objectSet&gt; elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer.
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Number of occurrences:** Unlimited
-
--   **Parent elements:**[&lt;rules&gt;](#rules)
-
--   **Child elements:**[&lt;objectSet&gt;](#objectset) (Note that the destination computer will delete all child elements.)
+- **Child elements:** [&lt;objectSet&gt;](#objectset) (Note that the destination computer will delete all child elements.)
 
 Syntax:
 
@@ -726,7 +712,7 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.|
+|filter|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.|
 
 For example:
 
@@ -739,21 +725,21 @@ For example:
 </destinationCleanup>
 ```
 
-## <a href="" id="detect"></a>&lt;detect&gt;
+## &lt;detect&gt;
 
-Although the &lt;detect&gt; element is still supported, we do not recommend using it because it may be deprecated in future versions of USMT. In that case, you would have to rewrite your scripts. Instead, we recommend that you use the [&lt;detection&gt;](#detection)**element.**
+Although the **&lt;detect&gt;** element is still supported, it is recommend to no longer use the **&lt;detect&gt;** element because it may be deprecated in future versions of USMT. If the **&lt;detect&gt;** element were depecated, it would require a rewrite of any scripts that use the **&lt;detect&gt;** element. Instead, it is recommend to use the **[&lt;detection&gt;](#detection)** element. The **&lt;detection&gt;** element allows for more clearly formulated complex Boolean statements
 
-You use the &lt;detect&gt; element to determine if the component is present on a system. If all child &lt;detect&gt; elements within a &lt;detect&gt; element resolve to TRUE, then the &lt;detect&gt; element resolves to TRUE. If any child &lt;detect&gt; elements resolve to FALSE, then their parent &lt;detect&gt; element resolves to FALSE. If there is no &lt;detect&gt; element section, then USMT will assume that the component is present.
+The **&lt;detect&gt;** element can be used to determine if the component is present on a system. If all child **&lt;detect&gt;** elements within a **&lt;detect&gt;** element resolve to **TRUE**, then the **&lt;detect&gt;** element resolves to **TRUE**. If any child **&lt;detect&gt;** elements resolve to **FALSE**, then their parent **&lt;detect&gt;** element resolves to **FALSE**. If there is no **&lt;detect&gt;** element section, then USMT will assume that the component is present.
 
-For each &lt;detect&gt; element there can be multiple child &lt;condition&gt; or &lt;objectSet&gt; elements, which will be logically joined by an OR operator. If at least one &lt;condition&gt; or &lt;objectSet&gt; element evaluates to TRUE, then the &lt;detect&gt; element evaluates to TRUE.
+For each **&lt;detect&gt;** element there can be multiple child **&lt;condition&gt;** or **&lt;objectSet&gt;** elements, which will be logically joined by an **OR** operator. If at least one **&lt;condition&gt;** or **&lt;objectSet&gt;** element evaluates to **TRUE**, then the **&lt;detect&gt;** element evaluates to **TRUE**.
 
--   **Number of occurrences:** unlimited
+- **Number of occurrences:** unlimited
 
--   **Parent elements:** &lt;detects&gt;, [&lt;namedElements&gt;](#namedelements)
+- **Parent elements:** [&lt;detects&gt;](#detects), [&lt;namedElements&gt;](#namedelements)
 
--   **Required child elements:**[&lt;condition&gt;](#condition)
+- **Required child elements:** [&lt;condition&gt;](#condition)
 
--   **Optional child elements:**[&lt;objectSet&gt;](#objectset)
+- **Optional child elements:** [&lt;objectSet&gt;](#objectset)
 
 Syntax:
 
@@ -764,16 +750,16 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| name | Yes, when &lt;detect&gt; is a child to &lt;namedElements&gt; <br/>No, when &lt;detect&gt; is a child to &lt;detects&gt; | When *ID* is specified, any child elements are not processed. Instead, any other &lt;detect&gt; elements with the same name that are declared within the &lt;namedElements&gt; element are processed. |
-| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the component element. For example, if a &lt;component&gt; element has a context of User, and a &lt;rules&gt; element had a context of UserAndSystem, then the &lt;rules&gt; element would act as though it had a context of User. If the &lt;rules&gt; element had a context of System, it would act as though the &lt;rules&gt; element were not there. <ul><li>**User.** Evaluates the variables for each user.</li><li>**System.** Evaluates the variables only once for the system.</li><li>**UserAndSystem.** Evaluates the variables for the entire operating system and each user.</li></ul> |
+| name | Yes, when **&lt;detect&gt;** is a child to **&lt;namedElements&gt;** <br/>No, when **&lt;detect&gt;** is a child to &lt;detects&gt; | When *ID* is specified, any child elements are not processed. Instead, any other **&lt;detect&gt;** elements with the same name that are declared within the **&lt;namedElements&gt;** element are processed. |
+| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter which are whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the component element. For example, if a **&lt;component&gt;** element has a context of **User**, and a **&lt;rules&gt;** element had a context of **UserAndSystem**, then the **&lt;rules&gt;** element would act as though it had a context of **User**. If the **&lt;rules&gt;** element had a context of **System**, it would act as though the **&lt;rules&gt;** element were not there. <ul><li>**User**: Evaluates the variables for each user.</li><li>**System**: Evaluates the variables only once for the system.</li><li>**UserAndSystem**: Evaluates the variables for the entire operating system and each user.</li></ul> |
 
 For examples, see the examples for [&lt;detection&gt;](#detection).
 
-## <a href="" id="detects"></a>&lt;detects&gt;
+## &lt;detects&gt;
 
-Although the &lt;detects&gt; element is still supported, we recommend that you do not use it because it may be deprecated in future versions of USMT, which would require you to rewrite your scripts. Instead, we recommend that you use the [&lt;detection&gt;](#detection) element if the parent element is &lt;role&gt; or &lt;namedElements&gt;, and we recommend that you use the &lt;conditions&gt; element if the parent element is &lt;rules&gt;. Using &lt;detection&gt; allows you to more clearly formulate complex Boolean statements.
+Although the **&lt;detects&gt;** element is still supported, it is recommend to no longer use the **&lt;detects&gt;** element because it may be deprecated in future versions of USMT. If the **&lt;detects&gt;** element were deprecated, it would require a rewrite of any scripts that use the **&lt;detects&gt;** element. Instead, it is recommend to use the **[&lt;detection&gt;](#detection)** element if the parent element is **&lt;role&gt;** or **&lt;namedElements&gt;**, or use the **[&lt;conditions&gt;](#conditions)** element if the parent element is **&lt;rules&gt;**. The **&lt;detection&gt;** element allows for more clearly formulated complex Boolean statements and the **&lt;conditions&gt;** element allows for formulation of complex Boolean statements.
 
-The &lt;detects&gt; element is a container for one or more &lt;detect&gt; elements. If all of the child &lt;detect&gt; elements within a &lt;detects&gt; element resolve to TRUE, then &lt;detects&gt; resolves to TRUE. If any of the child &lt;detect&gt; elements resolve to FALSE, then &lt;detects&gt; resolves to FALSE. If you do not want to write the &lt;detects&gt; elements within a component, then you can create the &lt;detects&gt; element under the &lt;namedElements&gt; element, and then refer to it. If there is no &lt;detects&gt; element section, then USMT will assume that the component is present. The results from each &lt;detects&gt; element are joined together by the OR operator to form the rule used to detect the parent element.
+The **&lt;detects&gt;** element is a container for one or more **&lt;detect&gt;** elements. If all of the child **&lt;detect&gt;** elements within a **&lt;detects&gt;** element resolve to **TRUE**, then **&lt;detects&gt;** resolves to **TRUE**. If any of the child **&lt;detect&gt;** elements resolve to **FALSE**, then **&lt;detects&gt;** resolves to **FALSE**. If you do not want to write the **&lt;detects&gt;** elements within a component, then you can create the **&lt;detects&gt;** element under the **&lt;namedElements&gt;** element, and then refer to it. If there is no **&lt;detects&gt;** element section, then USMT will assume that the component is present. The results from each **&lt;detects&gt;** element are joined together by the **OR** operator to form the rule used to detect the parent element.
 
 Syntax:
 
@@ -782,18 +768,18 @@ Syntax:
 </detects>
 ```
 
--   **Number of occurrences:** Unlimited.
+- **Number of occurrences:** Unlimited.
 
--   **Parent elements:**[&lt;role&gt;](#role), [&lt;rules&gt;](#rules), [&lt;namedElements&gt;](#namedelements)
+- **Parent elements:** [&lt;role&gt;](#role), [&lt;rules&gt;](#rules), [&lt;namedElements&gt;](#namedelements)
 
--   **Required child elements:** &lt;detect&gt;
+- **Required child elements:** [&lt;detect&gt;](#detect)
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| name | Yes, when &lt;detects&gt; is a child to &lt;namedElements&gt; <br/>No, when &lt;detects&gt; is a child to &lt;role&gt; or &lt;rules&gt; | When *ID* is specified, no child &lt;detect&gt; elements are processed. Instead, any other &lt;detects&gt; elements with the same name that are declared within the &lt;namedElements&gt; element are processed. |
-| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the &lt;component element&gt;. For example, if a &lt;component&gt; element has a context of User and a &lt;rules&gt; element had a context of UserAndSystem, then the &lt;rules&gt; element would act as though it had a context of User. If the &lt;rules&gt; element had a context of System, it would act as though the &lt;rules&gt; element were not there. <ul><li>**User.** Evaluates the variables for each user.</li><li>**System.** Evaluates the variables only once for the system.</li><li>**UserAndSystem.** Evaluates the variables for the entire operating system and each user.</li></ul> <br/>The context parameter is ignored for &lt;detects&gt; elements that are inside &lt;rules&gt; elements. |
+| name | Yes, when &lt;detects&gt; is a child to **&lt;namedElements&gt;** <br/>No, when &lt;detects&gt; is a child to **&lt;role&gt;** or **&lt;rules&gt;** | When *ID* is specified, no child **&lt;detect&gt;** elements are processed. Instead, any other **&lt;detects&gt;** elements with the same name that are declared within the **&lt;namedElements&gt;** element are processed. |
+| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the **&lt;component element&gt;**. For example, if a **&lt;component&gt;** element has a context of **User** and a **&lt;rules&gt;** element had a context of **UserAndSystem**, then the **&lt;rules&gt;** element would act as though it had a context of **User**. If the **&lt;rules&gt;** element had a context of **System**, it would act as though the **&lt;rules&gt;** element were not there. <ul><li>**User**: Evaluates the variables for each user.</li><li>**System**: Evaluates the variables only once for the system.</li><li>**UserAndSystem**: Evaluates the variables for the entire operating system and each user.</li></ul> <br/>The context parameter is ignored for **&lt;detects&gt;** elements that are inside **&lt;rules&gt;** elements. |
 
-The following example is from the MigApp.xml file.
+The following example is from the `MigApp.xml` file.
 
 ```xml
 <detects>
@@ -806,20 +792,19 @@ The following example is from the MigApp.xml file.
 </detects>
 ```
 
-## <a href="" id="detection"></a>&lt;detection&gt;
+## &lt;detection&gt;
 
+The  **&lt;detection&gt;** element is a container for one **&lt;conditions&gt;** element. The result of the child **&lt;condition&gt;** elements, located underneath the **&lt;conditions&gt;** element, determines the result of this element. For example, if all of the child **&lt;conditions&gt;** elements within the  **&lt;detection&gt;** element resolve to **TRUE**, then the  **&lt;detection&gt;** element resolves to **TRUE**. If any of the child **&lt;conditions&gt;** elements resolve to **FALSE**, then the  **&lt;detection&gt;** element resolves to **FALSE**.
 
-The &lt;detection&gt; element is a container for one &lt;conditions&gt; element. The result of the child &lt;condition&gt; elements, located underneath the &lt;conditions&gt; element, determines the result of this element. For example, if all of the child &lt;conditions&gt; elements within the &lt;detection&gt; element resolve to TRUE, then the &lt;detection&gt; element resolves to TRUE. If any of the child &lt;conditions&gt; elements resolve to FALSE, then the &lt;detection&gt; element resolves to FALSE.
+In addition, the results from each  **&lt;detection&gt;** section within the **&lt;role&gt;** element are joined together by the **OR** operator to form the detection rule of the parent element. That is, if one of the  **&lt;detection&gt;** sections resolves to **TRUE**, then the **&lt;role&gt;** element will be processed. Otherwise, the **&lt;role&gt;** element will not be processed.
 
-In addition, the results from each &lt;detection&gt; section within the &lt;role&gt; element are joined together by the OR operator to form the detection rule of the parent element. That is, if one of the &lt;detection&gt; sections resolves to TRUE, then the &lt;role&gt; element will be processed. Otherwise, the &lt;role&gt; element will not be processed.
+Use the  **&lt;detection&gt;** element under the **&lt;namedElements&gt;** element if you do not want to write it within a component. Then include a matching  **&lt;detection&gt;** section under the **&lt;role&gt;** element to control whether the component is migrated. If there is not a  **&lt;detection&gt;** section for a component, then USMT will assume that the component is present.
 
-Use the &lt;detection&gt; element under the &lt;namedElements&gt; element if you do not want to write it within a component. Then include a matching &lt;detection&gt; section under the &lt;role&gt; element to control whether the component is migrated. If there is not a &lt;detection&gt; section for a component, then USMT will assume that the component is present.
+- **Number of occurrences:** Unlimited.
 
--   **Number of occurrences:** Unlimited.
+- **Parent elements:** [&lt;role&gt;](#role), [&lt;namedElements&gt;](#namedelements)
 
--   **Parent elements:**[&lt;role&gt;](#role), [&lt;namedElements&gt;](#namedelements)
-
--   **Child elements:**[&lt;conditions&gt;](#conditions)
+- **Child elements:** [&lt;conditions&gt;](#conditions)
 
 Syntax:
 
@@ -830,8 +815,8 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| name | <ul><li>Yes, when &lt;detection&gt; is declared under &lt;namedElements&gt;</li><li>Optional, when declared under &lt;role&gt;</li></ul> | If declared, the content of the &lt;detection&gt; element is ignored and the content of the &lt;detection&gt; element with the same name that is declared in the &lt;namedElements&gt; element will be evaluated. |
-| context | No, default = UserAndSystem | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. <ul><li>**User.** Evaluates the component for each user.</li><li>**System.** Evaluates the component only once for the system.</li><li>**UserAndSystem.** Evaluates the component for the entire operating system and each user.</li></ul> |
+| name | <ul><li>Yes, when **&lt;detection&gt;** is declared under **&lt;namedElements&gt;**</li><li>Optional, when declared under **&lt;role&gt;**</li></ul> | If declared, the content of the  **&lt;detection&gt;** element is ignored and the content of the  **&lt;detection&gt;** element with the same name that is declared in the **&lt;namedElements&gt;** element will be evaluated. |
+| context | No, default = UserAndSystem | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. <ul><li>**User**: Evaluates the component for each user.</li><li>**System**: Evaluates the component only once for the system.</li><li>**UserAndSystem**: Evaluates the component for the entire operating system and each user.</li></ul> |
 
 For example:
 
@@ -856,16 +841,15 @@ and
    </detection>
 ```
 
-## <a href="" id="displayname"></a>&lt;displayName&gt;
+## &lt;displayName&gt;
 
+The **&lt;displayName&gt;** element is a required field within each **&lt;component&gt;** element.
 
-The &lt;displayName&gt; element is a required field within each &lt;component&gt; element.
+- **Number of occurrences:** once for each component
 
--   **Number of occurrences:** once for each component
+- **Parent elements:** [&lt;component&gt;](#component)
 
--   **Parent elements:**[&lt;component&gt;](#component)
-
--   **Child elements:** none
+- **Child elements:** none
 
 Syntax:
 
@@ -884,17 +868,17 @@ For example:
 <displayName>Command Prompt settings</displayName>
 ```
 
-## <a href="" id="bkmk-environment"></a>&lt;environment&gt;
+## &lt;environment&gt;
 
-The &lt;environment&gt; element is a container for &lt;variable&gt; elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#envex).
+The **&lt;environment&gt;** element is a container for **&lt;variable&gt;** elements in which you can define variables to use in your .xml file. All environment variables defined this way will be private. That is, they will be available only for their child components and the component in which they were defined. For two example scenarios, see [Examples](#examples).
 
--   **Number of occurrences:** unlimited
+- **Number of occurrences:** unlimited
 
--   **Parent elements:**[&lt;role&gt;](#role), [&lt;component&gt;](#component), [&lt;namedElements&gt;](#namedelements)
+- **Parent elements:** [&lt;role&gt;](#role), [&lt;component&gt;](#component), [&lt;namedElements&gt;](#namedelements)
 
--   **Required child elements:**[&lt;variable&gt;](#variable)
+- **Required child elements:** [&lt;variable&gt;](#variable)
 
--   **Optional child elements:**[conditions](#conditions)
+- **Optional child elements:** [&lt;conditions&gt;](#conditions)
 
 Syntax:
 
@@ -905,14 +889,14 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| name | Yes, when &lt;environment&gt; is a child of &lt;namedElements&gt; <br/>No, when &lt;environment&gt; is a child of &lt;role&gt; or &lt;component&gt; | When declared as a child of the &lt;role&gt; or &lt;component&gt; elements, if *ID* is declared, USMT ignores the content of the &lt;environment&gt; element and the content of the &lt;environment&gt; element with the same name declared in the &lt;namedElements&gt; element is processed. |
-| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the &lt;component&gt; element. For example, if a &lt;component&gt; element has a context of User and a &lt;rules&gt; element had a context of UserAndSystem, then the &lt;rules&gt; element would act as though it had a context of User. If the &lt;rules&gt; element had a context of System, it would act as though &lt;rules&gt; were not there. <ul><li>**User.** Evaluates the variables for each user.</li><li>**System.** Evaluates the variables only once for the system.</li><li>**UserAndSystem.** Evaluates the variables for the entire operating system and each user.</li></ul> |
+| name | Yes, when **&lt;environment&gt;** is a child of **&lt;namedElements&gt;** <br/>No, when **&lt;environment&gt;** is a child of **&lt;role&gt;** or **&lt;component&gt;** | When declared as a child of the **&lt;role&gt;** or **&lt;component&gt;** elements, if *ID* is declared, USMT ignores the content of the **&lt;environment&gt;** element and the content of the **&lt;environment&gt;** element with the same name declared in the **&lt;namedElements&gt;** element is processed. |
+| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter: whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the **&lt;component&gt;** element. For example, if a **&lt;component&gt;** element has a context of **User** and a **&lt;rules&gt;** element had a context of **UserAndSystem**, then the **&lt;rules&gt;** element would act as though it had a context of **User**. If the **&lt;rules&gt;** element had a context of **System**, it would act as though **&lt;rules&gt;** were not there. <ul><li>**User**: Evaluates the variables for each user.</li><li>**System**: Evaluates the variables only once for the system.</li><li>**UserAndSystem**: Evaluates the variables for the entire operating system and each user.</li></ul> |
 
-## <a href="" id="envex"></a>
+## Examples
 
 ### Example scenario 1
 
-In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example:
+In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value `hklm\software\companyname\install [path\]` and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example:
 
 ```xml
 <environment>
@@ -922,7 +906,7 @@ In this scenario, you want to generate the location of objects at run time depen
 </environment>
 ```
 
-Then you can use an include rule as follows. You can use any of the [&lt;script&gt; functions](#scriptfunctions) to perform similar tasks.
+Then you can use an include rule as follows. You can use any of the [&lt;script&gt; functions](#script-functions) to perform similar tasks.
 
 ```xml
 <include>
@@ -932,7 +916,7 @@ Then you can use an include rule as follows. You can use any of the [&lt;script&
 </include>
 ```
 
-Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\].
+Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator "`,`") in the value of the registry `Hklm\software\companyname\application\ [Path\]`.
 
 ```xml
 <environment>
@@ -948,9 +932,9 @@ Second, you can also filter registry values that contain data that you need. The
 </environment>
 ```
 
-### Example scenario 2:
+### Example scenario 2
 
-In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following &lt;include&gt; rule in an .xml file:
+In this scenario, you want to migrate five files named `File1.txt`, `File2.txt`, and so on, from `%SYSTEMDRIVE%\data\userdata\dir1\dir2\`. To do this you must have the following **&lt;include&gt;** rule in an .xml file:
 
 ```xml
 <include>
@@ -974,7 +958,7 @@ Instead of typing the path five times, you can create a variable for the locatio
 </environment>
 ```
 
-Then, you can specify the variable in an &lt;include&gt; rule as follows:
+Then, you can specify the variable in an **&lt;include&gt;** rule as follows:
 
 ```xml
 <include>
@@ -988,18 +972,17 @@ Then, you can specify the variable in an &lt;include&gt; rule as follows:
 </include>
 ```
 
-## <a href="" id="exclude"></a>&lt;exclude&gt;
+## &lt;exclude&gt;
 
+The **&lt;exclude&gt;** element determines what objects will not be migrated, unless there is a more specific **&lt;include&gt;** element that migrates an object. If there is an **&lt;include&gt;** and **&lt;exclude&gt;** element for the same object, the object will be included. For each **&lt;exclude&gt;** element there can be multiple child **&lt;objectSet&gt;** elements.
 
-The &lt;exclude&gt; element determines what objects will not be migrated, unless there is a more specific &lt;include&gt; element that migrates an object. If there is an &lt;include&gt; and &lt;exclude&gt; element for the same object, the object will be included. For each &lt;exclude&gt; element there can be multiple child &lt;objectSet&gt; elements.
+- **Number of occurrences:** Unlimited
 
--   **Number of occurrences:** Unlimited
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
+- **Child elements:** [&lt;objectSet&gt;](#objectset)
 
--   **Child elements:**[&lt;objectSet&gt;](#objectset)
-
--   **Helper functions:** You can use the following [&lt;exclude&gt; filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, NeverRestore, and SameRegContent.
+- **Helper functions:** You can use the following [&lt;exclude&gt; filter functions](#include-and-exclude-filter-functions) with this element: `CompareStringContent`, `IgnoreIrrelevantLinks`, `AnswerNo`, `NeverRestore`, and `SameRegContent`.
 
 Syntax:
 
@@ -1010,10 +993,9 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|filter|No <br/>(default = No)|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.|
+|filter|No <br/>(default = No)|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.|
 
-
-For example, from the MigUser.xml file:
+For example, from the `MigUser.xml` file:
 
 ```xml
 <exclude>
@@ -1025,16 +1007,15 @@ For example, from the MigUser.xml file:
 </exclude>
 ```
 
-## <a href="" id="excludeattributes"></a>&lt;excludeAttributes&gt;
+## &lt;excludeAttributes&gt;
 
+You can use the **&lt;excludeAttributes&gt;** element to determine which parameters associated with an object will not be migrated. If there are conflicts between the **&lt;includeAttributes&gt;** and **&lt;excludeAttributes&gt;** elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an **&lt;includeAttributes&gt;** or **&lt;excludeAttributes&gt;** element, then all of its parameters will be migrated.
 
-You can use the &lt;excludeAttributes&gt; element to determine which parameters associated with an object will not be migrated. If there are conflicts between the &lt;includeAttributes&gt; and &lt;excludeAttributes&gt; elements, the most specific pattern determines the patterns that will not be migrated. If an object does not have an &lt;includeAttributes&gt; or &lt;excludeAttributes&gt; element, then all of its parameters will be migrated.
+- **Number of occurrences:** Unlimited
 
--   **Number of occurrences:** Unlimited
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
-
--   **Child elements:**[&lt;objectSet&gt;](#objectset)
+- **Child elements:** [&lt;objectSet&gt;](#objectset)
 
 Syntax:
 
@@ -1074,7 +1055,7 @@ Example:
                      <pattern type="File">%SYSTEMDRIVE%\ [aa.txt]</pattern>
                   </objectSet>
                </includeAttributes>
-<!-- Logoff the user after loadstate successfully completed. -->
+<!-- Logoff the user after LoadState successfully completed. -->
                <externalProcess when="post-apply">
                   <commandLine>
                      logoff
@@ -1098,16 +1079,15 @@ Example:
 </migration>
 ```
 
-## <a href="" id="extensions"></a>&lt;extensions&gt;
-
+## &lt;extensions&gt;
 
 The &lt;extensions&gt; element is a container for one or more &lt;extension&gt; elements.
 
--   **Number of occurrences:** zero or one
+- **Number of occurrences:** zero or one
 
--   **Parent elements:**[&lt;component&gt;](#component)
+- **Parent elements:** [&lt;component&gt;](#component)
 
--   **Required child elements:**[&lt;extension&gt;](#extension)
+- **Required child elements:** [&lt;extension&gt;](#extension)
 
 Syntax:
 
@@ -1116,16 +1096,15 @@ Syntax:
 </extensions>
 ```
 
-## <a href="" id="extension"></a>&lt;extension&gt;
-
+## &lt;extension&gt;
 
 You can use the &lt;extension&gt; element to specify documents of a specific extension.
 
--   **Number of occurrences:** unlimited
+- **Number of occurrences:** unlimited
 
--   **Parent elements:**[&lt;extensions&gt;](#extensions)
+- **Parent elements:** [&lt;extensions&gt;](#extensions)
 
--   **Child elements:** none
+- **Child elements:** none
 
 Syntax:
 
@@ -1137,7 +1116,7 @@ Syntax:
 |--- |--- |--- |
 |*FilenameExtension*|Yes|A file name extension.|
 
-For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the &lt;component&gt; element:
+For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the **&lt;component&gt;** element:
 
 ```xml
 <extensions> 
@@ -1145,7 +1124,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s
 <extensions> 
 ```
 
-is the same as specifying the following code below the &lt;rules&gt; element:
+is the same as specifying the following code below the **&lt;rules&gt;** element:
 
 ```xml
 <include> 
@@ -1157,16 +1136,15 @@ is the same as specifying the following code below the &lt;rules&gt; element:
 
 For another example of how to use the &lt;extension&gt; element, see the example for [&lt;excludeAttributes&gt;](#excludeattributes).
 
-## <a href="" id="externalprocess"></a>&lt;externalProcess&gt;
+## &lt;externalProcess&gt;
 
+You can use the &lt;externalProcess&gt; element to run a command line during the migration process. For example, you may want to run a command after the **LoadState** process completes.
 
-You can use the &lt;externalProcess&gt; element to run a command line during the migration process. For example, you may want to run a command after the LoadState process completes.
+- **Number of occurrences:** Unlimited
 
--   **Number of occurrences:** Unlimited
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
-
--   **Required child elements:**[&lt;commandLine&gt;](#commandline)
+- **Required child elements:** [&lt;commandLine&gt;](#commandline)
 
 Syntax:
 
@@ -1181,21 +1159,21 @@ Syntax:
 
 For an example of how to use the &lt;externalProcess&gt; element, see the example for [&lt;excludeAttributes&gt;](#excludeattributes).
 
-## <a href="" id="icon"></a>&lt;icon&gt;
+## &lt;icon&gt;
 
 This is an internal USMT element. Do not use this element.
 
-## <a href="" id="include"></a>&lt;include&gt;
+## &lt;include&gt;
 
-The &lt;include&gt; element determines what to migrate, unless there is a more specific [&lt;exclude&gt;](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each &lt;include&gt; element there can be multiple &lt;objectSet&gt; elements.
+The **&lt;include&gt;** element determines what to migrate, unless there is a more specific [&lt;exclude&gt;](#exclude) rule. You can specify a script to be more specific to extend the definition of what you want to collect. For each **&lt;include&gt;** element there can be multiple **&lt;objectSet&gt;** elements.
 
--   **Number of occurrences:** Unlimited
+- **Number of occurrences:** Unlimited
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Required child element:**[&lt;objectSet&gt;](#objectset)
+- **Required child element:** [&lt;objectSet&gt;](#objectset)
 
--   **Helper functions:** You can use the following [&lt;include&gt; filter functions](#persistfilterfunctions) with this element: CompareStringContent, IgnoreIrrelevantLinks, AnswerNo, and NeverRestore.
+- **Helper functions:** You can use the following [&lt;include&gt; filter functions](#include-and-exclude-filter-functions) with this element: `CompareStringContent`, `IgnoreIrrelevantLinks`, `AnswerNo`, and `NeverRestore`.
 
 Syntax:
 
@@ -1206,7 +1184,7 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| filter | No. <br/>If this parameter is not specified, then all patterns that are inside the child &lt;ObjectSet&gt; element will be processed. | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript (&quot;Arg1&quot;,&quot;Arg2&quot;)`. <br/>The script will be called for each object that is enumerated by the object sets in the &lt;include&gt; rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. |
+| filter | No. <br/>If this parameter is not specified, then all patterns that are inside the child **&lt;objectSet&gt;** element will be processed. | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript (&quot;Arg1&quot;,&quot;Arg2&quot;)`. <br/>The script will be called for each object that is enumerated by the object sets in the **&lt;include&gt;** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated. |
 
 The following example is from the MigUser.xml file:
 
@@ -1238,28 +1216,28 @@ The following example is from the MigUser.xml file:
     </component>
 ```
 
-### <a href="" id="persistfilterfunctions"></a>&lt;include&gt; and &lt;exclude&gt; filter functions
+### &lt;include&gt; and **&lt;exclude&gt;** filter functions
 
 The following functions return a Boolean value. You can use them to migrate certain objects based on when certain conditions are met.
 
--   **AnswerNo**
+- **AnswerNo**
 
-    This filter always returns FALSE.
+    This filter always returns **FALSE**.
 
     Syntax: `AnswerNo ()`
 
--   **CompareStringContent**
+- **CompareStringContent**
 
     Syntax: `CompareStringContent("StringContent","CompareType")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     | *StringContent* | Yes | The string to check against. |
-    | *CompareType* | Yes | A string. Use one of the following values: <ul><li>**Equal** (case insensitive). The function returns TRUE if the string representation of the current object that is processed by the migration engine is identical to `StringContent`.</li><li>**NULL** **or any other value**. The function returns TRUE if the string representation of the current object that is processed by the migration engine does not match `StringContent`.</li></ul> |
+    | *CompareType* | Yes | A string. Use one of the following values: <ul><li>**Equal** (case insensitive). The function returns **TRUE** if the string representation of the current object that is processed by the migration engine is identical to `StringContent`.</li><li>**NULL** **or any other value**. The function returns **TRUE** if the string representation of the current object that is processed by the migration engine does not match `StringContent`.</li></ul> |
 
--   **IgnoreIrrelevantLinks**
+- **IgnoreIrrelevantLinks**
 
-    This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during ScanState. Then they will be screened out when you run the LoadState tool.
+    This filter screens out the .lnk files that point to an object that is not valid on the destination computer. Note that the screening takes place on the destination computer, so all .lnk files will be saved to the store during **ScanState**. Then they will be screened out when you run the **LoadState** tool.
 
     Syntax: `IgnoreIrrelevantLinks ()`
 
@@ -1273,9 +1251,9 @@ The following functions return a Boolean value. You can use them to migrate cert
     </include>
     ```
 
--   **NeverRestore**
+- **NeverRestore**
 
-    You can use this function to collect the specified objects from the source computer but then not migrate the objects to the destination computer. When run with the ScanState tool, this function evaluates to TRUE. When run with the LoadState tool, this function evaluates to FALSE. You may want to use this function when you want to check an object's value on the destination computer but do not intend to migrate the object to the destination.
+    You can use this function to collect the specified objects from the source computer but then not migrate the objects to the destination computer. When run with the **ScanState** tool, this function evaluates to **TRUE**. When run with the **LoadState** tool, this function evaluates to **FALSE**. You may want to use this function when you want to check an object's value on the destination computer but do not intend to migrate the object to the destination.
 
     Syntax: `NeverRestore()`
 
@@ -1289,16 +1267,15 @@ The following functions return a Boolean value. You can use them to migrate cert
     </include>
     ```
 
-## <a href="" id="includeattributes"></a>&lt;includeAttributes&gt;
+## &lt;includeAttributes&gt;
 
+You can use the **&lt;includeAttributes&gt;** element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the **&lt;includeAttributes&gt;** and **&lt;excludeAttributes&gt;** elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an **&lt;includeAttributes&gt;** or **&lt;excludeAttributes&gt;** element, then all of its parameters will be migrated.
 
-You can use the &lt;includeAttributes&gt; element to determine whether certain parameters associated with an object will be migrated along with the object itself. If there are conflicts between the &lt;includeAttributes&gt; and &lt;excludeAttributes&gt; elements, the most specific pattern will determine which parameters will be migrated. If an object does not have an &lt;includeAttributes&gt; or &lt;excludeAttributes&gt; element, then all of its parameters will be migrated.
+- **Number of occurrences:** unlimited
 
--   **Number of occurrences:** unlimited
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
-
--   **Child elements:**[&lt;objectSet&gt;](#objectset)
+- **Child elements:** [&lt;objectSet&gt;](#objectset)
 
 Syntax:
 
@@ -1309,23 +1286,23 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| attributes | Yes | Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, `"Security","TimeFields"`: <ul><li>Security can be one of the following values: <ul><li>**Owner.** The owner of the object (SID).</li><li>**Group.** The primary group for the object (SID).</li><li>**DACL** (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.</li><li>**SACL** (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object&#39;s SACL is controlled by a privilege typically held only by system administrators.</li></ul></li><li>TimeFields can be one of the following: <ul><li>**CreationTime.** Specifies when the file or directory was created.</li><li>**LastAccessTime.** Specifies when the file is last read from, written to, or, in the case of executable files, run.</li><li>**LastWrittenTime.** Specifies when the file is last written to, truncated, or overwritten.</li></ul></li></ul> |
+| attributes | Yes | Specifies the attributes to be included with a migrated object. You can specify one of the following, or both separated by quotes; for example, `"Security","TimeFields"`: <ul><li>Security can be one of the following values: <ul><li>**Owner**: The owner of the object (SID).</li><li>**Group**: The primary group for the object (SID).</li><li>**DACL** (discretionary access control list): An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.</li><li>**SACL** (system access control list): An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object&#39;s SACL is controlled by a privilege typically held only by system administrators.</li></ul></li><li>TimeFields can be one of the following: <ul><li>**CreationTime**: Specifies when the file or directory was created.</li><li>**LastAccessTime**: Specifies when the file is last read from, written to, or, in the case of executable files, run.</li><li>**LastWrittenTime**: Specifies when the file is last written to, truncated, or overwritten.</li></ul></li></ul> |
 
-For an example of how to use the &lt;includeAttributes&gt; element, see the example for [&lt;excludeAttributes&gt;](#excludeattributes).
+For an example of how to use the **&lt;includeAttributes&gt;** element, see the example for [&lt;excludeAttributes&gt;](#excludeattributes).
 
-## <a href="" id="library"></a>&lt;library&gt;
+## &lt;library&gt;
 
 This is an internal USMT element. Do not use this element.
 
-## <a href="" id="location"></a>&lt;location&gt;
+## &lt;location&gt;
 
-The &lt;location&gt; element defines the location of the &lt;object&gt; element.
+The **&lt;location&gt;** element defines the location of the **&lt;object&gt;** element.
 
--   **Number of occurrences:** once for each &lt;object&gt;
+- **Number of occurrences:** once for each **&lt;object&gt;**
 
--   **Parent elements:**[&lt;object&gt;](#object)
+- **Parent elements:** [&lt;object&gt;](#object)
 
--   **Child elements:**[&lt;script&gt;](#script)
+- **Child elements:** [&lt;script&gt;](#script)
 
 Syntax:
 
@@ -1338,7 +1315,7 @@ Syntax:
 |type|Yes|*typeID* can be Registry or File.|
 |*ObjectLocation*|Yes|The location of the object.|
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <addObjects>
@@ -1355,17 +1332,17 @@ The following example is from the MigApp.xml file:
 </addObjects>
 ```
 
-## <a href="" id="locationmodify"></a>&lt;locationModify&gt;
+## &lt;locationModify&gt;
 
-You can use the &lt;locationModify&gt; element to change the location and name of an object before it is migrated to the destination computer. The &lt;locationModify&gt; element is processed only when the LoadState tool is run on the destination computer. In other words, this element is ignored by the ScanState tool. The &lt;locationModify&gt; element will create the appropriate folder on the destination computer if it does not already exist.
+You can use the **&lt;locationModify&gt;** element to change the location and name of an object before it is migrated to the destination computer. The **&lt;locationModify&gt;** element is processed only when the **LoadState** tool is run on the destination computer. In other words, this element is ignored by the **ScanState** tool. The **&lt;locationModify&gt;** element will create the appropriate folder on the destination computer if it does not already exist.
 
 **Number of occurrences:** Unlimited
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Required child element:**[&lt;objectSet&gt;](#objectset)
+- **Required child element:** [&lt;objectSet&gt;](#objectset)
 
--   **Helper functions:** You can use the following [&lt;locationModify&gt; functions](#locationmodifyfunctions) with this element: ExactMove, RelativeMove, and Move.
+- **Helper functions:** You can use the following [&lt;locationModify&gt; functions](#locationmodify-functions) with this element: `ExactMove`, `RelativeMove`, and `Move`.
 
 Syntax:
 
@@ -1376,9 +1353,9 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.|
+|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the include rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.|
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <locationModify script="MigXmlHelper.RelativeMove('%CSIDL_APPDATA%\Microsoft\Office','%CSIDL_APPDATA%')">
@@ -1388,19 +1365,19 @@ The following example is from the MigApp.xml file:
 </locationModify>
 ```
 
-### <a href="" id="locationmodifyfunctions"></a>&lt;locationModify&gt; functions
+### &lt;locationModify&gt; functions
 
-The following functions change the location of objects as they are migrated when using the &lt;locationModify&gt; element. These functions are called for every object that the parent &lt;ObjectSet&gt; element is enumerating. The &lt;locationModify&gt; element will create the appropriate folder on the destination computer if it does not already exist.
+The following functions change the location of objects as they are migrated when using the **&lt;locationModify&gt;** element. These functions are called for every object that the parent **&lt;objectSet&gt;** element is enumerating. The **&lt;locationModify&gt;** element will create the appropriate folder on the destination computer if it does not already exist.
 
 - **ExactMove**
 
-  The ExactMove function moves all of the objects that are matched by the parent &lt;ObjectSet&gt; element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply.
+  The ExactMove function moves all of the objects that are matched by the parent **&lt;objectSet&gt;** element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply.
 
   Syntax: `ExactMove(ObjectEncodedLocation)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*ObjectEncodedLocation*|Yes|The destination [location](#locations) for all of the source objects.|
+    |*ObjectEncodedLocation*|Yes|The destination [location](#specifying-locations) for all of the source objects.|
 
   For example:
 
@@ -1412,7 +1389,7 @@ The following functions change the location of objects as they are migrated when
   </locationModify>
   ```
 
--   **Move**
+- **Move**
 
     The Move function moves objects to a different location on the destination computer. In addition, this function creates subdirectories that were above the longest CSIDL in the source object name.
 
@@ -1422,7 +1399,7 @@ The following functions change the location of objects as they are migrated when
     |--- |--- |--- |
     |*DestinationRoot*|Yes|The location where the source objects will be moved. If needed, this function will create any subdirectories that were above the longest CSIDL in the source object name.|
 
--   **RelativeMove**
+- **RelativeMove**
 
     You can use the RelativeMove function to collect and move data. Note that you can use environment variables in source and destination roots, but they may be defined differently on the source and destination computers.
 
@@ -1430,7 +1407,7 @@ The following functions change the location of objects as they are migrated when
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*SourceRoot*|Yes|The location from where the objects will be moved. Any source objects that are enumerated by the parent &lt;ObjectSet&gt; element that are not in this location will not be moved.|
+    |*SourceRoot*|Yes|The location from where the objects will be moved. Any source objects that are enumerated by the parent **&lt;objectSet&gt;** element that are not in this location will not be moved.|
     |*DestinationRoot*|Yes|The location where the source objects will be moved to on the destination computer. If needed, this function will create any subdirectories that were above *SourceRoot*.|
 
 For example:
@@ -1448,21 +1425,19 @@ For example:
 </locationModify>
 ```
 
-## <a href="" id="locdefinition"></a>&lt;\_locDefinition&gt;
-
+## &lt;\_locDefinition&gt;
 
 This is an internal USMT element. Do not use this element.
 
-## <a href="" id="manufacturer"></a>&lt;manufacturer&gt;
+## &lt;manufacturer&gt;
 
+The **&lt;manufacturer&gt;** element defines the manufacturer for the component, but does not affect the migration.
 
-The &lt;manufacturer&gt; element defines the manufacturer for the component, but does not affect the migration.
+- **Number of occurrences:** zero or one
 
--   **Number of occurrences:** zero or one
+- **Parent elements:** [&lt;component&gt;](#component)
 
--   **Parent elements:**[&lt;component&gt;](#component)
-
--   **Child elements:** none
+- **Child elements:** none
 
 Syntax:
 
@@ -1474,19 +1449,19 @@ Syntax:
 |--- |--- |--- |
 |*Name*|Yes|The name of the manufacturer for the component.|
 
-## <a href="" id="merge"></a>&lt;merge&gt;
+## &lt;merge&gt;
 
-The &lt;merge&gt; element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to "OriginalFileName(1).OriginalExtension". This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify &lt;include&gt; rules along with the &lt;merge&gt; element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a &lt;merge&gt; rule C:\\\* \[\*\] set to &lt;sourcePriority&gt; and a &lt;merge&gt; rule C:\\subfolder\\\* \[\*\] set to &lt;destinationPriority&gt;, then USMT would use the &lt;destinationPriority&gt; rule because it is the more specific.
+The **&lt;merge&gt;** element determines what will happen when a collision occurs. A collision is when an object that is migrated is already present on the destination computer. If you do not specify this element, the default behavior for the registry is for the source object to overwrite the destination object. The default behavior for files is for the source file to be renamed to `OriginalFileName(1).OriginalExtension`. This element specifies only what should be done when a collision occurs. It does not include objects. Therefore, for your objects to migrate, you must specify **&lt;include&gt;** rules along with the **&lt;merge&gt;** element. When an object is processed and a collision is detected, USMT will select the most specific merge rule and apply it to resolve the conflict. For example, if you have a **&lt;merge&gt;** rule `C:\* [*]` set to **&lt;sourcePriority&gt;** and a **&lt;merge&gt;** rule `C:\subfolder\* [*]` set to **&lt;destinationPriority&gt;**, then USMT would use the **&lt;destinationPriority&gt;** rule because it is the more specific.
 
-For an example of this element, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md).
+For an example of this element, see [Conflicts and precedence](usmt-conflicts-and-precedence.md).
 
--   **Number of occurrences:** Unlimited
+- **Number of occurrences:** Unlimited
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Required child element:**[&lt;objectSet&gt;](#objectset)
+- **Required child element:** [&lt;objectSet&gt;](#objectset)
 
--   **Helper functions:** You can use the following [&lt;merge&gt; functions](#mergefunctions) with this element: SourcePriority, DestinationPriority, FindFilePlaceByPattern, LeafPattern, NewestVersion, HigherValue(), and LowerValue().
+- **Helper functions:** You can use the following [&lt;merge&gt; functions](#merge-functions) with this element: `SourcePriority`, `DestinationPriority`, `FindFilePlaceByPattern`, `LeafPattern`, `NewestVersion`, `HigherValue()`, and `LowerValue()`.
 
 Syntax:
 
@@ -1497,7 +1472,7 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the &lt;include&gt; rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated.|
+|script|Yes|A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript ("Arg1","Arg2")`. <br/><br/>The script will be called for each object that is enumerated by the object sets in the **&lt;include&gt;** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated.|
 
 The following example is from the MigUser.xml file:
 
@@ -1516,11 +1491,11 @@ The following example is from the MigUser.xml file:
 </rules>
 ```
 
-### <a href="" id="mergefunctions"></a>&lt;merge&gt; functions
+### &lt;merge&gt; functions
 
 These functions control how collisions are resolved.
 
--   **DestinationPriority**
+- **DestinationPriority**
 
     Specifies to keep the object that is on the destination computer and not migrate the object from the source computer.
 
@@ -1536,17 +1511,17 @@ These functions control how collisions are resolved.
     </merge>
     ```
 
--   **FindFilePlaceByPattern**
+- **FindFilePlaceByPattern**
 
-    The FindFilePlaceByPattern function saves files with an incrementing counter when a collision occurs. It is a string that contains one of each constructs: &lt;F&gt;, &lt;E&gt;, &lt;N&gt; in any order.
+    The FindFilePlaceByPattern function saves files with an incrementing counter when a collision occurs. It is a string that contains one of each constructs: **&lt;F&gt;**, **&lt;E&gt;**, **&lt;N&gt;** in any order.
 
     Syntax: `FindFilePlaceByPattern(FilePattern)`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    | *FilePattern* | Yes | <ul><li>**&lt;F&gt;** will be replaced by the original file name.</li><li>**&lt;N&gt;** will be replaced by an incrementing counter until there is no collision with the objects on the destination computer.</li><li>**&lt;E&gt;** will be replaced by the original file name extension.</li></ul> <br/>For example, `<F> (<N>).<E>` will change the source file MyDocument.doc into MyDocument (1).doc on the destination computer. |
+    | *FilePattern* | Yes | <ul><li>**&lt;F&gt;** will be replaced by the original file name.</li><li>**&lt;N&gt;** will be replaced by an incrementing counter until there is no collision with the objects on the destination computer.</li><li>**&lt;E&gt;** will be replaced by the original file name extension.</li></ul> <br/>For example, `<F> (<N>).<E>` will change the source file `MyDocument.doc` into `MyDocument (1).doc` on the destination computer. |
 
--   **NewestVersion**
+- **NewestVersion**
 
     The NewestVersion function will resolve conflicts on the destination computer based on the version of the file.
 
@@ -1554,17 +1529,17 @@ These functions control how collisions are resolved.
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    |*VersionTag*|Yes|The version field that will be checked. This can be "FileVersion" or "ProductVersion". The file with the highest *VersionTag* version determines which conflicts will be resolved based on the file's version. For example, if Myfile.txt contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain.|
+    |*VersionTag*|Yes|The version field that will be checked. This can be `FileVersion` or `ProductVersion`. The file with the highest *VersionTag* version determines which conflicts will be resolved based on the file's version. For example, if `Myfile.txt` contains FileVersion 1 and the same file on the destination computer contains FileVersion 2, the file on destination will remain.|
 
--   **HigherValue()**
+- **HigherValue()**
 
     You can use this function for merging registry values. The registry values will be evaluated as numeric values, and the one with the higher value will determine which registry values will be merged.
 
--   **LowerValue()**
+- **LowerValue()**
 
     You can use this function for merging registry values. The registry values will be evaluated as numeric values and the one with the lower value will determine which registry values will be merged.
 
--   **SourcePriority**
+- **SourcePriority**
 
     Specifies to migrate the object from the source computer, and to delete the object that is on the destination computer.
 
@@ -1580,17 +1555,17 @@ These functions control how collisions are resolved.
     </merge>
     ```
 
-## <a href="" id="migration"></a>&lt;migration&gt;
+## &lt;migration&gt;
 
-The &lt;migration&gt; element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: &lt;CustomFileName&gt; is the name of the file; for example, "CustomApp".
+The **&lt;migration&gt;** element is the single root element of a migration .xml file and is required. Each .xml file must have a unique migration urlid. The urlid of each file that you specify on the command line must be unique. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following at the beginning of each file: &lt;CustomFileName&gt; is the name of the file; for example, "CustomApp".
 
--   **Number of occurrences:** one
+- **Number of occurrences:** one
 
--   **Parent elements:** none
+- **Parent elements:** none
 
--   **Required child elements:**[&lt;component&gt;](#component)
+- **Required child elements:** [&lt;component&gt;](#component)
 
--   **Optional child elements:**[&lt;library&gt;](#library), [&lt;namedElements&gt;](#namedelements)
+- **Optional child elements:** [&lt;library&gt;](#library), [&lt;namedElements&gt;](#namedelements)
 
 Syntax:
 
@@ -1604,7 +1579,7 @@ Syntax:
 |urlid|Yes|*UrlID* is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see [Use XML Namespaces](/previous-versions/windows/desktop/ms754539(v=vs.85)).|
 |Name|No|Although not required, it is good practice to use the name of the .xml file.|
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">
@@ -1637,9 +1612,9 @@ This filter helper function can be used to filter the migration of files based o
 </component>
 ```
 
-## <a href="" id="namedelements"></a>&lt;namedElements&gt;
+## &lt;namedElements&gt;
 
-You can use the **&lt;namedElements&gt;** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the MigApp.xml file.
+You can use the **&lt;namedElements&gt;** element to define named elements. You can use these elements in any component throughout your .xml file. For an example of how to use this element, see the `MigApp.xml` file.
 
 Syntax:
 
@@ -1648,25 +1623,25 @@ Syntax:
 </namedElements>
 ```
 
--   **Number of occurrences:** Unlimited
+- **Number of occurrences:** Unlimited
 
--   **Parent elements:**[&lt;migration&gt;](#migration)
+- **Parent elements:** [&lt;migration&gt;](#migration)
 
--   **Child elements:**[&lt;environment&gt;](#bkmk-environment), [&lt;rules&gt;](#rules), [&lt;conditions&gt;](#conditions), [&lt;detection&gt;](#detection), &lt;detects&gt;, &lt;detect&gt;
+- **Child elements:** [&lt;environment&gt;](#environment), [&lt;rules&gt;](#rules), [&lt;conditions&gt;](#conditions), [&lt;detection&gt;](#detection), [&lt;detects&gt;](#detects), [&lt;detect&gt;](#detect)
 
-For an example of this element, see the MigApp.xml file.
+For an example of this element, see the `MigApp.xml` file.
 
-## <a href="" id="object"></a>&lt;object&gt;
+## &lt;object&gt;
 
-The &lt;object&gt; element represents a file or registry key.
+The **&lt;object&gt;** element represents a file or registry key.
 
--   **Number of occurrences:** Unlimited
+- **Number of occurrences:** Unlimited
 
--   **Parent elements:**[&lt;addObjects&gt;](#addobjects)
+- **Parent elements:** [&lt;addObjects&gt;](#addobjects)
 
--   **Required child elements:**[&lt;location&gt;](#location), [&lt;attributes&gt;](#attribute)
+- **Required child elements:** [&lt;location&gt;](#location), [&lt;attributes&gt;](#attributes)
 
--   **Optional child elements:**[&lt;bytes&gt;](#bytes)
+- **Optional child elements:** [&lt;bytes&gt;](#bytes)
 
 Syntax:
 
@@ -1675,7 +1650,7 @@ Syntax:
 </object>
 ```
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <addObjects>
@@ -1692,18 +1667,17 @@ The following example is from the MigApp.xml file:
 </addObjects>
 ```
 
-## <a href="" id="objectset"></a>&lt;objectSet&gt;
+## &lt;objectSet&gt;
 
+The **&lt;objectSet&gt;** element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child **&lt;conditions&gt;** elements will be evaluated first. If all child **&lt;conditions&gt;** elements return **FALSE**, the **&lt;objectSet&gt;** element will evaluate to an empty set. For each parent element, there can be only multiple **&lt;objectSet&gt;** elements.
 
-The &lt;objectSet&gt; element contains a list of object patterns ; for example, file paths, registry locations, and so on. Any child &lt;conditions&gt; elements will be evaluated first. If all child &lt;conditions&gt; elements return FALSE, the &lt;objectSet&gt; element will evaluate to an empty set. For each parent element, there can be only multiple &lt;objectSet&gt; elements.
+- **Number of occurrences:** Unlimited
 
--   **Number of occurrences:** Unlimited
+- **Parent elements:** [&lt;variable&gt;](#variable), [&lt;content&gt;](#content), [&lt;include&gt;](#include), [&lt;exclude&gt;](#exclude), [&lt;merge&gt;](#merge), [&lt;contentModify&gt;](#contentmodify), [&lt;locationModify&gt;](#locationmodify), [&lt;destinationCleanup&gt;](#destinationcleanup), [&lt;includeAttributes&gt;](#includeattributes), [&lt;excludeAttributes&gt;](#excludeattributes), [&lt;unconditionalExclude&gt;](#unconditionalexclude), [&lt;detect&gt;](#detect)
 
--   **Parent elements:**[&lt;variable&gt;](#variable), [&lt;content&gt;](#content), [&lt;include&gt;](#include), [&lt;exclude&gt;](#exclude), [&lt;merge&gt;](#merge), [&lt;contentModify&gt;](#contentmodify), [&lt;locationModify&gt;](#locationmodify), [&lt;destinationCleanup&gt;](#destinationcleanup), [&lt;includeAttributes&gt;](#includeattributes), [&lt;excludeAttributes&gt;](#excludeattributes), [&lt;unconditionalExclude&gt;](#unconditionalexclude), &lt;detect&gt;
+- **Required child elements:** either [&lt;script&gt;](#script) or [&lt;pattern&gt;](#pattern)
 
--   **Required child elements:** either [&lt;script&gt;](#script) or [&lt;pattern&gt;](#pattern)
-
--   **Optional child elements:**[&lt;content&gt;](#content), [conditions](#conditions), &lt;condition&gt;
+- **Optional child elements:** [&lt;content&gt;](#content), [&lt;conditions&gt;](#conditions), [&lt;condition&gt;](#condition)
 
 Syntax:
 
@@ -1742,31 +1716,28 @@ The following example is from the MigUser.xml file:
 </component>
 ```
 
-## <a href="" id="path"></a>&lt;path&gt;
-
+## &lt;path&gt;
 
 This is an internal USMT element. Do not use this element.
 
-## <a href="" id="paths"></a>&lt;paths&gt;
-
+## &lt;paths&gt;
 
 This is an internal USMT element. Do not use this element.
 
-## <a href="" id="pattern"></a>&lt;pattern&gt;
+## &lt;pattern&gt;
 
-
-You can use this element to specify multiple objects. You can specify multiple &lt;pattern&gt; elements for each &lt;objectSet&gt; element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with &lt;script&gt; instead. GenerateDrivePatterns is basically the same as a &lt;pattern&gt; rule, without the drive letter specification. For example, the following two lines of code are similar:
+You can use this element to specify multiple objects. You can specify multiple **&lt;pattern&gt;** elements for each **&lt;objectSet&gt;** element and they will be combined. If you are specifying files, you may want to use `GenerateDrivePatterns` with **&lt;script&gt;** instead. `GenerateDrivePatterns` is basically the same as a **&lt;pattern&gt;** rule, without the drive letter specification. For example, the following two lines of code are similar:
 
 ```xml
 <pattern type="File">C:\Folder\* [Sample.doc]</pattern>
 <script>MigXmlHelper.GenerateDrivePatterns("\Folder\* [Sample.doc]","Fixed"</script>
 ```
 
--   **Number of occurrences:** Unlimited
+- **Number of occurrences:** Unlimited
 
--   **Parent elements:**[&lt;objectSet&gt;](#objectset)
+- **Parent elements:** [&lt;objectSet&gt;](#objectset)
 
--   **Child elements:** none but *Path* \[*object*\] must be valid.
+- **Child elements:** none but *Path* \[*object*\] must be valid.
 
 Syntax:
 
@@ -1777,49 +1748,49 @@ Syntax:
 |Setting|Required?|Value|
 |--- |--- |--- |
 | type | Yes | *typeID* can be Registry, File, or Ini. If *typeId* is Ini, then you cannot have a space between *Path* and *object*. For example, the following is correct when type=&quot;Ini&quot;: <br/>**&lt;pattern type=&quot;Ini&quot;&gt;%WinAmp5InstPath%\Winamp.ini&#124;WinAmp[keeponscreen]&lt;/pattern&gt;** |
-| *Path* [*object*] | Yes | A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated. <ul><li>*Path* can contain the asterisk (*) wildcard character or can be an [Recognized Environment Variables](usmt-recognized-environment-variables.md). You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.</li><li>*Object* can contain the asterisk () wildcard character. However, you cannot use the question mark as a wildcard character. For example: <br/> **`C:\Folder\ [*]`** enumerates all files in C:&lt;em&gt;Path* but no subfolders of C:\Folder. <br/> **`C:\Folder* [*]`** enumerates all files and subfolders of C:\Folder. <br/> **`C:\Folder\ [*.mp3]`** enumerates all .mp3 files in C:\Folder. <br/> **`C:\Folder\ [Sample.doc]`** enumerates only the Sample.doc file located in C:\Folder. <div class="alert">**Note**<br/>If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named &quot;file].txt&quot;, you must specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.</div></li></ul> |
+| *Path* [*object*] | Yes | A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated. <ul><li>*Path* can contain the asterisk (`*`) wildcard character or can be an [Recognized environment variables](usmt-recognized-environment-variables.md). You cannot use the question mark as a wildcard character. You can use `HKCU` and `HKLM` to refer to `HKEY_CURRENT_USER` and `HKEY_LOCAL_MACHINE` respectively.</li><li>*Object* can contain the asterisk (`*`) wildcard character. However, you cannot use the question mark as a wildcard character. For example: <br/> **`C:\Folder\ [*]`** enumerates all files in `C:\Folder` but no subfolders of `C:\Folder`. <br/> **`C:\Folder* [*]`** enumerates all files and subfolders of `C:\Folder`. <br/> **`C:\Folder\ [*.mp3]`** enumerates all `.mp3` files in `C:\Folder`. <br/> **`C:\Folder\ [Sample.doc]`** enumerates only the `Sample.doc` file located in C:\Folder. <div class="alert">**Note**<br/>If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named &quot;file].txt&quot;, you must specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.</div></li></ul> |
 
 For example:
 
--   To migrate a single registry key:
+- To migrate a single registry key:
 
     ```xml
     <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent]</pattern>
     ```
 
--   To migrate the EngineeringDrafts folder and any subfolders from the C: drive:
+- To migrate the `C:\EngineeringDrafts` folder and any subfolders from the C: drive:
 
     ```xml
     <pattern type="File">C:\EngineeringDrafts\* [*]</pattern>
     ```
 
--   To migrate only the EngineeringDrafts folder, excluding any subfolders, from the C: drive:
+- To migrate only the `C:\EngineeringDrafts` folder, excluding any subfolders, from the C: drive:
 
-    [Reroute Files and Settings](usmt-reroute-files-and-settings.md)
+    [Reroute files and settings](usmt-reroute-files-and-settings.md)
 
--   To migrate the Sample.doc file from C:\\EngineeringDrafts:
+- To migrate the `Sample.doc` file from `C:\EngineeringDrafts`:
 
     ```xml
     <pattern type="File"> C:\EngineeringDrafts\ [Sample.doc]</pattern>
     ```
 
--   To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated.
+- To migrate the `Sample.doc` file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated.
 
     ```xml
     <pattern type="File"> C:\* [Sample.doc] </pattern>
     ```
 
--   For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), [Include Files and Settings](usmt-include-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
+- For more examples of how to use this element, see [Exclude files and settings](usmt-exclude-files-and-settings.md), [Reroute files and settings](usmt-reroute-files-and-settings.md), [Include files and settings](usmt-include-files-and-settings.md), and [Custom XML examples](usmt-custom-xml-examples.md).
 
-## <a href="" id="processing"></a>&lt;processing&gt;
+## &lt;processing&gt;
 
 You can use this element to run a script during a specific point within the migration process. Return values are not expected from the scripts that you specify, and if there are return values, they will be ignored.
 
--   **Number of occurrences:** unlimited
+- **Number of occurrences:** unlimited
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Required child element:**[&lt;script&gt;](#script)
+- **Required child element:** [&lt;script&gt;](#script)
 
 Syntax:
 
@@ -1832,21 +1803,21 @@ Syntax:
 |--- |--- |--- |
 | when | Yes | Indicates when the script should be run. This value can be one of the following: <ul><li>**pre-scan** means before the scanning process begins.</li><li>**scan-success** means after the scanning process has finished successfully.</li><li>**post-scan** means after the scanning process has finished, whether it was successful or not.</li><li>**pre-apply** means before the apply process begins.</li><li>**apply-success** means after the apply process has finished successfully.</li><li>**post-apply** means after the apply process has finished, whether it was successful or not.</li></ul> |
 
-## <a href="" id="plugin"></a>&lt;plugin&gt;
+## &lt;plugin&gt;
 
 This is an internal USMT element. Do not use this element.
 
-## <a href="" id="role"></a>&lt;role&gt;
+## &lt;role&gt;
 
-The &lt;role&gt; element is required in a custom .xml file. By specifying the &lt;role&gt; element, you can create a concrete component. The component will be defined by the parameters specified at the &lt;component&gt; level, and with the role that you specify here.
+The **&lt;role&gt;** element is required in a custom .xml file. By specifying the **&lt;role&gt;** element, you can create a concrete component. The component will be defined by the parameters specified at the **&lt;component&gt;** level, and with the role that you specify here.
 
--   **Number of occurrences:** Each &lt;component&gt; can have one, two or three child &lt;role&gt; elements.
+- **Number of occurrences:** Each **&lt;component&gt;** can have one, two or three child **&lt;role&gt;** elements.
 
--   **Parent elements:**[&lt;component&gt;](#component), [&lt;role&gt;](#role)
+- **Parent elements:** [&lt;component&gt;](#component), [&lt;role&gt;](#role)
 
--   **Required child elements:**[&lt;rules&gt;](#rules)
+- **Required child elements:** [&lt;rules&gt;](#rules)
 
--   **Optional child elements:**[&lt;environment&gt;](#bkmk-environment), [&lt;detection&gt;](#detection), [&lt;component&gt;](#component), [&lt;role&gt;](#role), &lt;detects&gt;, &lt;plugin&gt;,
+- **Optional child elements:** [&lt;environment&gt;](#environment), [&lt;detection&gt;](#detection), [&lt;component&gt;](#component), [&lt;role&gt;](#role), [&lt;detects&gt;](#detects), [&lt;plugin&gt;](#plugin)
 
 Syntax:
 
@@ -1857,9 +1828,9 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| role | Yes | Defines the role for the component. Role can be one of: <ul><li>**Container**</li><li>**Binaries**</li><li>**Settings**</li><li>**Data**</li></ul> You can either: <ol><li>Specify up to three &lt;role&gt; elements within a &lt;component&gt; — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these &lt;role&gt; elements, but each nested element must be of the same role parameter.</li><li>Specify one "Container" &lt;role&gt; element within a &lt;component&gt; element. In this case, you cannot specify any child &lt;rules&gt; elements, only other &lt;component&gt; elements. And each child &lt;component&gt; element must have the same type as that of parent &lt;component&gt; element. For example:</li></ol> <pre class="syntax"><code>&lt;component context=&quot;UserAndSystem&quot; type=&quot;Application&quot;&gt; <br/>  &lt;displayName _locID=&quot;migapp.msoffice2003&quot;&gt;Microsoft Office 2003&lt;/displayName&gt; <br/>  &lt;environment name=&quot;GlobalEnv&quot; /&gt; <br/>  &lt;role role=&quot;Container&quot;&gt;<br/>    &lt;detection name=&quot;AnyOffice2003Version&quot; /&gt; <br/>    &lt;detection name=&quot;FrontPage2003&quot; /&gt; <br/>    &lt;!-- <br/> Office 2003 Common Settings <br/>  --&gt; <br/>     &lt;component context=&quot;UserAndSystem&quot; type=&quot;Application&quot;&gt;</code></pre> |
+| role | Yes | Defines the role for the component. Role can be one of: <ul><li>**Container**</li><li>**Binaries**</li><li>**Settings**</li><li>**Data**</li></ul> You can either: <ol><li>Specify up to three **&lt;role&gt;** elements within a **&lt;component&gt;** — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these **&lt;role&gt;** elements, but each nested element must be of the same role parameter.</li><li>Specify one "Container" **&lt;role&gt;** element within a **&lt;component&gt;** element. In this case, you cannot specify any child **&lt;rules&gt;** elements, only other **&lt;component&gt;** elements. And each child **&lt;component&gt;** element must have the same type as that of parent **&lt;component&gt;** element. For example:</li></ol> <pre class="syntax"><code>&lt;component context=&quot;UserAndSystem&quot; type=&quot;Application&quot;&gt; <br/>  &lt;displayName _locID=&quot;migapp.msoffice2003&quot;&gt;Microsoft Office 2003&lt;/displayName&gt; <br/>  &lt;environment name=&quot;GlobalEnv&quot; /&gt; <br/>  &lt;role role=&quot;Container&quot;&gt;<br/>    &lt;detection name=&quot;AnyOffice2003Version&quot; /&gt; <br/>    &lt;detection name=&quot;FrontPage2003&quot; /&gt; <br/>    &lt;!-- <br/> Office 2003 Common Settings <br/>  --&gt; <br/>     &lt;component context=&quot;UserAndSystem&quot; type=&quot;Application&quot;&gt;</code></pre> |
 
-The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file:
+The following example is from the MigUser.xml file. For more examples, see the `MigApp.xml` file:
 
 ```xml
 <component type="System" context="User">
@@ -1890,18 +1861,17 @@ The following example is from the MigUser.xml file. For more examples, see the M
 </component>
 ```
 
-## <a href="" id="rules"></a>&lt;rules&gt;
+## &lt;rules&gt;
 
+The **&lt;rules&gt;** element is required in a custom .xml file. This element contains rules that will run during the migration if the parent **&lt;component&gt;** element is selected, unless the child **&lt;conditions&gt;** element, if present, evaluates to **FALSE**. For each **&lt;rules&gt;** element there can be multiple child **&lt;rules&gt;** elements.
 
-The &lt;rules&gt; element is required in a custom .xml file. This element contains rules that will run during the migration if the parent &lt;component&gt; element is selected, unless the child &lt;conditions&gt; element, if present, evaluates to FALSE. For each &lt;rules&gt; element there can be multiple child &lt;rules&gt; elements.
+- **Number of occurrences:** unlimited
 
--   **Number of occurrences:** unlimited
+- **Parent elements:** [&lt;role&gt;](#role), [&lt;rules&gt;](#rules), [&lt;namedElements&gt;](#namedelements)
 
--   **Parent elements:**[&lt;role&gt;](#role), [&lt;rules&gt;](#rules), [&lt;namedElements&gt;](#namedelements)
+- **Required child elements:** [&lt;include&gt;](#include)
 
--   **Required child elements:**[&lt;include&gt;](#include)
-
--   **Optional child elements:**[&lt;rules&gt;](#rules), [&lt;exclude&gt;](#exclude), [&lt;unconditionalExclude&gt;](#unconditionalexclude),[&lt;merge&gt;](#merge), [&lt;contentModify&gt;](#contentmodify), [&lt;locationModify&gt;](#locationmodify), [&lt;destinationCleanup&gt;](#destinationcleanup), [&lt;addObjects&gt;](#addobjects), [&lt;externalProcess&gt;](#externalprocess), [&lt;processing&gt;](#processing), [&lt;includeAttributes&gt;](#includeattributes), [&lt;excludeAttributes&gt;](#excludeattributes), [conditions](#conditions), &lt;detects&gt;
+- **Optional child elements:** [&lt;rules&gt;](#rules), [&lt;exclude&gt;](#exclude), [&lt;unconditionalExclude&gt;](#unconditionalexclude),[&lt;merge&gt;](#merge), [&lt;contentModify&gt;](#contentmodify), [&lt;locationModify&gt;](#locationmodify), [&lt;destinationCleanup&gt;](#destinationcleanup), [&lt;addObjects&gt;](#addobjects), [&lt;externalProcess&gt;](#externalprocess), [&lt;processing&gt;](#processing), [&lt;includeAttributes&gt;](#includeattributes), [&lt;excludeAttributes&gt;](#excludeattributes), [conditions](#conditions), [&lt;detects&gt;](#detects)
 
 Syntax:
 
@@ -1912,8 +1882,8 @@ Syntax:
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| name | Yes, when &lt;rules&gt; is a child to &lt;namedElements&gt; <br/>No, when &lt;rules&gt; is a child to any other element | When *ID* is specified, any child elements are not processed. Instead, any other &lt;rules&gt; elements with the same name that are declared within &lt;namedElements&gt; are processed. |
-| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the component element. For example, if a &lt;component&gt; element has a context of User and a &lt;rules&gt; element had a context of UserAndSystem, then the &lt;rules&gt; element would act as though it has a context of User. If &lt;rules&gt; had a context of System, it would act as though &lt;rules&gt; was not there. <ul><li>**User.** Evaluates the variables for each user.</li><li>**System.** Evaluates the variables only once for the system.</li><li>**UserAndSystem.** Evaluates the variables for the entire operating system and each user.</li></ul> |
+| name | Yes, when **&lt;rules&gt;** is a child to **&lt;namedElements&gt;** <br/>No, when **&lt;rules&gt;** is a child to any other element | When *ID* is specified, any child elements are not processed. Instead, any other **&lt;rules&gt;** elements with the same name that are declared within **&lt;namedElements&gt;** are processed. |
+| context | No <br/>(default = UserAndSystem) | Defines the scope of this parameter — whether to process this component in the context of the specific user, across the entire operating system, or both. <br/>The largest possible scope is set by the component element. For example, if a **&lt;component&gt;** element has a context of **User** and a **&lt;rules&gt;** element had a context of **UserAndSystem**, then the **&lt;rules&gt;** element would act as though it has a context of **User**. If **&lt;rules&gt;** had a context of **System**, it would act as though **&lt;rules&gt;** was not there. <ul><li>**User**: Evaluates the variables for each user.</li><li>**System**: Evaluates the variables only once for the system.</li><li>**UserAndSystem**: Evaluates the variables for the entire operating system and each user.</li></ul> |
 
 The following example is from the MigUser.xml file:
 
@@ -1945,40 +1915,39 @@ The following example is from the MigUser.xml file:
 </component>
 ```
 
-## <a href="" id="script"></a>&lt;script&gt;
+## &lt;script&gt;
 
-
-The return value that is required by &lt;script&gt; depends on the parent element.
+The return value that is required by **&lt;script&gt;** depends on the parent element.
 
 **Number of occurrences:** Once for [&lt;variable&gt;](#variable), unlimited for [&lt;objectSet&gt;](#objectset) and [&lt;processing&gt;](#processing)
 
-**Parent elements:**[&lt;objectSet&gt;](#objectset), [&lt;variable&gt;](#variable), [&lt;processing&gt;](#processing)
+**Parent elements:** [&lt;objectSet&gt;](#objectset), [&lt;variable&gt;](#variable), [&lt;processing&gt;](#processing)
 
 **Child elements:** none
 
 **Syntax and helper functions:**
 
--   General Syntax: `<script>ScriptWithArguments</script>`
+- General Syntax: `<script>ScriptWithArguments</script>`
 
--   You can use [GetStringContent](#scriptfunctions) when &lt;script&gt; is within &lt;variable&gt;.
+- You can use [GetStringContent](#script-functions) when **&lt;script&gt;** is within **&lt;variable&gt;**.
 
     Syntax: `<script>MigXmlHelper.GetStringContent("ObjectType","EncodedLocationPattern", "ExpandContent")</script>`
 
     Example: `<script>MigXMLHelper.GetStringContent("Registry","HKLM\Software\MyApp\Installer [EXEPATH]")</script>`
 
--   You can use [GenerateUserPatterns](#scriptfunctions) when &lt;script&gt; is within &lt;objectSet&gt;.
+- You can use [GenerateUserPatterns](#script-functions) when **&lt;script&gt;** is within **&lt;objectSet&gt;**.
 
     Syntax: `<script>MigXmlHelper.GenerateUserPatterns("ObjectType","EncodedLocationPattern","ProcessCurrentUser")</script>`
 
     Example: `<script>MigXmlHelper.GenerateUserPatterns ("File","%USERPROFILE%\* [*.doc]", "FALSE")</script>`
 
--   You can use [GenerateDrivePatterns](#scriptfunctions) when &lt;script&gt; is within &lt;objectSet&gt;.
+- You can use [GenerateDrivePatterns](#script-functions) when **&lt;script&gt;** is within **&lt;objectSet&gt;**.
 
     Syntax: `<script>MigXmlHelper.GenerateDrivePatterns("PatternSegment","DriveType")</script>`
 
     Example: `<script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script>`
 
--   You can use the [Simple executing scripts](#scriptfunctions) with &lt;script&gt; elements that are within &lt;processing&gt; elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM.
+- You can use the [Simple executing scripts](#script-functions) with **&lt;script&gt;** elements that are within **&lt;processing&gt;** elements: AskForLogoff, ConvertToShortFileName, KillExplorer, RemoveEmptyDirectories, RestartExplorer, RegisterFonts, StartService, StopService, SyncSCM.
 
     Syntax: `<script>MigXmlHelper.ExecutingScript</script>`
 
@@ -1986,11 +1955,11 @@ The return value that is required by &lt;script&gt; depends on the parent elemen
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-| *ScriptWithArguments* | Yes | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript (&quot;Arg1&quot;,&quot;Arg2&quot;)`. <br/>The script will be called for each object that is enumerated by the object sets in the &lt;include&gt; rule. The filter script returns a Boolean value. If the return value is TRUE, the object will be migrated. If it is FALSE, it will not be migrated. <br/>The return value that is required by &lt;script&gt; depends on the parent element. <ul><li>When used within &lt;variable&gt;, the return value must be a string.</li><li>When used within &lt;objectSet&gt;, the return value must be a two-dimensional array of strings.</li><li>When used within &lt;location&gt;, the return value must be a valid location that aligns with the type attribute of &lt;location&gt;. For example, if &lt;location type=&quot;File&quot;&gt;, the child script element, if specified, must be a valid file location. <div class="alert">**Note**<br/>If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named &quot;file].txt&quot;, specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.</div></li></ul> |
+| *ScriptWithArguments* | Yes | A script followed by any number of string arguments that are separated by a comma and enclosed in parenthesis. For example, `MyScripts.AScript (&quot;Arg1&quot;,&quot;Arg2&quot;)`. <br/>The script will be called for each object that is enumerated by the object sets in the **&lt;include&gt;** rule. The filter script returns a Boolean value. If the return value is **TRUE**, the object will be migrated. If it is **FALSE**, it will not be migrated. <br/>The return value that is required by **&lt;script&gt;** depends on the parent element. <ul><li>When used within **&lt;variable&gt;**, the return value must be a string.</li><li>When used within **&lt;objectSet&gt;**, the return value must be a two-dimensional array of strings.</li><li>When used within **&lt;location&gt;**, the return value must be a valid location that aligns with the type attribute of **&lt;location&gt;**. For example, if &lt;location type=&quot;File&quot;&gt;, the child script element, if specified, must be a valid file location. <div class="alert">**Note**<br/>If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named &quot;file].txt&quot;, specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.</div></li></ul> |
 
 Examples:
 
-To migrate the Sample.doc file from any drive on the source computer, use &lt;script&gt; as follows. If multiple files exist with the same name, all such files will get migrated.
+To migrate the Sample.doc file from any drive on the source computer, use **&lt;script&gt;** as follows. If multiple files exist with the same name, all such files will get migrated.
 
 ```xml
 <script>MigXmlHelper.GenerateDrivePatterns("* [sample.doc]", "Fixed")</script> 
@@ -1998,29 +1967,29 @@ To migrate the Sample.doc file from any drive on the source computer, use &lt;sc
 
 For more examples of how to use this element, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md), [Reroute Files and Settings](usmt-reroute-files-and-settings.md), and [Custom XML Examples](usmt-custom-xml-examples.md).
 
-### <a href="" id="scriptfunctions"></a>&lt;script&gt; functions
+### &lt;script&gt; functions
 
-You can use the following functions with the &lt;script&gt; element
+You can use the following functions with the **&lt;script&gt;** element
 
--   [String and pattern generating functions](#stringgeneratingfunctions)
+- [String and pattern generating functions](#string-and-pattern-generating-functions)
 
--   [Simple executing scripts](#simple)
+- [Simple executing scripts](#simple-executing-scripts)
 
-### <a href="" id="stringgeneratingfunctions"></a>String and pattern generating functions
+### String and pattern generating functions
 
 These functions return either a string or a pattern.
 
--   **GetStringContent**
+- **GetStringContent**
 
-    You can use GetStringContent with &lt;script&gt; elements that are within &lt;variable&gt; elements. If possible, this function returns the string representation of the given object. Otherwise, it returns NULL. For file objects this function always returns NULL.
+    You can use GetStringContent with **&lt;script&gt;** elements that are within **&lt;variable&gt;** elements. If possible, this function returns the string representation of the given object. Otherwise, it returns **NULL**. For file objects this function always returns **NULL**.
 
     Syntax: `GetStringContent("ObjectType","EncodedLocationPattern", "ExpandContent")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     | *ObjectType* | Yes | The type of object. Can be Registry or Ini (for an .ini file). |
-    | *EncodedLocationPattern* | Yes | <ul><li>If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, HKLM\SOFTWARE\MyKey[].</li><li>If the type of object is Ini, then EncodedLocationPattern must be in the following format: <br/>IniFilePath&#124;SectionName[SettingName]</li></ul> |
-    | *ExpandContent* | No (default=TRUE) | Can be TRUE or FALSE. If FALSE, then the given location will not be expanded before it is returned. |
+    | *EncodedLocationPattern* | Yes | <ul><li>If type of object is Registry, EncodedLocationPattern must be a valid registry path. For example, `HKLM\SOFTWARE\MyKey[]`.</li><li>If the type of object is Ini, then EncodedLocationPattern must be in the following format: <br/>**IniFilePath&#124;SectionName[SettingName]**</li></ul> |
+    | *ExpandContent* | No (default=TRUE) | Can be **TRUE** or **FALSE**. If **FALSE**, then the given location will not be expanded before it is returned. |
 
   For example:
 
@@ -2032,40 +2001,40 @@ These functions return either a string or a pattern.
 
 - **GenerateDrivePatterns**
 
-  The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with &lt;script&gt; elements that are within [&lt;objectSet&gt;](#objectset) that are within &lt;include&gt;/&lt;exclude&gt;.
+  The `GenerateDrivePatterns` function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and *DriveType* is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use `GenerateDrivePatterns` with **&lt;script&gt;** elements that are within [&lt;objectSet&gt;](#objectset) that are within **&lt;include&gt;**/**&lt;exclude&gt;**.
 
   Syntax: `GenerateDrivePatterns("PatternSegment","DriveType")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
-    | *PatternSegment* | Yes | The suffix of an encoded pattern. It will be concatenated with a drive specification, such as &quot;c:&quot;, to form a complete [encoded file pattern](#locations). For example, &quot;* [*.doc]&quot;. *PatternSegment* cannot be an environment variable. |
+    | *PatternSegment* | Yes | The suffix of an encoded pattern. It will be concatenated with a drive specification, such as &quot;c:&quot;, to form a complete [encoded file pattern](#specifying-locations). For example, &quot;* [*.doc]&quot;. *PatternSegment* cannot be an environment variable. |
     | *DriveType* | Yes | The drive type for which the patterns are to be generated. You can specify one of: <ul><li>Fixed</li><li>CDROM</li><li>Removable</li><li>Remote</li></ul> |
 
   See the last component in the MigUser.xml file for an example of this element.
 
 - **GenerateUserPatterns**
 
-  The function will iterate through all users that are being migrated, excluding the currently processed user if &lt;ProcessCurrentUser&gt; is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns:
+  The `GenerateUserPatterns` function will iterate through all users that are being migrated, excluding the currently processed user if **&lt;ProcessCurrentUser&gt;** is **FALSE**, and will expand the specified pattern in the context of each user. For example, if users A, B, and C have profiles in `C:\Documents and Settings`, by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns:
 
-  -   "C:\\Documents and Settings\\A\\\* \[\*.doc\]"
+  - "C:\\Documents and Settings\\A\\\* \[\*.doc\]"
 
-  -   "C:\\Documents and Settings\\B\\\* \[\*.doc\]"
+  - "C:\\Documents and Settings\\B\\\* \[\*.doc\]"
 
-  -   "C:\\Documents and Settings\\C\\\* \[\*.doc\]"
+  - "C:\\Documents and Settings\\C\\\* \[\*.doc\]"
 
   Syntax: `GenerateUserPatterns("ObjectType","EncodedLocationPattern","ProcessCurrentUser")`
 
     |Setting|Required?|Value|
     |--- |--- |--- |
     |*ObjectType*|Yes|Defines the object type. Can be File or Registry.|
-    |*EncodedLocationPattern*|Yes|The [location pattern](#locations). Environment variables are allowed.|
-    |*ProcessCurrentUser*|Yes|Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user.|
+    |*EncodedLocationPattern*|Yes|The [location pattern](#specifying-locations). Environment variables are allowed.|
+    |*ProcessCurrentUser*|Yes|Can be **TRUE** or **FALSE**. Indicates if the patterns should be generated for the current user.|
 
 **Example:**
 
-If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X's profile.
+If `GenerateUserPattens('File','%userprofile% [*.doc]','FALSE')` is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all `.doc` files from the source computer — but if user X is not migrated, then do not migrate any of the `.doc` files from user X's profile.
 
-The following is example code for this scenario. The first &lt;rules&gt; element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second &lt;rules&gt; elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second &lt;rules&gt; element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
+The following is example code for this scenario. The first **&lt;rules&gt;** element migrates all `.doc` files on the source computer with the exception of those inside `C:\Documents and Settings`. The second **&lt;rules&gt;** elements will migrate all `.doc` files from `C:\Documents and Settings` with the exception of the `.doc` files in the profiles of the other users. Because the second **&lt;rules&gt;** element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
 
 ```xml
 <rules context="System">
@@ -2096,13 +2065,13 @@ The following is example code for this scenario. The first &lt;rules&gt; element
 
 ### MigXmlHelper.GenerateDocPatterns
 
-This helper function invokes the document finder to scan the system for all files that can be migrated. It can be invoked in either System or User context to focus the scan.
+The `MigXmlHelper.GenerateDocPatterns` helper function invokes the document finder to scan the system for all files that can be migrated. It can be invoked in either **System** or **User** context to focus the scan.
 
 |Setting|Required?|Value|
 |--- |--- |--- |
-|*ScanProgramFiles*|No (default = FALSE)|Can be TRUE or FALSE. The *ScanProgramFiles* parameter determines whether or not the document finder scans the **Program Files** directory to gather registered file extensions for known applications. For example, when set to TRUE it will discover and migrate .jpg files under the Photoshop directory, if .jpg is a file extension registered to Photoshop.|
-|*IncludePatterns*|No (default = TRUE)|Can be TRUE or FALSE. TRUE will generate include patterns and can be added under the &lt;include&gt; element. FALSE will generate exclude patterns and can be added under the &lt;exclude&gt; element.|
-|*SystemDrive*|No (default = FALSE)|Can be TRUE or FALSE. If TRUE, restricts all patterns to the system drive.|
+|*ScanProgramFiles*|No (default = FALSE)|Can be **TRUE** or **FALSE**. The *ScanProgramFiles* parameter determines whether or not the document finder scans the **Program Files** directory to gather registered file extensions for known applications. For example, when set to **TRUE** it will discover and migrate .jpg files under the Photoshop directory, if `.jpg` is a file extension registered to Photoshop.|
+|*IncludePatterns*|No (default = TRUE)|Can be **TRUE** or **FALSE**. **TRUE** will generate include patterns and can be added under the **&lt;include&gt;** element. **FALSE** will generate exclude patterns and can be added under the **&lt;exclude&gt;** element.|
+|*SystemDrive*|No (default = FALSE)|Can be **TRUE** or **FALSE**. If **TRUE**, restricts all patterns to the system drive.|
 
 ```xml
  <!-- This component migrates data in user context -->
@@ -2125,11 +2094,11 @@ This helper function invokes the document finder to scan the system for all file
   </component>
 ```
 
-### <a href="" id="simple"></a>Simple executing scripts
+### Simple executing scripts
 
-The following scripts have no return value. You can use the following errors with &lt;script&gt; elements that are within &lt;processing&gt; elements
+The following scripts have no return value. You can use the following errors with **&lt;script&gt;** elements that are within **&lt;processing&gt;** elements
 
--   **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example:
+- **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example:
 
   ```xml
   <processing when="apply-success">
@@ -2137,9 +2106,9 @@ The following scripts have no return value. You can use the following errors wit
   </processing>
   ```
 
--   **ConvertToShortFileName(RegistryEncodedLocation)**. If *RegistryEncodedLocation* is the full path of an existing file, this function will convert the file to its short file name and then it will update the registry value.
+- **ConvertToShortFileName(RegistryEncodedLocation)**. If *RegistryEncodedLocation* is the full path of an existing file, this function will convert the file to its short file name and then it will update the registry value.
 
--   **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example:
+- **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example:
 
   ```xml
   <processing when="pre-apply">
@@ -2147,7 +2116,7 @@ The following scripts have no return value. You can use the following errors wit
   </processing>
   ```
 
--   **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example:
+- **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example:
 
  ```xml
   <processing when="apply-success">
@@ -2155,9 +2124,9 @@ The following scripts have no return value. You can use the following errors wit
   </processing>
   ```
 
--   **RemoveEmptyDirectories (DirectoryEncodedPattern).** Deletes any empty directories that match *DirectoryEncodedPattern* on the destination computer.
+- **RemoveEmptyDirectories (DirectoryEncodedPattern).** Deletes any empty directories that match *DirectoryEncodedPattern* on the destination computer.
 
--   **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example:
+- **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example:
 
   ```xml
   <processing when="post-apply">
@@ -2165,22 +2134,21 @@ The following scripts have no return value. You can use the following errors wit
   </processing>
   ```
 
--   **StartService (ServiceName, OptionalParam1, OptionalParam2,…).** Starts the service identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service. The optional parameters, if any, will be passed to the StartService API. For more information, see [this Microsoft Web site](/windows/win32/api/winsvc/nf-winsvc-startservicea).
+- **StartService (ServiceName, OptionalParam1, OptionalParam2,…).** Starts the service identified by *ServiceName. ServiceName* is the subkey in `HKLM\System\CurrentControlSet\Services` that holds the data for the given service. The optional parameters, if any, will be passed to the StartService API. For more information, see the [StartServiceA function (winsvc.h)](/windows/win32/api/winsvc/nf-winsvc-startservicea) article.
 
--   **StopService (ServiceName)**. Stops the service that is identified by *ServiceName. ServiceName* is the subkey in HKLM\\System\\CurrentControlSet\\Services that holds the data for the given service.
+- **StopService (ServiceName)**. Stops the service that is identified by *ServiceName. ServiceName* is the subkey in `HKLM\System\CurrentControlSet\Services` that holds the data for the given service.
 
--   **SyncSCM(ServiceShortName).** Reads the Start type value from the registry (HKLM\\System\\CurrentControlSet\\Services\\ServiceShortName \[Start\]) after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value.
+- **SyncSCM(ServiceShortName).** Reads the Start type value from the registry `(HKLM\System\CurrentControlSet\Services\ServiceShortName [Start])` after it is changed by the migration engine, and then synchronizes Service Control Manager (SCM) with the new value.
 
-## <a href="" id="text"></a>&lt;text&gt;
+## &lt;text&gt;
 
+You can use the **&lt;text&gt;** element to set a value for any environment variables that are inside one of the migration .xml files.
 
-You can use the &lt;text&gt; element to set a value for any environment variables that are inside one of the migration .xml files.
+- **Number of occurrences:** Once in each [&lt;variable&gt;](#variable) element.
 
--   **Number of occurrences:** Once in each [&lt;variable&gt;](#variable) element.
+- **Parent elements:** [&lt;variable&gt;](#variable)
 
--   **Parent elements:**[&lt;variable&gt;](#variable)
-
--   **Child elements:** None.
+- **Child elements:** None.
 
 Syntax:
 
@@ -2200,18 +2168,17 @@ For example:
 </variable>
 ```
 
-## <a href="" id="unconditionalexclude"></a>&lt;unconditionalExclude&gt;
+## &lt;unconditionalExclude&gt;
 
+The **&lt;unconditionalExclude&gt;** element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the `Config.xml` file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit **&lt;include&gt;** rules to include `.mp3` files, if you specify to exclude them with this option, then they will not be migrated.
 
-The &lt;unconditionalExclude&gt; element excludes the specified files and registry values from the migration, regardless of the other include rules in any of the migration .xml files or in the Config.xml file. The objects declared here will not be migrated because this element takes precedence over all other rules. For example, even if there are explicit &lt;include&gt; rules to include .mp3 files, if you specify to exclude them with this option, then they will not be migrated.
+Use this element if you want to exclude all `.mp3` files from the source computer. Or, if you are backing up `C:\UserData` using another method, you can exclude the entire folder from the migration. Use this element with caution, however, because if an application needs a file that you exclude, the application may not function properly on the destination computer.
 
-Use this element if you want to exclude all .mp3 files from the source computer. Or, if you are backing up C:\\UserData using another method, you can exclude the entire folder from the migration. Use this element with caution, however, because if an application needs a file that you exclude, the application may not function properly on the destination computer.
+- **Number of occurrences:** Unlimited.
 
--   **Number of occurrences:** Unlimited.
+- **Parent elements:** [&lt;rules&gt;](#rules)
 
--   **Parent elements:**[&lt;rules&gt;](#rules)
-
--   **Child elements:**[&lt;objectSet&gt;](#objectset)
+- **Child elements:** [&lt;objectSet&gt;](#objectset)
 
 Syntax:
 
@@ -2219,7 +2186,7 @@ Syntax:
 <unconditionalExclude></unconditionalExclude>
 ```
 
-The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
+The following .xml file excludes all `.mp3` files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md).
 
 ```xml
 <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/excludefiles">
@@ -2238,22 +2205,21 @@ The following .xml file excludes all .mp3 files from migration. For additional e
 </migration>
 ```
 
-## <a href="" id="variable"></a>&lt;variable&gt;
+## &lt;variable&gt;
 
+The **&lt;variable&gt;** element is required in an **&lt;environment&gt;** element. For each **&lt;variable&gt;** element there must be one **&lt;objectSet&gt;**, **&lt;script&gt;**, or **&lt;text&gt;** element. The content of the **&lt;variable&gt;** element assigns a text value to the environment variable. This element has the following three options:
 
-The &lt;variable&gt; element is required in an &lt;environment&gt; element. For each &lt;variable&gt; element there must be one &lt;objectSet&gt;, &lt;script&gt;, or &lt;text&gt; element. The content of the &lt;variable&gt; element assigns a text value to the environment variable. This element has the following three options:
+1. If the **&lt;variable&gt;** element contains a **&lt;text&gt;** element, then the value of the variable element will be the value of the **&lt;text&gt;** element.
 
-1.  If the &lt;variable&gt; element contains a &lt;text&gt; element, then the value of the variable element will be the value of the &lt;text&gt; element.
+2. If the **&lt;variable&gt;** element contains a **&lt;script&gt;** element and the invocation of the script produces a non-null string, then the value of the **&lt;variable&gt;** element will be the result of the script invocation.
 
-2.  If the &lt;variable&gt; element contains a &lt;script&gt; element and the invocation of the script produces a non-null string, then the value of the &lt;variable&gt; element will be the result of the script invocation.
+3. If the **&lt;variable&gt;** element contains an **&lt;objectSet&gt;** element and the evaluation of the **&lt;objectSet&gt;** element produces at least one object pattern, then the value of the first object to match the resulting object pattern will be the value of the variable element.
 
-3.  If the &lt;variable&gt; element contains an &lt;objectSet&gt; element and the evaluation of the &lt;objectSet&gt; element produces at least one object pattern, then the value of the first object to match the resulting object pattern will be the value of the variable element.
+- **Number of occurrences:** Unlimited
 
--   **Number of occurrences:** Unlimited
+- **Parent elements:** [&lt;environment&gt;](#environment)
 
--   **Parent elements:**[&lt;environment&gt;](#bkmk-environment)
-
--   **Required child elements:** either [&lt;text&gt;](#text), or [&lt;script&gt;](#script), or [&lt;objectSet&gt;](#objectset)
+- **Required child elements:** either [&lt;text&gt;](#text), or [&lt;script&gt;](#script), or [&lt;objectSet&gt;](#objectset)
 
 Syntax:
 
@@ -2267,7 +2233,7 @@ Syntax:
 |name|Yes|*ID* is a string value that is the name used to reference the environment variable. We recommend that *ID* start with the component's name to avoid namespace collisions. For example, if your component's name is MyComponent, and you want a variable that is your component's install path, you could specify `MyComponent.InstallPath`.|
 |remap|No, default = FALSE|Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable's value are automatically moved to where the environment variable points on the destination computer.|
 
-The following example is from the MigApp.xml file:
+The following example is from the `MigApp.xml` file:
 
 ```xml
 <environment>
@@ -2280,16 +2246,15 @@ The following example is from the MigApp.xml file:
 </environment>
 ```
 
-## <a href="" id="version"></a>&lt;version&gt;
+## &lt;version&gt;
 
+The **&lt;version&gt;** element defines the version for the component, but does not affect the migration.
 
-The &lt;version&gt; element defines the version for the component, but does not affect the migration.
+- **Number of occurrences:** zero or one
 
--   **Number of occurrences:** zero or one
+- **Parent elements:** [&lt;component&gt;](#component)
 
--   **Parent elements:**[&lt;component&gt;](#component)
-
--   **Child elements:** none
+- **Child elements:** none
 
 Syntax:
 
@@ -2307,80 +2272,80 @@ For example:
 <version>4.*</version>
 ```
 
-## <a href="" id="windowsobjects"></a>&lt;windowsObjects&gt;
+## &lt;windowsObjects&gt;
 
-The &lt;windowsObjects&gt; element is for USMT internal use only. Do not use this element.
+The **&lt;windowsObjects&gt;** element is for USMT internal use only. Do not use this element.
 
 ## Appendix
 
-### <a href="" id="locations"></a>Specifying locations
+### Specifying locations
 
--   **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
+- **Specifying encoded locations**. The encoded location used in all of the helper functions is an unambiguous string representation for the name of an object. It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves.
 
-    For example, specify the file C:\\Windows\\Notepad.exe like this: `c:\Windows[Notepad.exe]`. Similarly, specify the directory C:\\Windows\\System32 like this: `c:\Windows\System32`. (Notice the absence of the \[\] construct.)
+    For example, specify the file `C:\Windows\Notepad.exe` like this: `c:\Windows[Notepad.exe]`. Similarly, specify the directory `C:\Windows\System32` like this: `c:\Windows\System32`. (Notice the absence of the `[]` construct.)
 
-    Representing the registry is very similar. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key will be `HKLM\SOFTWARE\MyKey[]`.
+    Representing the registry is very similar. The default value of a registry key is represented as an empty `[]` construct. For example, the default value for the `HKLM\SOFTWARE\MyKey` registry key will be `HKLM\SOFTWARE\MyKey[]`.
 
--   **Specifying location patterns**. You specify a location pattern in a way that is similar to how you specify an actual location. The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
+- **Specifying location patterns**. You specify a location pattern in a way that is similar to how you specify an actual location. The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf.
 
-    For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories. But it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`.
+    For example, the pattern `c:\Windows\*` will match the Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify `c:\Windows\*[*]`.
 
-### <a href="" id="internalusmtfunctions"></a>Internal USMT functions
+### Internal USMT functions
 
 The following functions are for internal USMT use only. Do not use them in an .xml file.
 
--   AntiAlias
+- *AntiAlias*
 
--   ConvertScreenSaver
+- *ConvertScreenSaver*
 
--   ConvertShowIEOnDesktop
+- *ConvertShowIEOnDesktop*
 
--   ConvertToOfficeLangID
+- *ConvertToOfficeLangID*
 
--   MigrateActiveDesktop
+- *MigrateActiveDesktop*
 
--   MigrateAppearanceUPM
+- *MigrateAppearanceUPM*
 
--   MigrateDisplayCS
+- *MigrateDisplayCS*
 
--   MigrateDisplaySS
+- *MigrateDisplaySS*
 
--   MigrateIEAutoSearch
+- *MigrateIEAutoSearch*
 
--   MigrateMouseUPM
+- *MigrateMouseUPM*
 
--   MigrateSoundSysTray
+- *MigrateSoundSysTray*
 
--   MigrateTaskBarSS
+- *MigrateTaskBarSS*
 
--   SetPstPathInMapiStruc
+- *SetPstPathInMapiStruc*
 
-### <a href="" id="allowed"></a>Valid version tags
+### Valid version tags
 
 You can use the following version tags with various helper functions:
 
--   "CompanyName"
+- "CompanyName"
 
--   "FileDescription"
+- "FileDescription"
 
--   "FileVersion"
+- "FileVersion"
 
--   "InternalName"
+- "InternalName"
 
--   "LegalCopyright"
+- "LegalCopyright"
 
--   "OriginalFilename"
+- "OriginalFilename"
 
--   "ProductName"
+- "ProductName"
 
--   "ProductVersion"
+- "ProductVersion"
 
 The following version tags contain values that can be compared:
 
--   "FileVersion"
+- "FileVersion"
 
--   "ProductVersion"
+- "ProductVersion"
 
-## Related topics
+## Related articles
 
-[USMT XML Reference](usmt-xml-reference.md)
+[USMT XML reference](usmt-xml-reference.md)
diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md
index eaad60c807..af25e49152 100644
--- a/windows/deployment/usmt/usmt-xml-reference.md
+++ b/windows/deployment/usmt/usmt-xml-reference.md
@@ -2,28 +2,29 @@
 title: USMT XML Reference (Windows 10)
 description: Learn about working with and customizing the migration XML files using User State Migration Tool (USMT) XML Reference for Windows 10.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# USMT XML Reference
+# USMT XML reference
 
-This section contains topics that you can use to work with and to customize the migration XML files.
+This section contains articles that you can use to work with and to customize the migration XML files.
 
-## In This Section
+## In this section
 
 | Link | Description |
 |--- |--- |
-|[Understanding Migration XML Files](understanding-migration-xml-files.md)|Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.|
-|[Config.xml File](usmt-configxml-file.md)|Describes the Config.xml file and policies concerning its configuration.|
-|[Customize USMT XML Files](usmt-customize-xml-files.md)|Describes how to customize USMT XML files.|
-|[Custom XML Examples](usmt-custom-xml-examples.md)|Gives examples of XML files for various migration scenarios.|
-|[Conflicts and Precedence](usmt-conflicts-and-precedence.md)|Describes the precedence of migration rules and how conflicts are handled.|
-|[General Conventions](usmt-general-conventions.md)|Describes the XML helper functions.|
-|[XML File Requirements](xml-file-requirements.md)|Describes the requirements for custom XML files.|
-|[Recognized Environment Variables](usmt-recognized-environment-variables.md)|Describes environment variables recognized by USMT.|
-|[XML Elements Library](usmt-xml-elements-library.md)|Describes the XML elements and helper functions for authoring migration XML files to use with USMT.|
+|[Understanding migration XML files](understanding-migration-xml-files.md)|Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.|
+|[Config.xml file](usmt-configxml-file.md)|Describes the `Config.xml` file and policies concerning its configuration.|
+|[Customize USMT XML files](usmt-customize-xml-files.md)|Describes how to customize USMT XML files.|
+|[Custom XML examples](usmt-custom-xml-examples.md)|Gives examples of XML files for various migration scenarios.|
+|[Conflicts and precedence](usmt-conflicts-and-precedence.md)|Describes the precedence of migration rules and how conflicts are handled.|
+|[General conventions](usmt-general-conventions.md)|Describes the XML helper functions.|
+|[XML file requirements](xml-file-requirements.md)|Describes the requirements for custom XML files.|
+|[Recognized environment variables](usmt-recognized-environment-variables.md)|Describes environment variables recognized by USMT.|
+|[XML elements library](usmt-xml-elements-library.md)|Describes the XML elements and helper functions for authoring migration XML files to use with USMT.|
diff --git a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
index a6ad05ad42..60856e7a7e 100644
--- a/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
+++ b/windows/deployment/usmt/verify-the-condition-of-a-compressed-migration-store.md
@@ -1,125 +1,104 @@
 ---
 title: Verify the Condition of a Compressed Migration Store (Windows 10)
-description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT).
+description: Use these tips and tricks to verify the condition of a compressed migration store when using User State Migration Tool (USMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# Verify the Condition of a Compressed Migration Store
-
+# Verify the condition of a compressed migration store
 
 When you migrate files and settings during a typical PC-refresh migration, the user state is usually stored in a compressed folder on the intermediate store. This compressed folder, also called the compressed migration store, is a single image file that contains:
 
--   All of the files being migrated.
+- All of the files being migrated.
 
--   The user’s settings.
+- The user's settings.
 
--   A catalog file that contains metadata for all files in the migration store.
+- A catalog file that contains metadata for all files in the migration store.
 
-When you run the **LoadState** command to load the data from these files to the destination computer, LoadState requires a valid catalog file in order to open the migration store. You can run the **UsmtUtils** command with the **/verify** option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the **/verify** option on the migration store before you overwrite the original user-state files and settings.
+When you run the `LoadState.exe` command to load the data from these files to the destination computer, **LoadState** requires a valid catalog file in order to open the migration store. You can run the `UsmtUtils.exe` command with the `/verify` option to determine whether the compressed migration store is intact, or whether it contains corrupted files or a corrupted catalog. You should run the `/verify` option on the migration store before you overwrite the original user-state files and settings.
 
-When you use the **/verify** option, you can specify what type of information to report in the UsmtUtils log file. These report types are:
+When you use the `/verify` option, you can specify what type of information to report in the **UsmtUtils** log file. These report types are:
 
--   **Catalog**: Displays the status of only the catalog file.
+- **Catalog**: Displays the status of only the catalog file.
 
--   **All**: Displays the status of all files, including the catalog file.
+- **All**: Displays the status of all files, including the catalog file.
 
--   **Failure only**: Displays only the files that are corrupted.
+- **Failure only**: Displays only the files that are corrupted.
 
-## In This Topic
+The following sections demonstrate how to run the `UsmtUtils.exe` command with the `/verify` option, and how to specify the information to display in the **UsmtUtils** log file.
 
-
-The following sections demonstrate how to run the **UsmtUtils** command with the **/verify** option, and how to specify the information to display in the UsmtUtils log file.
-
--   [The UsmtUtils syntax for the /verify option](#bkmk-verifysyntax)
-
--   [To verify that the migration store is intact](#bkmk-verifyintactstore)
-
--   [To verify the status of only the catalog file](#bkmk-verifycatalog)
-
--   [To verify the status of all files](#bkmk-verifyallfiles)
-
--   [To verify the status of the files and return only the corrupted files](#bkmk-returncorrupted)
-
-### <a href="" id="bkmk-verifysyntax"></a>The UsmtUtils Syntax for the /verify Option
+## The UsmtUtils syntax for the /verify option
 
 To verify the condition of a compressed migration store, use the following UsmtUtils syntax:
 
-cd /d&lt;USMTpath&gt;usmtutils /verify\[:&lt;reportType&gt;\] &lt;filePath&gt; \[/l:&lt;logfile&gt;\] \[/decrypt \[:&lt;AlgID&gt;\] {/key:&lt;keystring&gt; | /keyfile:&lt;filename&gt;}\]
+> UsmtUtils.exe /verify\[:&lt;*reportType*&gt;\] &lt;*filePath*&gt; \[/l:&lt;*logfile*&gt;\] \[/decrypt \[:&lt;*AlgID*&gt;\] {/key:&lt;*keystring*&gt; | /keyfile:&lt;*filename*&gt;}\]
 
 Where the placeholders have the following values:
 
--   *&lt;USMTpath&gt;* is the location where you have saved the USMT files and tools.
+- *&lt;USMTpath&gt;* is the location where you've saved the USMT files and tools.
 
--   *&lt;reportType&gt;* specifies whether to report on all files, corrupted files only, or the status of the catalog.
+- *&lt;reportType&gt;* specifies whether to report on all files, corrupted files only, or the status of the catalog.
 
--   *&lt;filePath&gt;* is the location of the compressed migration store.
+- *&lt;filePath&gt;* is the location of the compressed migration store.
 
--   *&lt;logfile&gt;* is the location and name of the log file.
+- *&lt;logfile&gt;* is the location and name of the log file.
 
--   *&lt;AlgID&gt;* is the cryptographic algorithm that was used to create the migration store on the **ScanState** command line.
+- *&lt;AlgID&gt;* is the cryptographic algorithm that was used to create the migration store on the `ScanState.exe` command line.
 
--   *&lt;keystring&gt;* is the encryption key that was used to encrypt the migration store.
+- *&lt;keystring&gt;* is the encryption key that was used to encrypt the migration store.
 
--   *&lt;filename&gt;* is the location and name of the text file that contains the encryption key.
+- *&lt;filename&gt;* is the location and name of the text file that contains the encryption key.
 
-### <a href="" id="bkmk-verifyintactstore"></a>To Verify that the Migration Store is Intact
+## To verify that the migration store is intact
 
-To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, type:
+To verify whether the migration store is intact or whether it contains corrupted files or a corrupted catalog, enter:
 
-``` syntax
-usmtutils /verify D:\MyMigrationStore\store.mig
+```cmd
+UsmtUtils.exe /verify D:\MyMigrationStore\store.mig
 ```
 
-Because no report type is specified, UsmtUtils displays the default summary report.
+Because no report type is specified, **UsmtUtils** displays the default summary report.
 
-### <a href="" id="bkmk-verifycatalog"></a>To Verify the Status of Only the Catalog File
+## To verify the status of only the catalog file
 
-To verify whether the catalog file is corrupted or intact, type:
+To verify whether the catalog file is corrupted or intact, enter:
 
-``` syntax
-usmtutils /verify:catalog D:\MyMigrationStore\store.mig
+```cmd
+UsmtUtils.exe /verify:catalog D:\MyMigrationStore\store.mig
 ```
 
-### <a href="" id="bkmk-verifyallfiles"></a>To Verify the Status of all Files
+## To verify the status of all files
 
-To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, type:
+To verify whether there are any corrupted files in the compressed migration store, and to specify the name and location of the log file, enter:
 
-`usmtutils /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
+```cmd
+UsmtUtils.exe /verify:all D:\MyMigrationStore\store.mig /decrypt /l:D:\UsmtUtilsLog.txt`
+```
 
-In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, UsmtUtils uses the default 3DES cryptographic algorithm.
+In addition to verifying the status of all files, this example decrypts the files. Because no encryption algorithm is specified, **UsmtUtils** uses the default 3DES cryptographic algorithm.
 
-### <a href="" id="bkmk-returncorrupted"></a>To Verify the Status of the Files and Return Only the Corrupted Files
+## To verify the status of the files and return only the corrupted files
 
-In this example, the log file will only list the files that became corrupted during the ScanState process. This list will include the catalog file if it is also corrupted.
+In this example, the log file will only list the files that became corrupted during the **ScanState** process. This list will include the catalog file if it's also corrupted.
 
-``` syntax
-usmtutils /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt
+```cmd
+UsmtUtils.exe /verify:failureonly D:\MyMigrationStore\USMT\store.mig /decrypt:AES_192 /keyfile:D:\encryptionKey.txt
 ```
 
 This example also decrypts the files by specifying the cryptographic algorithm and the location of the file that contains the encryption key.
 
-### Next Steps
-
-If the **/verify** option indicates that there are corrupted files in the migration store, you can use the **/extract** option in the UsmtUtils tool to recover data from some corrupted stores. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).
-
-## Related topics
-
-
-[UsmtUtils Syntax](usmt-utilities.md)
-
-[Return Codes](usmt-return-codes.md)
-
- 
-
- 
-
+## Next steps
 
+If the `/verify` option indicates that there are corrupted files in the migration store, you can use the `/extract` option in the **UsmtUtils** tool to recover data from some corrupted stores. For more information, see [Extract files from a compressed USMT migration store](usmt-extract-files-from-a-compressed-migration-store.md).
 
+## Related articles
 
+[UsmtUtils syntax](usmt-utilities.md)
 
+[Return codes](/troubleshoot/windows-client/deployment/usmt-return-codes)
diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md
index 9fa7659525..156809cb6d 100644
--- a/windows/deployment/usmt/xml-file-requirements.md
+++ b/windows/deployment/usmt/xml-file-requirements.md
@@ -2,45 +2,36 @@
 title: XML File Requirements (Windows 10)
 description: Learn about the XML file requirements for creating custom .xml files, like the file must be in UTF-8 and have a unique migration URL ID.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/19/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/01/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
-# XML File Requirements
-
+# XML file requirements
 
 When creating custom .xml files, note the following requirements:
 
--   **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file:
+- **The file must be in Unicode Transformation Format-8 (UTF-8).** Save the file in this format, and you must specify the following syntax at the beginning of each .xml file:
 
-    ``` xml
+    ```xml
     <?xml version="1.0" encoding="UTF-8"?>
     ```
 
--   **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file:
+- **The file must have a unique migration URL ID**. The URL ID of each file that you specify on the command line must be different. If two migration .xml files have the same URL ID, the second .xml file that is specified on the command line won't be processed. The second file won't be processed because USMT uses the URL ID to define the components within the file. For example, you must specify the following syntax at the beginning of each file:
 
-    ``` xml
+    ```xml
     <?xml version="1.0" encoding="UTF-8"?>
     <migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/<CustomFileName>">
     ```
 
--   **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the Config.xml file defines the components by the display name and the migration URL ID. For example, specify the following syntax:
+- **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This condition is because the `Config.xml` file defines the components by the display name and the migration URL ID. For example, specify the following syntax:
 
-    ``` xml
+    ```xml
     <displayName>My Application</displayName>
     ```
 
-For examples of custom .xml files, see [Custom XML Examples](usmt-custom-xml-examples.md).
-
- 
-
- 
-
-
-
-
-
+For examples of custom .xml files, see [Custom XML examples](usmt-custom-xml-examples.md).
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 187ec9c7c0..fbbf1013ee 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -2,21 +2,21 @@
 title: Configure VDA for Windows subscription activation
 description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
 ms.custom: seo-marvel-apr2020
 ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
 ms.topic: how-to
 ms.collection: M365-modern-desktop
-ms.date: 09/26/2022
+ms.date: 11/23/2022
 ---
 
 # Configure VDA for Windows subscription activation
 
-Applies to:
+*Applies to:*
 
 - Windows 10
 - Windows 11
@@ -61,42 +61,55 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
 ## Active Directory-joined VMs
 
 1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image)
-2. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
+
+2. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
 
     ```cmd
-    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
+    REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
     ```
 
-3. At an elevated command prompt, type **sysdm.cpl** and press ENTER.
+3. At an elevated command prompt, enter **sysdm.cpl**.
+
 4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
-5. Select **Add**, type **Authenticated users**, and then select **OK** three times.
+
+5. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
+
 6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again.
+
 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8.
     1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-    1. Open Windows Configuration Designer and select **Provision desktop services**.
-    1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
+
+    2. Open Windows Configuration Designer and select **Provision desktop services**.
+
+    3. Under **Name**, enter **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
 
         > [!NOTE]
         > You can use a different project name, but this name is also used with dism.exe in a later step.
 
-    1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
-    1. On the Set up network page, choose **Off**.
-    1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
+    4. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
+
+    5. On the Set up network page, choose **Off**.
+
+    6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
 
         > [!NOTE]
         > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
 
-    1. On the Add applications page, add applications if desired. This step is optional.
-    1. On the Add certificates page, add certificates if desired. This step is optional.
-    1. On the Finish page, select **Create**.
-    1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
-    1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
+    7. On the Add applications page, add applications if desired. This step is optional.
+
+    8. On the Add certificates page, add certificates if desired. This step is optional.
+
+    9. On the Finish page, select **Create**.
+
+    10. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image.
+
+    11. Enter the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested:
 
         ```cmd
         Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg"
         ```
 
-    1. Right-click the mounted image in file explorer and select **Eject**.
+    12. Right-click the mounted image in file explorer and select **Eject**.
 
 8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image.
 
@@ -107,33 +120,50 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
 
 For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
 
-- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
+- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
+
 - During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
+
 - When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg**
+
 - When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure).
 
 ## Azure Gallery VMs
 
-1. (Optional) To disable network level authentication, type the following command at an elevated command prompt:
+1. (Optional) To disable network level authentication, enter the following command at an elevated command prompt:
 
     ```cmd
-    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
+    REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
     ```
 
-2. At an elevated command prompt, type `sysdm.cpl` and press ENTER.
+2. At an elevated command prompt, enter `sysdm.cpl`.
+
 3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**.
-4. Select **Add**, type **Authenticated users**, and then select **OK** three times.
+
+4. Select **Add**, enter **Authenticated users**, and then select **OK** three times.
+
 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+
 6. Open Windows Configuration Designer and select **Provision desktop services**.
+
 7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
-    1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
-    2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
-8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
+
+    1. Under **Name**, enter **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name.
+
+    2. Under **Enter product key** enter the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`.
+
+8. Under **Name**, enter **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name.
+
 9. On the Set up network page, choose **Off**.
+
 10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
+
 11. On the Add applications page, add applications if desired. This step is optional.
+
 12. On the Add certificates page, add certificates if desired. This step is optional.
+
 13. On the Finish page, select **Create**.
+
 14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system.
 
 > [!NOTE]
@@ -142,9 +172,13 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
 ## Create custom RDP settings for Azure
 
 1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host.
+
 2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it.
+
 3. Close the Remote Desktop Connection window and open Notepad.
+
 4. Open the RDP file in Notepad to edit it.
+
 5. Enter or replace the line that specifies authentication level with the following two lines of text:
 
     ```text
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
index 8b4201322d..b5ccb893f4 100644
--- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md
@@ -2,17 +2,18 @@
 title: Activate by Proxy an Active Directory Forest (Windows 10)
 description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Activate by Proxy an Active Directory Forest
 
-You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that does not have Internet access. ADBA enables certain volume products to inherit activation from the domain.
+You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest for an isolated workgroup that doesn't have Internet access. ADBA enables certain volume products to inherit activation from the domain.
 
 > [!IMPORTANT]
 > ADBA is only applicable to *Generic Volume License Keys (GVLKs)* and *KMS Host key (CSVLK)*. To use ADBA, one or more KMS Host keys (CSVLK) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
@@ -25,28 +26,42 @@ In a typical proxy-activation scenario, the VAMT host computer distributes a pro
 ## Requirements
 
 Before performing proxy activation, ensure that the network and the VAMT installation meet the following requirements:
-- There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup.
+
+- There's an instance of VAMT that is installed on a computer that has Internet access. If you're performing proxy activation for an isolated workgroup, you must also have VAMT installed on one of the computers in the workgroup.
 - VAMT has administrative permissions to the Active Directory domain.
 
-**To perform an Active Directory forest proxy activation**
+### To perform an Active Directory forest proxy activation
 
-1.  Open VAMT.
-2.  In the left-side pane, click the **Active Directory-Based Activation** node.
-3.  In the right-side **Actions** pane, click **Proxy activate forest** to open the **Install Product Key** dialog box.
-4.  In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate.
-5.  If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
-6.  Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then click **Open**. If you are activating an AD forest in an isolated workgroup, save the .cilx file to a removable media device.
-7.  Click **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
-9.  Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
-10. In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
-11. In the **Acquire confirmation IDs for file** dialog box, browse to where the .cilx file you exported from the isolated workgroup host computer is located. Select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs.
-12. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Click **OK** to close the message.
-13. Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup.
-14. Open VAMT and then click the **Active Directory-Based Activation** node in the left-side pane.
-15. In the right-side **Actions** pane, click **Apply confirmation ID to Active Directory domain**, browse to the .cilx file and then click **Open**.
+1. Open VAMT.
+
+2. In the left-side pane, select the **Active Directory-Based Activation** node.
+
+3. In the right-side **Actions** pane, select **Proxy activate forest** to open the **Install Product Key** dialog box.
+
+4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to activate.
+
+5. If you want to rename the ADBA object, enter a new Active Directory-Based Activation Object name. If you want to rename the ADBA object, you must do it now. After you select **Install Key**, the name can't be changed.
+
+6. Enter the name of the file where you want to save the offline installation ID, or browse to the file location and then select **Open**. If you're activating an AD forest in an isolated workgroup, save the `.cilx` file to a removable media device.
+
+7. Select **Install Key**. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
+
+8. Insert the removable media into the VAMT host that has Internet access. Make sure that you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
+
+9. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
+
+10. In the **Acquire confirmation IDs for file** dialog box, browse to where the `.cilx` file you exported from the isolated workgroup host computer is located. Select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and acquires the CIDs.
+
+11. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows how many confirmation IDs were successfully acquired, and the name of the file to which the IDs were saved. Select **OK** to close the message.
+
+12. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated workgroup.
+
+13. Open VAMT and then select the **Active Directory-Based Activation** node in the left-side pane.
+
+14. In the right-side **Actions** pane, select **Apply confirmation ID to Active Directory domain**, browse to the `.cilx` file and then select **Open**.
 
 VAMT displays the **Activating Active Directory** dialog box until it completes the requested action. The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
 
-## Related topics
+## Related articles
 
 - [Add and Remove Computers](add-remove-computers-vamt.md)
diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md
index 3cbecb7694..70940f40ec 100644
--- a/windows/deployment/volume-activation/activate-forest-vamt.md
+++ b/windows/deployment/volume-activation/activate-forest-vamt.md
@@ -2,45 +2,54 @@
 title: Activate an Active Directory Forest Online (Windows 10)
 description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Activate an Active Directory Forest Online
 
 You can use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest over the Internet. ADBA enables certain products to inherit activation from the domain.
 
-**Important**  
-ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
+> [!IMPORTANT]
+> ADBA is only applicable to Generic Volume License Keys (GVLKs) and KMS Host keys (CSVLKs). To use ADBA, one or more KMS Host keys (CSVLKs) must be installed on the AD forest, and client keys (GVLKs) must be installed on the client products.
 
 ## Requirements
 
 Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
--   VAMT is installed on a host computer that has Internet access.
--   VAMT has administrative permissions to the Active Directory domain.
--   The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
 
-**To perform an online Active Directory forest activation**
+- VAMT is installed on a host computer that has Internet access.
 
-1.  Open VAMT.
-2.  In the left-side pane, click the **Active Directory-Based Activation** node.
-3.  In the right-side **Actions** pane, click **Online activate forest** to open the **Install Product Key** dialog box.
-4.  In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
-5.  If required, enter a new Active Directory-Based Activation Object name
+- VAMT has administrative permissions to the Active Directory domain.
 
-    **Important**  
-    If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
+- The KMS Host key (CSVLK) you intend to use is added to VAMT in the **Product Keys** node.
 
-6.  Click **Install Key**.
-7.  VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
+### To perform an online Active Directory forest activation
 
-The activated object and the date that is was created appear in the **Active Directory-Based Activation** node in the center pane.
+1. Open VAMT.
 
-## Related topics
+2. In the left-side pane, select the **Active Directory-Based Activation** node.
+
+3. In the right-side **Actions** pane, select **Online activate forest** to open the **Install Product Key** dialog box.
+
+4. In the **Install Product Key** dialog box, select the KMS Host key (CSVLK) that you want to apply to the AD forest.
+
+5. If necessary, enter a new Active Directory-Based Activation Object name.
+
+    > [!IMPORTANT]
+    > If you want to rename the ADBA object, you must do it now. After you click **Install Key**, the name cannot be changed.
+
+6. Select **Install Key**.
+
+7. VAMT displays the **Activating Active Directory** dialog box until it completes the requested action.
+
+The activated object and the date that it was created appear in the **Active Directory-Based Activation** node in the center pane.
+
+## Related articles
 
 - [Scenario 1: Online Activation](scenario-online-activation-vamt.md)
 - [Add and Remove Computers](add-remove-computers-vamt.md)
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 8dc4f7f75d..3892da1105 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,20 +1,20 @@
 ---
 title: Activate using Active Directory-based activation
 description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
+manager: aaroncz
+author: frankroj
+ms.author: frankroj
 ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
-ms.date: 09/16/2022
+ms.date: 11/07/2022
 ms.topic: how-to
 ms.collection: highpri
 ---
 
 # Activate using Active Directory-based activation
 
-**Applies to supported versions of**
+*Applies to:*
 
 - Windows
 - Windows Server
@@ -23,18 +23,18 @@ ms.collection: highpri
 > [!TIP]
 > Are you looking for information on retail activation?
 >
-> - [Product activation for Windows](https://support.microsoft.com/windows/product-activation-for-windows-online-support-telephone-numbers-35f6a805-1259-88b4-f5e9-b52cccef91a0)
-> - [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227)
+> - [Activate Windows](https://support.microsoft.com/help/12440/)
+> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
-Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using *adprep.exe* on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
+Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using `adprep.exe` on a supported server OS. After the schema is updated, older domain controllers can still activate clients.
 
 Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention.
 
-To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
+To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console, or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10.
 
 The process proceeds as follows:
 
-1. Do _one_ of the following tasks:
+1. Do *one* of the following tasks:
 
     - Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard.
 
@@ -134,6 +134,6 @@ To verify your Active Directory-based activation configuration, complete the fol
     >
     > To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md).
 
-## See also
+## Related articles
 
 [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 8c64ff18da..e136dd82b5 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -1,19 +1,20 @@
 ---
 title: Activate using Key Management Service (Windows 10)
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: How to activate using Key Management Service in Windows 10.
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 10/16/2017
+ms.date: 11/07/2022
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # Activate using Key Management Service
 
-**Applies to**
+*Applies to:*
 
 - Windows 10
 - Windows 8.1
@@ -23,82 +24,91 @@ ms.collection: highpri
 - Windows Server 2012
 - Windows Server 2008 R2
 
-**Looking for retail activation?**
+> [!TIP]
+> Are you looking for information on retail activation?
+>
+> - [Activate Windows](https://support.microsoft.com/help/12440/)
+> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
-- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/)
-- [Get Help Activating Microsoft Windows 7 or Windows 8.1 ](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
 
-There are three possible scenarios for volume activation of Windows 10 or Windows Server 2012 R2 by using a Key Management Service (KMS) host:
-
-- Host KMS on a computer running Windows 10
-- Host KMS on a computer running Windows Server 2012 R2
+- Host KMS on a computer running Windows 10
+- Host KMS on a computer running Windows Server 2012 R2
 - Host KMS on a computer running an earlier version of Windows
 
 Check out [Windows 10 Volume Activation Tips](/archive/blogs/askcore/windows-10-volume-activation-tips).
 
-## Key Management Service in Windows 10
+## Key Management Service in Windows 10
+
+Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
 
-Installing a KMS host key on a computer running Windows 10 allows you to activate other computers running Windows 10 against this KMS host and earlier versions of the client operating system, such as Windows 8.1 or Windows 7.
 Clients locate the KMS server by using resource records in DNS, so some configuration of DNS may be required. This scenario can be beneficial if your organization uses volume activation for clients and MAK-based activation for a smaller number of servers.
 To enable KMS functionality, a KMS key is installed on a KMS host; then, the host is activated over the Internet or by phone using Microsoft activation services.
 
 ### Configure KMS in Windows 10
 
-To activate, use the slmgr.vbs command. Open an elevated command prompt and run one of the following commands:
+To activate, use the `slmgr.vbs` command. Open an elevated command prompt and run one of the following commands:
+
+- To install the KMS key, run the command `slmgr.vbs /ipk <KmsKey>`.
+
+- To activate online, run the command `slmgr.vbs /ato`.
 
-- To install the KMS key, type `slmgr.vbs /ipk <KmsKey>`.
-- To activate online, type `slmgr.vbs /ato`.
 - To activate by telephone, follow these steps:
+
   1. Run `slmgr.vbs /dti` and confirm the installation ID.
+
   2. Call [Microsoft Licensing Activation Centers worldwide telephone numbers](https://www.microsoft.com/licensing/existing-customer/activation-centers) and follow the voice prompts to enter the installation ID that you obtained in step 1 on your telephone.
+
   3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
+
   4. Run `slmgr.vbs /atp \<confirmation ID\>`.
 
-For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)).
+For more information, see the information for Windows 7 in [Deploy KMS Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn502531(v=ws.11)).
 
-## Key Management Service in Windows Server 2012 R2
+## Key Management Service in Windows Server 2012 R2
 
-Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
+Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista.
 
 > [!NOTE]
 > You cannot install a client KMS key into the KMS in Windows Server.
 
-This scenario is commonly used in larger organizations that do not find the overhead of using a server a burden.
+This scenario is commonly used in larger organizations that don't find the overhead of using a server a burden.
 
 > [!NOTE]
-> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [KB 3086418](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
+> If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, see [Error 0xC004F015 when you activate Windows 10 Enterprise on a Windows Server 2012 R2 KMS host](/troubleshoot/windows-server/deployment/error-0xc004f015-activate-windows-10).
 
-### Configure KMS in Windows Server 2012 R2
+### Configure KMS in Windows Server 2012 R2
 
 1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials.
+
 2. Launch Server Manager.
+
 3. Add the Volume Activation Services role, as shown in Figure 4.
 
    ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg)
 
    **Figure 4**. Adding the Volume Activation Services role in Server Manager
 
-4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
+4. When the role installation is complete, select the link to launch the Volume Activation Tools (Figure 5).
 
    ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg)
 
    **Figure 5**. Launching the Volume Activation Tools
 
-5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
-      This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
+5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). This computer can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
 
    ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg)
 
    **Figure 6**. Configuring the computer as a KMS host
 
-6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
+6. Install your KMS host key by typing it in the text box, and then select **Commit** (Figure 7).
 
    ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg)
 
    **Figure 7**. Installing your KMS host key
 
-7. If asked to confirm replacement of an existing key, click **Yes**.
-8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
+7. If asked to confirm replacement of an existing key, select **Yes**.
+8. After the product key is installed, you must activate it. Select **Next** (Figure 8).
 
    ![Activating the software.](../images/volumeactivationforwindows81-08.jpg)
 
@@ -114,26 +124,28 @@ Now that the KMS host is configured, it will begin to listen for activation requ
 
 ## Verifying the configuration of Key Management Service
 
-You can verify KMS volume activation from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
+KMS volume activation can be verified from the KMS host server or from the client computer. KMS volume activation requires a minimum threshold of 25 computers before activation requests will be processed. The verification process described here will increment the activation count each time a client computer contacts the KMS host, but unless the activation threshold is reached, the verification will take the form of an error message rather than a confirmation message.
 
 > [!NOTE]
-> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
+> If you configured Active Directory-based activation before configuring KMS activation, you must use a client computer that will not first try to activate itself by using Active Directory-based activation. You could use a workgroup computer that is not joined to a domain or a computer running Windows 7 or Windows Server 2008 R2.
 
 To verify that KMS volume activation works, complete the following steps:
 
 1. On the KMS host, open the event log and confirm that DNS publishing is successful.
-2. On a client computer, open a Command Prompt window, type **Slmgr.vbs /ato**, and then press ENTER.
 
-   The **/ato** command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
-3. On a client computer or the KMS host, open an elevated Command Prompt window, type **Slmgr.vbs /dlv**, and then press ENTER.
+2. On a client computer, open a Command Prompt window and run the command `Slmgr.vbs /ato`.
 
-   The **/dlv** command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This confirms that KMS is functioning correctly, even though the client has not been activated.
+   The `/ato` command causes the operating system to attempt activation by using whichever key has been installed in the operating system. The response should show the license state and detailed Windows version information.
+
+3. On a client computer or the KMS host, open an elevated Command Prompt window and run the command `Slmgr.vbs /dlv`.
+
+   The `/dlv` command displays the detailed licensing information. The response should return an error that states that the KMS activation count is too low. This test confirms that KMS is functioning correctly, even though the client hasn't been activated.
 
 For more information about the use and syntax of slmgr.vbs, see [Slmgr.vbs Options](/windows-server/get-started/activation-slmgr-vbs-options).
 
 ## Key Management Service in earlier versions of Windows
 
-If you have already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
+If you've already established a KMS infrastructure in your organization for an earlier version of Windows, you may want to continue using that infrastructure to activate computers running Windows 10 or Windows Server 2012 R2. Your existing KMS host must be running Windows 7 or later. To upgrade your KMS host, complete the following steps:
 
 1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
 2. Request a new KMS host key from the Volume Licensing Service Center.
@@ -142,6 +154,6 @@ If you have already established a KMS infrastructure in your organization for an
 
 For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
 
-## See also
+## Related articles
 
 - [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index 4c3a45ae2e..9be66de526 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -1,58 +1,69 @@
 ---
 title: Activate clients running Windows 10 (Windows 10)
-description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
+description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Activate clients running Windows 10
 
-**Applies to**
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012 R2
--   Windows Server 2012
--   Windows Server 2008 R2
+*Applies to:*
 
-**Looking for retail activation?**
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
 
--   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+> [!TIP]
+> Are you looking for information on retail activation?
+>
+> - [Activate Windows](https://support.microsoft.com/help/12440/)
+> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+
+After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
 
-After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. If the computer has been configured with a Generic Volume License Key (GVLK), neither IT nor the user need take any action. It just works.
 Enterprise edition images and installation media should already be configured with the GVLK. When the client computer starts, the Licensing service examines the current licensing condition of the computer.
-If activation or reactivation is required, the following sequence occurs:
-1.  If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
-2.  If the computer is not a member of a domain or if the volume activation object is not available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer’s GVLK.
-3.  The computer tries to activate against Microsoft servers if it is configured with a MAK.
 
-If the client is not able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
+If activation or reactivation is required, the following sequence occurs:
+
+1. If the computer is a member of a domain, it asks a domain controller for a volume activation object. If Active Directory-based activation is configured, the domain controller returns the object. If the object matches the edition of the software that is installed and the computer has a matching GVLK, the computer is activated (or reactivated), and it will not need to be activated again for 180 days, although the operating system will attempt reactivation at much shorter, regular intervals.
+
+2. If the computer isn't a member of a domain or if the volume activation object isn't available, the computer will issue a DNS query to attempt to locate a KMS server. If a KMS server can be contacted, activation occurs if the KMS has a key that matches the computer's GVLK.
+
+3. The computer tries to activate against Microsoft servers if it's configured with a MAK.
+
+If the client isn't able to activate itself successfully, it will periodically try again. The frequency of the retry attempts depends on the current licensing state and whether the client computer has been successfully activated in the past. For example, if the client computer had been previously activated by Active Directory-based activation, it will periodically try to contact the domain controller at each restart.
 
 ## How Key Management Service works
 
-KMS uses a client–server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
+KMS uses a client-server topology. KMS client computers can locate KMS host computers by using DNS or a static configuration. KMS clients contact the KMS host by using RPCs carried over TCP/IP.
 
 ### Key Management Service activation thresholds
 
 You can activate physical computers and virtual machines by contacting a KMS host. To qualify for KMS activation, there must be a minimum number of qualifying computers (called the activation threshold). KMS clients will be activated only after this threshold has been met. Each KMS host counts the number of computers that have requested activation until the threshold is met.
 
-A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold are not activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
-When KMS clients are waiting for the KMS to reach the activation threshold, they will connect to the KMS host every two hours to get the current activation count. They will be activated when the threshold is met.
+A KMS host responds to each valid activation request from a KMS client with the count of how many computers have already contacted the KMS host for activation. Client computers that receive a count below the activation threshold aren't activated. For example, if the first two computers that contact the KMS host are running Windows 10, the first receives an activation count of 1, and the second receives an activation count of 2. If the next computer is a virtual machine on a computer running Windows 10, it receives an activation count of 3, and so on. None of these computers will be activated, because computers running Windows 10, like other client operating system versions, must receive an activation count of 25 or more.
 
-In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it is activated. If a computer running Windows 10 receives an activation count of 25 or more, it is activated.
+When KMS clients are waiting for the KMS to reach the activation threshold, they'll connect to the KMS host every two hours to get the current activation count. They'll be activated when the threshold is met.
+
+In our example, if the next computer that contacts the KMS host is running Windows Server 2012 R2, it receives an activation count of 4, because activation counts are cumulative. If a computer running Windows Server 2012 R2 receives an activation count that is 5 or more, it's activated. If a computer running Windows 10 receives an activation count of 25 or more, it's activated.
 
 ### Activation count cache
 
-To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30day period begins again. If a KMS client computer does not renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
-However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
-The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
+To track the activation threshold, the KMS host keeps a record of the KMS clients that request activation. The KMS host gives each KMS client a client ID designation, and the KMS host saves each client ID in a table. By default, each activation request remains in the table for up to 30 days. When a client renews its activation, the cached client ID is removed from the table, a new record is created, and the 30 day period begins again. If a KMS client computer doesn't renew its activation within 30 days, the KMS host removes the corresponding client ID from the table and reduces the activation count by one.
+
+However, the KMS host only caches twice the number of client IDs that are required to meet the activation threshold. Therefore, only the 50 most recent client IDs are kept in the table, and a client ID could be removed much sooner than 30 days.
+The total size of the cache is set by the type of client computer that is attempting to activate. If a KMS host receives activation requests only from servers, the cache will hold only 10 client IDs (twice the required 5). If a client computer running Windows 10 contacts that KMS host, KMS increases the cache size to 50 to accommodate the higher threshold. KMS never reduces the cache size.
 
 ### Key Management Service connectivity
 
@@ -60,63 +71,67 @@ KMS activation requires TCP/IP connectivity. By default, KMS hosts and clients u
 
 ### Key Management Service activation renewal
 
-KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every 7 days. If KMS activation fails, the client computer retries every two hours. After a client computer’s activation is renewed, the activation validity interval begins again.
+KMS activations are valid for 180 days (the *activation validity interval*). To remain activated, KMS client computers must renew their activation by connecting to the KMS host at least once every 180 days. By default, KMS client computers attempt to renew their activation every seven days. If KMS activation fails, the client computer retries every two hours. After a client computer's activation is renewed, the activation validity interval begins again.
 
 ### Publication of the Key Management Service
 
-The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update is not available or the KMS host does not have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
+The KMS uses service (SRV) resource records in DNS to store and communicate the locations of KMS hosts. KMS hosts use the DNS dynamic update protocol, if available, to publish the KMS service (SRV) resource records. If dynamic update isn't available or the KMS host doesn't have rights to publish the resource records, the DNS records must be published manually, or you must configure client computers to connect to specific KMS hosts.
 
 ### Client discovery of the Key Management Service
 
 By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
-Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
-If the KMS host that a client computer selects does not respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host does not respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
-By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
+
+Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
+
+If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.
+
+By default, client computers connect to the KMS host for activation by using anonymous RPCs through TCP port 1688. (You can change the default port.) After establishing a TCP session with the KMS host, the client computer sends a single request packet. The KMS host responds with the activation count. If the count meets or exceeds the activation threshold for that operating system, the client computer is activated, and the session is closed. The KMS client computer uses this same process for renewal requests. 250 bytes are used for communication each way.
 
 ### Domain Name System server configuration
 
-The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
-The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
+The default KMS automatic publishing feature requires the service (SRV) resource record and support for DNS dynamic update protocol. KMS client computer default behavior and the KMS service (SRV) resource record publishing are supported on a DNS server that is running Microsoft software or any other DNS server that supports service (SRV) resource records (per Internet Engineering Task Force \[IETF\] Request for Comments \[RFC\] 2782) and dynamic updates (per IETF RFC 2136). For example, Berkeley Internet Domain Name versions 8.x and 9.x support service (SRV) resource records and dynamic update.
+The KMS host must be configured so that it has the credentials needed to create and update the following resource records on the DNS servers: service (SRV), IPv4 host (A), and IPv6 host (AAAA), or the records need to be created manually. The recommended solution for giving the KMS host the needed credentials is to create a security group in AD DS, then add all KMS hosts to that group. On a DNS server that is running Microsoft software, ensure that this security group is given full control over the \_VLMCS.\_TCP record in each DNS domain that will contain the KMS service (SRV) resource records.
 
 ### Activating the first Key Management Service host
 
-KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host does not communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
+KMS hosts on the network need to install a KMS key, and then be activated with Microsoft. Installation of a KMS key enables the KMS on the KMS host. After installing the KMS key, complete the activation of the KMS host by telephone or online. Beyond this initial activation, a KMS host doesn't communicate any information to Microsoft. KMS keys are only installed on KMS hosts, never on individual KMS client computers.
 
 ### Activating subsequent Key Management Service hosts
 
-Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization’s KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
+Each KMS key can be installed on up to six KMS hosts. These hosts can be physical computers or virtual machines. After activating a KMS host, the same host can be reactivated up to nine times with the same key. If the organization needs more than six KMS hosts, you can request additional activations for your organization's KMS key by calling a Microsoft Volume [Licensing Activation Center](https://go.microsoft.com/fwlink/p/?LinkID=618264) to request an exception.
 
 ## How Multiple Activation Key works
 
-A MAK is used for one-time activation with Microsoft’s hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization’s exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
+A MAK is used for one-time activation with Microsoft's hosted activation services. Each MAK has a predetermined number of allowed activations. This number is based on volume licensing agreements, and it might not match the organization's exact license count. Each activation that uses a MAK with the Microsoft hosted activation service counts toward the activation limit.
 
 You can activate computers by using a MAK in two ways:
--   **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
+
+- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that don't maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
 
     ![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg)
-    
+
     **Figure 16**. MAK independent activation
--   **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
+
+- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It's also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
 
     ![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg)
-    
+
     **Figure 17**. MAK proxy activation with the VAMT
 
-A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation does not meet the KMS activation threshold.
+A MAK is recommended for computers that rarely or never connect to the corporate network and for environments in which the number of computers that require activation doesn't meet the KMS activation threshold.
 
-You can use a MAK for individual computers or with an image that can be duplicated or installed by using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. This is useful for moving a computer off the core network to a disconnected environment.
+You can use a MAK for individual computers or with an image that can be duplicated or installed using Microsoft deployment solutions. You can also use a MAK on a computer that was originally configured to use KMS activation. Switching from KMS to a MAK is useful for moving a computer off the core network to a disconnected environment.
 
 ### Multiple Activation Key architecture and activation
 
 MAK independent activation installs a MAK product key on a client computer. The key instructs that computer to activate itself with Microsoft servers over the Internet.
+
 In MAK proxy activation, the VAMT installs a MAK product key on a client computer, obtains the installation ID from the target computer, sends the installation ID to Microsoft on behalf of the client, and obtains a confirmation ID. The tool then activates the client computer by installing the confirmation ID.
 
 ## Activating as a standard user
 
-Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 do not require administrator privileges for activation, but this change does not allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as “rearm.”
+Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 don't require administrator privileges for activation, but this change doesn't allow standard user accounts to remove computers running Windows 7 or Windows Server 2008 R2 from the activated state. An administrator account is still required for other activation- or license-related tasks, such as "rearm."
 
-## See also
+## Related articles
 
--   [Volume Activation for Windows 10](volume-activation-windows-10.md)
- 
- 
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
index 9e64bfc93f..0fb8970234 100644
--- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md
+++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md
@@ -2,38 +2,38 @@
 title: Active Directory-Based Activation Overview (Windows 10)
 description: Enable your enterprise to activate its computers through a connection to their domain using Active Directory-Based Activation (ADBA).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 12/07/2018
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Active Directory-Based Activation overview
 
-Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain.
+Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company's domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it's distributed throughout the domain.
 
 ## ADBA scenarios
 
 You might use ADBA if you only want to activate domain joined devices.
 
-If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. 
+If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. Reactivating licenses isn't necessary When ADBA is used.
 
-ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values.
-
-Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. 
+ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. ADBA is simpler than using the DNS service to load balance by configuring priority and weight values.
 
+Some VDI solutions also require that new clients activate during creation before they're added to the pool. In this VDI scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage.
 
 ## ADBA methods
 
 VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods:
--   Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name.
--   Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
 
-## Related topics
+- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name.
+
+- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function.
+
+## Related articles
 
 - [How to Activate an Active Directory Forest Online](./activate-forest-vamt.md)
 - [How to Proxy Activate an Active Directory Forest](./activate-forest-by-proxy-vamt.md)
- 
- 
diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md
index d177646453..5f9bfce03d 100644
--- a/windows/deployment/volume-activation/add-manage-products-vamt.md
+++ b/windows/deployment/volume-activation/add-manage-products-vamt.md
@@ -2,25 +2,23 @@
 title: Add and Manage Products (Windows 10)
 description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Add and Manage Products
+# Add and manage products
 
 This section describes how to add client computers into the Volume Activation Management Tool (VAMT). After the computers are added, you can manage the products that are installed on your network.
 
 ## In this Section
 
-|Topic |Description |
-|------|------------|
+|Article |Description |
+|-------|------------|
 |[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. |
 |[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. |
 |[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. |
- 
- 
- 
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index b5ddea11f7..95bad2b880 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -2,58 +2,73 @@
 title: Add and Remove Computers (Windows 10)
 description: The Discover products function on the Volume Activation Management Tool (VAMT) allows you to search the Active Directory domain or a general LDAP query.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Add and Remove Computers
+# Add and remove computers
 
 You can add computers that have any of the supported Windows or Office products installed to a Volume Activation Management Tool (VAMT) database by using the **Discover products** function. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query. You can remove computers from a VAMT database by using the **Delete** function. After you add the computers, you can add the products that are installed on the computers by running the **Update license status** function.
 
-Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information see [Configure Client Computers](configure-client-computers-vamt.md).
+Before adding computers, ensure that the Windows Management Instrumentation (WMI) firewall exception required by VAMT has been enabled on all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
 ## To add computers to a VAMT database
 
-1.  Open VAMT.
-2.  Click **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box.
-3.  In the **Discover products** dialog box, click **Search for computers in the Active Directory** to display the search options, then click the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query.
-    -   To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names click the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
-    -   To search by individual computer name or IP address, click **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing.
-    -   To search for computers in a workgroup, click **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names click the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
-    -   To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks.
-4.  Click **Search**.
-5.  VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
-    To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane.
-    
+1. Open VAMT.
+
+2. Select **Discover products** in the **Actions** menu in the right-side pane to open the **Discover Products** dialog box.
+
+3. In the **Discover products** dialog box, select **Search for computers in the Active Directory** to display the search options, then select the search option you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query.
+
+    - To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**, then under **Domain Filter Criteria**, in the list of domain names select the name of the domain you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
+
+    - To search by individual computer name or IP address, select **Manually enter name or IP address**, then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. VAMT supports both IPv4 and IPV6 addressing.
+
+    - To search for computers in a workgroup, select **Search for computers in the workgroup**, then under **Workgroup Filter Criteria**, in the list of workgroup names select the name of the workgroup you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer within the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
+
+    - To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box provided. VAMT will validate only the LDAP query syntax, but will otherwise run the query without further checks.
+
+4. Select **Search**.
+
+5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
+
+    To cancel the search, select **Cancel**. When the search is complete, the names of the newly discovered computers appear in the product list view in the center pane.
+
     ![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif)
-    
-    **Important**  
-    This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
-    
+
+    > [!IMPORTANT]
+    > This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
+
 ## To add products to VAMT
 
-1.  In the **Products** list, select the computers that need to have their product information added to the VAMT database.
-2.  You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-3.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-4.  Click **Filter**. VAMT displays the filtered list in the center pane.
-5.  In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer. If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
-6.  VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
+1. In the **Products** list, select the computers that need to have their product information added to the VAMT database.
 
-    **Note**  
+2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+4. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+5. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
+
+6. VAMT displays the **Collecting product information** dialog box while it collects the licensing status of all supported products on the selected computers. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
+
+    > [!NOTE]
     If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
-    
+
 ## To remove computers from a VAMT database
 
-You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, click **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database.
+You can delete a computer by clicking on it in the product list view, and then clicking **Delete** in the **Selected Item** menu in the right-hand pane. In the **Confirm Delete Selected Products** dialog box that appears, select **Yes** to delete the computer. If a computer has multiple products listed, you must delete each product to completely remove the computer from the VAMT database.
 
-## Related topics
+## Related articles
 
 - [Add and Manage Products](add-manage-products-vamt.md)
- 
- 
diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
index c628b7e30b..0e37c178fc 100644
--- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md
@@ -2,34 +2,40 @@
 title: Add and Remove a Product Key (Windows 10)
 description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Add and Remove a Product Key
+# Add and remove a product key
 
 Before you can use a Multiple Activation Key (MAK), retail, or KMS Host key (CSVLK) product key, you must first add it to the Volume Activation Management Tool (VAMT) database.
 
-## To Add a Product Key
+## To add a product key
 
-1.  Open VAMT.
-2.  In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
-3.  Click **Add product keys** to open the **Add Product Keys** dialog box.
-4.  In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
-    -   To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and click **Add Key(s)**.
-    -   To import a Comma Separated Values (CSV) file containing a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
+1. Open VAMT.
 
-    **Note**  
-    If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
+2. In the left-side pane, right-click the **Product Keys** node to open the **Actions** menu.
 
-## Remove a Product Key
+3. Select **Add product keys** to open the **Add Product Keys** dialog box.
 
--   To remove a product key from the list, simply select the key in the list and click **Delete** on the **Selected Items** menu in the right-side pane. Click **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database will not affect the activation state of any products or computers on the network.
+4. In the **Add Product Keys** dialog box, select from one of the following methods to add product keys:
 
-## Related topics
+    - To add product keys manually, select **Enter product key(s) separated by line breaks**, enter one or more product keys separated by line breaks, and select **Add Key(s)**.
+
+    - To import a Comma Separated Values (CSV) file containing a list of product keys, select **Select a product key file to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**.
+
+    > [!NOTE]
+    > If you are activating a large number of products with a MAK, you should refresh the activation count of the MAK, to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
+
+## Remove a product key
+
+- To remove a product key from the list, select the key in the list and select **Delete** on the **Selected Items** menu in the right-side pane. Select **Yes** to confirm deletion of the product key. Removing a product key from the VAMT database won't affect the activation state of any products or computers on the network.
+
+## Related articles
 
 - [Manage Product Keys](manage-product-keys-vamt.md)
diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
index e47aaec9e7..bb61a1db81 100644
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
+++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
@@ -2,56 +2,71 @@
 title: Appendix Information sent to Microsoft during activation (Windows 10)
 description: Learn about the information sent to Microsoft during activation.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
-ms.prod: w10
-ms.technology: windows
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/07/2022
 ms.topic: article
 ---
 
 # Appendix: Information sent to Microsoft during activation
-**Applies to**
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012 R2
--   Windows Server 2012
--   Windows Server 2008 R2
+
+*Applies to:*
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
 
 **Looking for retail activation?**
 
--   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
 When you activate a computer running Windows 10, the following information is sent to Microsoft:
 
--   The Microsoft product code (a five-digit code that identifies the Windows product you're activating)
--   A channel ID or site code that identifies how the Windows product was originally obtained
+- The Microsoft product code (a five-digit code that identifies the Windows product you're activating)
+- A channel ID or site code that identifies how the Windows product was originally obtained
 
     For example, a channel ID or site code identifies whether the product was originally purchased from a retail store, obtained as an evaluation copy, obtained through a volume licensing program, or preinstalled by a computer manufacturer.
-    
--   The date of installation and whether the installation was successful
--   Information that helps confirm that your Windows product key hasn't been altered
--   Computer make and model
--   Version information for the operating system and software
--   Region and language settings
--   A unique number called a *globally unique identifier*, which is assigned to your computer
--   Product key (hashed) and product ID
--   BIOS name, revision number, and revision date
--   Volume serial number (hashed) of the hard disk drive
--   The result of the activation check
+
+- The date of installation and whether the installation was successful
+- Information that helps confirm that your Windows product key hasn't been altered
+
+- Computer make and model
+
+- Version information for the operating system and software
+
+- Region and language settings
+
+- A unique number called a *globally unique identifier*, which is assigned to your computer
+
+- Product key (hashed) and product ID
+
+- BIOS name, revision number, and revision date
+
+- Volume serial number (hashed) of the hard disk drive
+
+- The result of the activation check
 
     This result includes error codes and the following information about any activation exploits and related malicious or unauthorized software that was found or disabled:
-    
-    -   The activation exploit's identifier
-    -   The activation exploit's current state, such as cleaned or quarantined
-    -   Computer manufacturer's identification
-    -   The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
--   The name and a hash of the contents of your computer's startup instructions file
--   If your Windows license is on a subscription basis, information about how your subscription works
+
+  - The activation exploit's identifier
+
+  - The activation exploit's current state, such as cleaned or quarantined
+
+  - Computer manufacturer's identification
+
+  - The activation exploit's file name and hash in addition to a hash of related software components that may indicate the presence of an activation exploit
+
+- The name and a hash of the contents of your computer's startup instructions file
+
+- If your Windows license is on a subscription basis, information about how your subscription works
 
 Standard computer information is also sent, but your computer's IP address is only kept temporarily.
 
@@ -60,6 +75,6 @@ Standard computer information is also sent, but your computer's IP address is on
 Microsoft uses the information to confirm that you have a licensed copy of the software. Microsoft doesn't use the information to contact individual consumers.
 For more information, see [Windows 10 Privacy Statement](https://go.microsoft.com/fwlink/p/?LinkId=619879).
 
-## See also
+## Related articles
 
--   [Volume Activation for Windows 10](volume-activation-windows-10.md)
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 6893932b20..382a9b53d3 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -2,20 +2,22 @@
 title: Configure Client Computers (Windows 10)
 description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly.
 ms.reviewer: 
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
-ms.prod: w10
-ms.date: 04/30/2020
+manager: aaroncz
+author: frankroj
+ms.author: frankroj
+ms.prod: windows-client
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Configure Client Computers
+# Configure client computers
 
 To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers:
 
 - An exception must be set in the client computer's firewall.
-- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.
+
+- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) won't allow remote administrative operations.
 
 Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
 
@@ -27,11 +29,16 @@ Organizations where the VAMT will be widely used may benefit from making these c
 Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
 
 1. Open Control Panel and double-click **System and Security**.
-2. Click **Windows Firewall**.
-3. Click **Allow a program or feature through Windows Firewall**.
-4. Click the **Change settings** option.
+
+2. Select **Windows Firewall**.
+
+3. Select **Allow a program or feature through Windows Firewall**.
+
+4. Select the **Change settings** option.
+
 5. Select the **Windows Management Instrumentation (WMI)** checkbox.
-6. Click **OK**.
+
+6. Select **OK**.
 
 > [!WARNING]
 > By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
@@ -43,11 +50,15 @@ Enable the VAMT to access client computers across multiple subnets using the **W
 ![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
 
 1. Open the Control Panel and double-click **Administrative Tools**.
-2. Click **Windows Firewall with Advanced Security**.
+
+2. Select **Windows Firewall with Advanced Security**.
+
 3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
 
    - Windows Management Instrumentation (ASync-In)
+
    - Windows Management Instrumentation (DCOM-In)
+
    - Windows Management Instrumentation (WMI-In)
 
 4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel.
@@ -55,10 +66,12 @@ Enable the VAMT to access client computers across multiple subnets using the **W
 5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box.
   
    - On the **General** tab, select the **Allow the connection** checkbox.
+
    - On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
+
    - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
 
-   In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
+   In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically allocated ports. Limiting the range of dynamically allocated ports is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
 
    For more info, see [How to configure RPC dynamic port allocation to work with firewalls](/troubleshoot/windows-server/networking/default-dynamic-port-range-tcpip-chang).
 
@@ -70,6 +83,7 @@ Enable the VAMT to access client computers across multiple subnets using the **W
 On the client computer, create the following registry key using regedit.exe.
 
 1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
+
 2. Enter the following details:
 
    - **Value Name: LocalAccountTokenFilterPolicy**
@@ -84,12 +98,15 @@ On the client computer, create the following registry key using regedit.exe.
 There are several options for organizations to configure the WMI firewall exception for computers:
 
 - **Image.** Add the configurations to the master Windows image deployed to all clients.
-- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
-- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
+
+- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security** > **Inbound Rules**.
+
+- **Script.** Execute a script using Microsoft Configuration Manager or a third-party remote script execution facility.
+
 - **Manual.** Configure the WMI firewall exception individually on each client.
 
 The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
 
-## Related topics
+## Related articles
 
 - [Install and Configure VAMT](install-configure-vamt.md)
diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md
index 1e89cb087d..7a5aaa426b 100644
--- a/windows/deployment/volume-activation/import-export-vamt-data.md
+++ b/windows/deployment/volume-activation/import-export-vamt-data.md
@@ -2,12 +2,12 @@
 title: Import and export VAMT data
 description: Learn how to use the VAMT to import product-activation data from a file into SQL Server.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-ms.technology: windows
-author: aczechowski
-ms.date: 05/02/2022
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: how-to
 ---
 
@@ -16,10 +16,12 @@ ms.topic: how-to
 You can use the Volume Activation Management Tool (VAMT) to import product-activation data from a computer information list (`.cilx` or `.cil`) file into SQL Server. Also use VAMT to export product-activation data into a `.cilx` file. A `.cilx` file is an XML file that stores computer and product-activation data.
 
 You can import data or export data during the following scenarios:
+
 - Import and merge data from previous versions of VAMT.
+
 - Export data to perform proxy activations.
 
-> [!Warning]
+> [!WARNING]
 > Editing a `.cilx` file through an application other than VAMT can corrupt the `.cilx` file. This method isn't supported.
 
 ## Import VAMT data
@@ -27,8 +29,11 @@ You can import data or export data during the following scenarios:
 To import data into VAMT, use the following process:
 
 1. Open VAMT.
+
 2. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box.
+
 3. In the **Import List** dialog box, navigate to the `.cilx` file location, choose the file, and select **Open**.
+
 4. In the **Volume Activation Management Tool** dialog box, select **OK** to begin the import. VAMT displays a progress message while the file is being imported. Select **OK** when a message appears and confirms that the import has completed successfully.
 
 ## Export VAMT data
@@ -36,14 +41,23 @@ To import data into VAMT, use the following process:
 Exporting VAMT data from a VAMT host computer that's not internet-connected is the first step of proxy activation using multiple VAMT hosts. To export product-activation data to a `.cilx` file:
 
 1. In the left-side pane, select a product you want to export data for, or select **Products** if the list contains data for all products.
+
 2. If you want to export only part of the data in a product list, in the product-list view in the center pane, select the products you want to export.
+
 3. In the right-side **Actions** pane on, select **Export list** to open the **Export List** dialog box.
+
 4. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file.
+
 5. Under **Export options**, select one of the following data-type options:
+
     - Export products and product keys
+
     - Export products only
+
     - Export proxy activation data only. Selecting this option makes sure that the export contains only the licensing information required for the proxy web service to obtain CIDs from Microsoft. No personally identifiable information (PII) is contained in the exported `.cilx` file when this selection is checked.
+
 6. If you've selected products to export, select the **Export selected product rows only** check box.
+
 7. Select **Save**. VAMT displays a progress message while the data is being exported. Select **OK** when a message appears and confirms that the export has completed successfully.
 
 ## Related articles
diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md
index 2a0db88665..b468f34546 100644
--- a/windows/deployment/volume-activation/install-configure-vamt.md
+++ b/windows/deployment/volume-activation/install-configure-vamt.md
@@ -2,29 +2,28 @@
 title: Install and Configure VAMT (Windows 10)
 description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Install and Configure VAMT
+# Install and configure VAMT
 
 This section describes how to install and configure the Volume Activation Management Tool (VAMT).
 
-## In this Section
+## In this section
 
-|Topic |Description |
-|------|------------|
+|Article |Description |
+|-------|------------|
 |[VAMT Requirements](vamt-requirements.md) |Provides system requirements for installing VAMT on a host computer. |
 |[Install VAMT](install-vamt.md) |Describes how to get and install VAMT. |
 |[Configure Client Computers](configure-client-computers-vamt.md) |Describes how to configure client computers on your network to work with VAMT. |
 
-## Related topics
+## Related articles
 
 - [Introduction to VAMT](introduction-vamt.md)
- 
- 
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
index e00654d103..eb28f3ff3a 100644
--- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md
+++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md
@@ -2,38 +2,49 @@
 title: Install a KMS Client Key (Windows 10)
 description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Install a KMS Client Key
 
-You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you are converting a MAK-activated product to KMS activation.
+You can use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. For example, if you're converting a MAK-activated product to KMS activation.
 
-**Note**  
-By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
+> [!NOTE]
+> By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products.
 
-**To install a KMS Client key**
-1.  Open VAMT.
-2.  In the left-side pane click **Products** to open the product list view in the center pane.
-3.  In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5.  Click **Filter**. VAMT displays the filtered list in the center pane.
-6.  Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-7.  The **Install Product Key** dialog box displays the keys that are available to be installed.
-8.  Select the **Automatically select an AD or KMS client key** option and then click **Install Key**.
+## To install a KMS Client key
+
+1. Open VAMT.
+
+2. In the left-side pane, select **Products** to open the product list view in the center pane.
+
+3. In the products list view in the center pane, select the products that need to have GVLKs installed. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+5. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+6. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+
+7. The **Install Product Key** dialog box displays the keys that are available to be installed.
+
+8. Select the **Automatically select an AD or KMS client key** option and then select **Install Key**.
+
+    VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
 
-    VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
-    
     The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
 
-## Related topics
+## Related articles
 
 - [Perform KMS Activation](kms-activation-vamt.md)
diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md
index 1c7b394ef5..350971254b 100644
--- a/windows/deployment/volume-activation/install-product-key-vamt.md
+++ b/windows/deployment/volume-activation/install-product-key-vamt.md
@@ -2,39 +2,49 @@
 title: Install a Product Key (Windows 10)
 description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Install a Product Key
 
 You can use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK).
 
-**To install a Product key**
-1.  Open VAMT.
-2.  In the left-side pane, click the product that you want to install keys onto.
-3.  You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5.  Click **Filter**.
-6.  In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-7.  Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-8.  The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key you want to install, click **Install Key**. Note that only one key can be installed at a time.
-9.  VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+## To install a Product key
+
+1. Open VAMT.
+
+2. In the left-side pane, select the product that you want to install keys onto.
+
+3. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+5. Select **Filter**.
+
+6. In the products list view in the center pane, sort the list if needed and then select the products that need to have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+
+7. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+
+8. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAK based on the selected products. You can select a recommended product key or a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you've selected the product key you want to install, select **Install Key**. Only one key can be installed at a time.
+
+9. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
 
     The same status is shown under the **Status of Last Action** column in the product list view in the center pane.
 
-    **Note**  
-    Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right 
-    Volume License Key for Windows](/previous-versions/tn-archive/ee939271(v=technet.10)).
+    > [!NOTE]
+    > Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct MAK or KMS Host key (CSVLK), see [How to Choose the Right Volume License Key for Windows](/previous-versions/tn-archive/ee939271(v=technet.10)).
 
-## Related topics
+## Related articles
 
 - [Manage Product Keys](manage-product-keys-vamt.md)
- 
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 18f56fb621..8cb4d09f92 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -1,35 +1,38 @@
 ---
 title: Install VAMT (Windows 10)
 description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 03/11/2019
+ms.date: 11/07/2022
 ms.topic: article
-ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # Install VAMT
 
-This topic describes how to install the Volume Activation Management Tool (VAMT).
+This article describes how to install the Volume Activation Management Tool (VAMT).
 
-## Install VAMT
+## Installing VAMT
 
-You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
+You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
 
 >[!IMPORTANT]
->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator. 
+>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products' license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
 
 >[!NOTE]
->The VAMT Microsoft Management Console snap-in ships as an x86 package. 
+>The VAMT Microsoft Management Console snap-in ships as an x86 package.
 
 ### Requirements
 
 - [Windows Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
+
 - Latest version of the [Windows 10 ADK](/windows-hardware/get-started/adk-install)
+
 - Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
+
 - Alternatively, any supported **full** SQL instance
 
 ### Install SQL Server Express / alternatively use any full SQL instance
@@ -42,7 +45,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 4. Enter an install location or use the default path, and then select **Install**.
 
-5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. 
+5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
 
     ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png)
 
@@ -50,7 +53,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 1. Download the latest version of [Windows 10 ADK](/windows-hardware/get-started/adk-install).
 
-   If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
+   If an older version is already installed, it's recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
 
 2. Enter an install location or use the default path, and then select **Next**.
 
@@ -58,7 +61,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 4. Accept the license terms.
 
-5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
+5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. If desired, you can select additional features to install as well.
 
 6. On the completion page, select **Close**.
 
@@ -72,15 +75,10 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
    For remote SQL Server, use `servername.yourdomain.com`.
 
-
-
 ## Uninstall VAMT
 
 To uninstall VAMT using the **Programs and Features** Control Panel:
 
-1.  Open **Control Panel** and select **Programs and Features**.
+1. Open **Control Panel** and select **Programs and Features**.
 
-2.  Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
-
-
- 
+2. Select **Assessment and Deployment Kit** from the list of installed programs and select **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index e8e03b1772..292a9965b1 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -2,12 +2,12 @@
 title: Introduction to VAMT (Windows 10)
 description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 ms.prod: windows-client
-ms.technology: itpro-deploy
-author: aczechowski
-ms.date: 09/16/2022
+ms.technology: itpro-fundamentals
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: overview
 ---
 
@@ -18,7 +18,7 @@ The Volume Activation Management Tool (VAMT) enables network administrators and
 > [!NOTE]
 > VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated.
 
-## <a href="" id="bkmk-managingmak"></a>Managing MAK and retail activation
+## Managing MAK and retail activation
 
 You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios:
 
@@ -26,23 +26,25 @@ You can use a MAK or a retail product key to activate Windows, Windows Server, o
 
 - **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host.
 
-## <a href="" id="bkmk-managingkms"></a>Managing KMS activation
+## Managing KMS activation
 
 In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office.
 
 VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types.
 
-## <a href="" id="bkmk-enterpriseenvironment"></a>Enterprise environment
+## Enterprise environment
 
 VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab.
 
 ![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg)
 
 - In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS).
+
 - The secure zone represents higher-security core network computers that have extra firewall protection.
+
 - The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab.
 
-## <a href="" id="bkmk-userinterface"></a>VAMT user interface
+## VAMT user interface
 
 The following screenshot shows the VAMT graphical user interface:
 
@@ -58,7 +60,7 @@ VAMT provides a single, graphical user interface for managing activations, and f
 
 - **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs.
 
-- **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
+- **Managing activation data**: VAMT stores activation data in an SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format.
 
 ## Next steps
 
diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md
index e3ae850a19..6cb46bb913 100644
--- a/windows/deployment/volume-activation/kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/kms-activation-vamt.md
@@ -1,45 +1,63 @@
 ---
 title: Perform KMS Activation (Windows 10)
-description: The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). 
+description: The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Perform KMS Activation
+# Perform KMS activation
 
-The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products.
+The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). You can use VAMT to activate Generic Volume Licensing Keys, or KMS client keys, on products accessible to VAMT. GVLKs are the default product keys used by the volume-license editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft Office 2010. GVLKs are already installed in volume-license editions of these products.
 
 ## Requirements
 
 Before configuring KMS activation, ensure that your network and VAMT installation meet the following requirements:
--   KMS host is set up and enabled.
--   KMS clients can access the KMS host.
--   VAMT is installed on a central computer with network access to all client computers.
--   The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
--   VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+- KMS host is set up and enabled.
+
+- KMS clients can access the KMS host.
+
+- VAMT is installed on a central computer with network access to all client computers.
+
+- The products to be activated have been added to VAMT. For more information on adding product keys, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
+
+- VAMT has administrative permissions on all computers to be activated, and Windows Management Instrumentation (WMI) is accessible through the Windows Firewall. For more information, see [Configure client computers](configure-client-computers-vamt.md).
 
 ## To configure devices for KMS activation
 
-**To configure devices for KMS activation**
-1.  Open VAMT.
-2.  If necessary, set up the KMS activation preferences. If you don’t need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2.
-3.  To set up the preferences, on the menu bar click **View**, then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
-4.  Under **Key Management Services host selection**, select one of the following options:
-    -   **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation.
-    -   **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation.
-    -   **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments which do not use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host.
-5.  Click **Apply**, and then click **OK** to close the **Volume Activation Management Tool Preferences** dialog box.
-6.  Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-7.  Click **Filter**. VAMT displays the filtered list in the center pane.
-8.  In the right-side pane, click **Activate** in the **Selected Items** menu, and then click **Volume activate**.
-9.  Click a credential option. Choose **Alternate credentials** only if you are activating products that require administrator credentials different from the ones you are currently using.
-10. If you are supplying alternate credentials, at the prompt, type the appropriate user name and password and click **OK**.
+1. Open VAMT.
+
+2. If necessary, set up the KMS activation preferences. If you don't need to set up the preferences, skip to step 6 in this procedure. Otherwise, continue to step 2.
+
+3. To set up the preferences, on the menu bar select **View**, then select **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
+
+4. Under **Key Management Services host selection**, select one of the following options:
+
+    - **Find a KMS host automatically using DNS (default)**. If you choose this option, VAMT first clears any previously configured KMS host on the target computer, and instructs the computer to query the Domain Name Service (DNS) to locate a KMS host and attempt activation.
+
+    - **Find a KMS host using DNS in this domain for supported products**. Enter the domain name. If you choose this option, VAMT first clears any previously configured KMS host on the target computer, and instructs the computer to query the DNS in the specified domain to locate a KMS host and attempt activation.
+
+    - **Use specific KMS host**. Enter the KMS host name and KMS host port. For environments that don't use DNS for KMS host identification, VAMT sets the specified KMS host name and KMS host port on the target computer, and then instructs the computer to attempt activation with the specific KMS host.
+
+5. Select **Apply**, and then select **OK** to close the **Volume Activation Management Tool Preferences** dialog box.
+
+6. Select the products to be activated by selecting individual products in the product list view in the center pane. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+7. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+8. In the right-side pane, select **Activate** in the **Selected Items** menu, and then select **Volume activate**.
+
+9. Select a credential option. Choose **Alternate credentials** only if you're activating products that require administrator credentials different from the ones you're currently using.
+
+10. If you're supplying alternate credentials, at the prompt, type the appropriate user name and password and select **OK**.
 VAMT displays the **Volume Activation** dialog box until it completes the requested action. When the process is finished, the updated activation status of each product appears in the product list view in the center pane.
- 
diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md
index 10efe983e0..e761c3c2f5 100644
--- a/windows/deployment/volume-activation/local-reactivation-vamt.md
+++ b/windows/deployment/volume-activation/local-reactivation-vamt.md
@@ -2,42 +2,53 @@
 title: Perform Local Reactivation (Windows 10)
 description: An initially activated a computer using scenarios like MAK, retail, or CSLVK (KMS host), can be reactivated with Volume Activation Management Tool (VAMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Perform Local Reactivation
+# Perform local reactivation
 
 If you reinstall Windows® or Microsoft® Office 2010 on a computer that was initially activated using proxy activation (MAK, retail, or CSLVK (KMS host)), and have not made significant changes to the hardware, use this local reactivation procedure to reactivate the program on that computer.
 Local reactivation relies upon data that was created during the initial proxy activation and stored in the Volume Activation Management Tool (VAMT) database. The database contains the installation ID (IID) and confirmation ID (Pending CID). Local reactivation uses this data to reapply the CID and reactivate those products. Reapplying the same CID conserves the remaining activations on the key.
 
-**Note**  
-During the initial proxy activation, the CID is bound to a digital “fingerprint”, which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft.
+> [!NOTE]
+> During the initial proxy activation, the CID is bound to a digital "fingerprint", which is calculated from values assigned to several different hardware components in the computer. If the computer has had significant hardware changes, this fingerprint will no longer match the CID. In this case, you must obtain a new CID for the computer from Microsoft.
 
-## To Perform a Local Reactivation
+## To perform a local reactivation
+
+1. Open VAMT. Make sure that you're connected to the desired database.
+
+2. In the left-side pane, select the product you want to reactivate to display the products list.
+
+3. In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+5. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+6. In the right-side pane, select **Activate**, and then select **Apply Confirmation ID**.
+
+7. Select a credential option. Choose **Alternate credentials** only if you're reactivating products that require administrator credentials different from the ones you're currently using.
+
+8. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name, and password and select **OK**.
 
-**To perform a local reactivation**
-1.  Open VAMT. Make sure that you are connected to the desired database.
-2.  In the left-side pane, click the product you want to reactivate to display the products list.
-3.  In the product list view in the center pane, select the desired products to be reactivated. You can sort the list by computer name by clicking on the **Computer Name** heading. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5.  Click **Filter**. VAMT displays the filtered list in the center pane.
-6.  In the right-side pane, click **Activate**, and then click **Apply Confirmation ID**.
-7.  Click a credential option. Choose **Alternate credentials** only if you are reactivating products that require administrator credentials different from the ones you are currently using.
-8.  If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
-    
     VAMT displays the **Apply Confirmation ID** dialog box.
 
-10. If you are using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID.
-11. If you are activating a product that requires administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** check box.
-12. Click **OK**.
+9. If you're using a different product key than the product key used for initial activation, you must complete a new activation to obtain a new CID.
 
-## Related topics
+10. If you're activating a product that requires administrator credentials different from the ones you're currently using, select the **Use Alternate Credentials** check box.
+
+11. Select **OK**.
+
+## Related article
 
 - [Manage Activations](manage-activations-vamt.md)
diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md
index e70082002b..80263f739c 100644
--- a/windows/deployment/volume-activation/manage-activations-vamt.md
+++ b/windows/deployment/volume-activation/manage-activations-vamt.md
@@ -2,12 +2,13 @@
 title: Manage Activations (Windows 10)
 description: Learn how to manage activations and how to activate a client computer by using various activation methods.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Manage Activations
@@ -16,14 +17,11 @@ This section describes how to activate a client computer, by using various activ
 
 ## In this Section
 
-|Topic |Description |
-|------|------------|
+|Article |Description |
+|-------|------------|
 |[Perform Online Activation](online-activation-vamt.md) |Describes how to activate a client computer over the Internet. |
 |[Perform Proxy Activation](proxy-activation-vamt.md) |Describes how to perform volume activation for client products that don't have Internet access. |
 |[Perform KMS Activation](kms-activation-vamt.md) |Describes how to perform volume activation using the Key Management Service (KMS). |
 |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. |
 |[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to activate an Active Directory forest, online. |
 |[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that isn't connected to the Internet. |
- 
- 
- 
diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md
index c39474fcff..423133a3b4 100644
--- a/windows/deployment/volume-activation/manage-product-keys-vamt.md
+++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md
@@ -2,24 +2,23 @@
 title: Manage Product Keys (Windows 10)
 description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Manage Product Keys
 
-This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product or products you select in the VAMT database.
+This section describes how to add and remove a product key from the Volume Activation Management Tool (VAMT). After you add a product key to VAMT, you can install that product key on a product, or products you select in the VAMT database.
+
 ## In this Section
 
-|Topic |Description |
-|------|------------|
+|Article |Description |
+|-------|------------|
 |[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. |
 |[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. |
 |[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. |
- 
- 
- 
diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md
index 298f4300e6..5d61f42b3b 100644
--- a/windows/deployment/volume-activation/manage-vamt-data.md
+++ b/windows/deployment/volume-activation/manage-vamt-data.md
@@ -2,12 +2,13 @@
 title: Manage VAMT Data (Windows 10)
 description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Manage VAMT Data
@@ -15,7 +16,8 @@ ms.topic: article
 This section describes how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT).
 
 ## In this Section
-|Topic |Description |
-|------|------------|
+
+|Article |Description |
+|-------|------------|
 |[Import and Export VAMT Data](import-export-vamt-data.md) |Describes how to import and export VAMT data. |
 |[Use VAMT in Windows PowerShell](use-vamt-in-windows-powershell.md) |Describes how to access Windows PowerShell and how to import the VAMT PowerShell module. |
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index 7f73814284..d811b9bb87 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -1,18 +1,21 @@
 ---
 title: Monitor activation (Windows 10)
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 description: Understand the most common methods to monitor the success of the activation process for a computer running Windows.
-ms.prod: w10
-author: aczechowski
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-fundamentals
+ms.date: 11/07/2022
 ---
 
 # Monitor activation
 
-**Applies to**
+*Applies to:*
+
 - Windows 10
 - Windows 8.1
 - Windows 8
@@ -21,19 +24,28 @@ ms.topic: article
 - Windows Server 2012
 - Windows Server 2008 R2
 
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+> [!TIP]
+> Are you looking for information on retail activation?
+>
+> - [Activate Windows](https://support.microsoft.com/help/12440/)
+> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
 You can monitor the success of the activation process for a computer running Windows in several ways. The most popular methods include:
-- Using the Volume Licensing Service Center website to track use of MAK keys.
-- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](/previous-versions//ff793433(v=technet.10)).)
-- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
-- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
-- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
-- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
-- The VAMT provides a single site from which to manage and monitor volume activations. This is explained in the next section.
 
-## See also
+- Using the Volume Licensing Service Center website to track use of MAK keys.
+
+- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options](/previous-versions//ff793433(v=technet.10)).
+
+- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
+
+- Most licensing actions and events are recorded in the Event log (ex: Application Log events 12288-12290).
+
+- Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
+
+- See [Troubleshooting activation error codes](/windows-server/get-started/activation-error-codes) for information about troubleshooting procedures for Multiple Activation Key (MAK) or the Key Management Service (KMS).
+
+- The VAMT provides a single site from which to manage and monitor volume activations. This feature is explained in the next section.
+
+## Related articles
 
 [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md
index 27b477d92d..4e3c76dae1 100644
--- a/windows/deployment/volume-activation/online-activation-vamt.md
+++ b/windows/deployment/volume-activation/online-activation-vamt.md
@@ -2,50 +2,63 @@
 title: Perform Online Activation (Windows 10)
 description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Perform Online Activation
+# Perform online activation
 
 You can use the Volume Activation Management Tool (VAMT) to enable client products to be activated over the Internet. You can install the client products with any kind of product key that is eligible for online activation—Multiple Activation Key (MAK), retail, and Windows Key Management Services (KMS) host key.
 
 ## Requirements
 
 Before performing online activation, ensure that the network and the VAMT installation meet the following requirements:
--   VAMT is installed on a central computer that has network access to all client computers.
--   Both the VAMT host and client computers have Internet access.
--   The products that you want to activate are added to VAMT.
--   VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
-The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking 
-**Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
+- VAMT is installed on a central computer that has network access to all client computers.
 
-## To Perform an Online Activation
+- Both the VAMT host and client computers have Internet access.
 
-**To perform an online activation**
-1.  Open VAMT.
-2.  In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-3.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-4.  Click **Filter**. VAMT displays the filtered list in the center pane.
-5.  Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-6.  Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane is not displayed, click the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
-7.  Point to **Online activate**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-8.  VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+- The products that you want to activate are added to VAMT.
+
+- VAMT has administrative permissions on all computers that you intend to activate, and that Windows Management Instrumentation (WMI) can be accessed through the Windows firewall. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+
+The product keys that are installed on the client products must have a sufficient number of remaining activations. If you're activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This action retrieves the number of remaining activations for the MAK from Microsoft. This step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
+
+## To perform an online activation
+
+1. Open VAMT.
+
+2. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+4. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+5. Select the products that you want to activate. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+
+6. Select **Activate** in the **Selected Items** menu in the right-side **Actions** pane and then point to **Activate**. If the **Actions** pane isn't displayed, select the Show/Hide Action Pane button, which is located on the toolbar to the right of the Help button.
+
+7. Point to **Online activate**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
+
+8. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
 
     The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
 
-    **Note**  
-    Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
-    
-    **Note**  
-    You can use online activation to select products that have different key types and activate the products at the same time.
+    > [!NOTE]
+    > Online activation does not enable you to save the Confirmation IDs (CIDs). As a result, you cannot perform local reactivation.
 
-## Related topics
-- [Manage Activations](manage-activations-vamt.md)
+    > [!NOTE]  
+    > You can use online activation to select products that have different key types and activate the products at the same time.
+
+## Related articles
+
+- [Manage activations](manage-activations-vamt.md)
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 899939d263..43a1c717d5 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -2,17 +2,20 @@
 title: Plan for volume activation (Windows 10)
 description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-fundamentals
+ms.date: 11/07/2022
 ---
 
 # Plan for volume activation
 
-**Applies to**
+*Applies to:*
+
 - Windows 10
 - Windows 8.1
 - Windows 8
@@ -21,16 +24,18 @@ ms.topic: article
 - Windows Server 2012
 - Windows Server 2008 R2
 
-**Looking for retail activation?**
+> [!TIP]
+> Are you looking for information on retail activation?
+>
+> - [Activate Windows](https://support.microsoft.com/help/12440/)
+> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
-- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and hasn't been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
 
-*Product activation* is the process of validating software with the manufacturer after it has been installed on a specific computer. Activation confirms that the product is genuine—not a fraudulent copy—and that the product key or serial number is valid and has not been compromised or revoked. Activation also establishes a link or relationship between the product key and the particular installation.
-
-During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they cannot be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft does not use this information to identify or contact the user or the organization.
+During the activation process, information about the specific installation is examined. For online activations, this information is sent to a server at Microsoft. This information may include the software version, the product key, the IP address of the computer, and information about the device. The activation methods that Microsoft uses are designed to help protect user privacy, and they can't be used to track back to the computer or user. The gathered data confirms that the software is a legally licensed copy, and this data is used for statistical analysis. Microsoft doesn't use this information to identify or contact the user or the organization.
 
 >[!NOTE]
->The IP address is used only to verify the location of the request, because some editions of Windows (such as “Starter” editions) can only be activated within certain geographical target markets.
+>The IP address is used only to verify the location of the request, because some editions of Windows (such as "Starter" editions) can only be activated within certain geographical target markets.
 
 ## Distribution channels and activation
 
@@ -38,69 +43,78 @@ In general, Microsoft software is obtained through three main channels: retail,
 
 ### Retail activations
 
-The retail activation method has not changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
+The retail activation method hasn't changed in several versions of Windows and Windows Server. Each purchased copy comes with one unique product key (often referred to as a retail key). The user enters this key during product installation. The computer uses this retail key to complete the activation after the installation is complete. Most activations are performed online, but telephone activation is also available.
 Recently, retail keys have been expanded into new distribution scenarios. Product key cards are available to activate products that have been preinstalled or downloaded. Programs such as Windows Anytime Upgrade and Get Genuine allow users to acquire legal keys separately from the software. These electronically distributed keys may come with media that contains software, they can come as a software shipment, or they may be provided on a printed card or electronic copy. Products are activated the same way with any of these retail keys.
 
 ### Original equipment manufacturer
 
-Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware (BIOS) of the computer. This occurs before the computer is sent to the customer, and no additional actions are required.
+Most original equipment manufacturers (OEMs) sell systems that include a standard build of the Windows operating system. The hardware vendor activates Windows by associating the operating system with the firmware/BIOS of the computer. This activation occurs before the computer is sent to the customer, and no additional actions are required.
+
 OEM activation is valid as long as the customer uses the OEM-provided image on the system. OEM activation is available only for computers that are purchased through OEM channels and have the Windows operating system preinstalled.
 
 ### Volume licensing
 
-Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft.There is a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
--   Have the license preinstalled through the OEM.
--   Purchase a fully packaged retail product.
+Volume licensing offers customized programs that are tailored to the size and purchasing preference of the organization. To become a volume licensing customer, the organization must set up a volume licensing agreement with Microsoft. There's a common misunderstanding about acquiring licenses for a new computer through volume licensing. There are two legal ways to acquire a full Windows client license for a new computer:
 
-The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
+- Have the license preinstalled through the OEM
+
+- Purchase a fully packaged retail product
+
+The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
 Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
 
-**Note**  
-Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
+> [!NOTE]
+> Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.
 
 ## Activation models
 
 For a user or IT department, there are no significant choices about how to activate products that are acquired through retail or OEM channels. The OEM performs the activation at the factory, and the user or the IT department need take no activation steps.
 
 With a retail product, the Volume Activation Management Tool (VAMT), which is discussed later in this guide, helps you track and manage keys. For each retail activation, you can choose:
--   Online activation
--   Telephone activation
--   VAMT proxy activation
 
-Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
--   MAKs
--   KMS
--   Active Directory-based activation
+- Online activation
 
-**Note**  
-Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
+- Telephone activation
+
+- VAMT proxy activation
+
+Telephone activation is primarily used in situations where a computer is isolated from all networks. VAMT proxy activation (with retail keys) is sometimes used when an IT department wants to centralize retail activations or when a computer with a retail version of the operating system is isolated from the Internet but connected to the LAN. For volume-licensed products, however, you must determine the best method or combination of methods to use in your environment. For Windows 10 Pro and Enterprise, you can choose from three models:
+
+- MAKs
+
+- KMS
+
+- Active Directory-based activation
+
+> [!NOTE]
+> Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
 Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
 
 ### Multiple activation key
 
-A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
-allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS.
+A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they don't meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
+allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that doesn't have enough computers to use the KMS.
 
 To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
-In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can assist in tracking the number of activations that have been performed with each key and how many remain.
+In the simplest terms, a MAK acts like a retail key, except that a MAK is valid for activating multiple computers. Each MAK can be used a specific number of times. The VAMT can help with tracking the number of activations that have been performed with each key and how many remain.
 
 Organizations can download MAK and KMS keys from the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkId=618213) website. Each MAK has a preset number of activations, which are based on a percentage of the count of licenses the organization purchases; however, you can increase the number of activations that are available with your MAK by calling Microsoft.
 
 ### Key Management Service
 
-With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that does not require a dedicated system and can easily be cohosted on a system that provides other services.
+With the Key Management Service (KMS), IT pros can complete activations on their local network, eliminating the need for individual computers to connect to Microsoft for product activation. The KMS is a lightweight service that doesn't require a dedicated system and can easily be cohosted on a system that provides other services.
 
-Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
+Volume editions of Windows 10 and Windows Server 2012 R2 (in addition to volume editions of operating system editions since Windows Vista and Windows Server 2008) automatically connect to a system that hosts the KMS to request activation. No action is required from the user.
 
-The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
+The KMS requires a minimum number of computers (physical computers or virtual machines) in a network environment. The organization must have at least five computers to activate Windows Server 2012 R2 and at least 25 computers to activate client computers that are running Windows 10. These minimums are referred to as *activation thresholds*.
 
-Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. Only rarely will more than two KMS hosts be used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
+Planning to use the KMS includes selecting the best location for the KMS host and how many KMS hosts to have. One KMS host can handle a large number of activations, but organizations will often deploy two KMS hosts to ensure availability. It will be rare that more than two KMS hosts are used. The KMS can be hosted on a client computer or on a server, and it can be run on older versions of the operating system if proper configuration steps are taken. Setting up your KMS is discussed later in this guide.
 
 ### Active Directory-based activation
 
-Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer does not need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
+Active Directory-based activation is the newest type of volume activation, and it was introduced in Windows 8. In many ways, Active Directory-based activation is similar to activation by using the KMS, but the activated computer doesn't need to maintain periodic connectivity with the KMS host. Instead, a domain-joined computer running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 queries AD DS for a volume activation object that is stored in the domain. The operating system checks the digital signatures that are contained in the activation object, and then activates the device.
 
-Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it is impractical to connect to a KMS, or would not reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company’s domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
+Active Directory-based activation allows enterprises to activate computers through a connection to their domain. Many companies have computers at remote or branch locations, where it's impractical to connect to a KMS, or wouldn't reach the KMS activation threshold. Rather than use MAKs, Active Directory-based activation provides a way to activate computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 as long as the computers can contact the company's domain. Active Directory-based activation offers the advantage of extending volume activation services everywhere you already have a domain presence.
 
 ## Network and connectivity
 
@@ -108,11 +122,11 @@ A modern business network has many nuances and interconnections. This section ex
 
 ### Core network
 
-Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that is not a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the vast majority of the business network.
+Your core network is that part of your network that enjoys stable, high-speed, reliable connectivity to infrastructure servers. In many cases, the core network is also connected to the Internet, although that isn't a requirement to use the KMS or Active Directory-based activation after the KMS server or AD DS is configured and active. Your core network likely consists of many network segments. In many organizations, the core network makes up the majority of the business network.
 
-In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that are not joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
+In the core network, a centralized KMS solution is recommended. You can also use Active Directory-based activation, but in many organizations, KMS will still be required to activate older client computers and computers that aren't joined to the domain. Some administrators prefer to run both solutions to have the most flexibility, while others prefer to choose only a KMS-based solution for simplicity. Active Directory-based activation as the only solution is workable if all of the clients in your organization are running Windows 10, Windows 8.1, or Windows 8.
 
-A typical core network that includes a KMS host is shown in Figure 1.
+A typical core network that includes a KMS host is shown in Figure 1.
 
 ![Typical core network.](../images/volumeactivationforwindows81-01.jpg)
 
@@ -120,106 +134,124 @@ A typical core network that includes a KMS host is shown in Figure 1.
 
 ### Isolated networks
 
-In a large network, it is all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
+In a large network, it's all but guaranteed that some segments will be isolated, either for security reasons or because of geography or connectivity issues.
 
-**Isolated for security**
+#### Isolated for security
 
 Sometimes called a *high-security zone*, a particular network segment may be isolated from the core network by a firewall or disconnected from other networks totally. The best solution for activating computers in an isolated network depends on the security policies in place in the organization.
 
-If the isolated network can access the core network by using outbound requests on TCP port 1688, and it is allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
+If the isolated network can access the core network by using outbound requests on TCP port 1688, and it's allowed to receive remote procedure calls (RPCs), you can perform activation by using the KMS in the core network, thereby avoiding the need to reach additional activation thresholds.
 
-If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
+If the isolated network participates fully in the corporate forest, and it can make typical connections to domain controllers, such as using Lightweight Directory Access Protocol (LDAP) for queries and Domain Name Service (DNS) for name resolution, this is a good opportunity to use Active Directory-based activation for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012 R2.
 
-If the isolated network cannot communicate with the core network’s KMS server, and it cannot use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
+If the isolated network can't communicate with the core network's KMS server, and it can't use Active Directory-based activation, you can set up a KMS host in the isolated network. This configuration is shown in Figure 2. However, if the isolated network contains only a few computers, it will not reach the KMS activation threshold. In that case, you can activate by using MAKs.
 
-If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
+If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they're placed in the isolated network.
 
 ![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg)
 
-**Figure 2**. New KMS host in an isolated network
+**Figure 2**. New KMS host in an isolated network
 
-**Branch offices and distant networks**
-From mining operations to ships at sea, organizations often have a few computers that are not easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
--   **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
--   **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
--   **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
--   **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
+#### Branch offices and distant networks
+
+From mining operations to ships at sea, organizations often have a few computers that aren't easily connected to the core network or the Internet. Some organizations have network segments at branch offices that are large and well-connected internally, but have a slow or unreliable WAN link to the rest of the organization. In these situations, you have several options:
+
+- **Active Directory-based activation**. In any site where the client computers are running Windows 10, Active Directory-based activation is supported, and it can be activated by joining the domain.
+
+- **Local KMS**. If a site has 25 or more client computers, it can activate against a local KMS server.
+
+- **Remote (core) KMS**. If the remote site has connectivity to an existing KMS (perhaps through a virtual private network (VPN) to the core network), that KMS can be used. Using the existing KMS means that you only need to meet the activation threshold on that server.
+
+- **MAK activation**. If the site has only a few computers and no connectivity to an existing KMS host, MAK activation is the best option.
 
 ### Disconnected computers
 
-Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this an “isolated network,” where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
-If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it does not support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
+Some users may be in remote locations or may travel to many locations. This scenario is common for roaming clients, such as the computers that are used by salespeople or other users who are offsite but not at branch locations. This scenario can also apply to remote branch office locations that have no connection to the core network. You can consider this branch office an "isolated network," where the number of computers is one. Disconnected computers can use Active Directory-based activation, the KMS, or MAK depending on the client version and how often the computers connect to the core network.
+
+If the computer is joined to the domain and running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2 8, you can use Active Directory-based activation—directly or through a VPN—at least once every 180 days. If the computer connects to a network with a KMS host at least every 180 days, but it doesn't support Active Directory-based activation, you can use KMS activation. Otherwise for computers that rarely or never connect to the network, use MAK independent activation (by using the telephone or the Internet).
 
 ### Test and development labs
 
-Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they cannot activate immediately.
-If you have ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they will be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network and use the methods described earlier in this guide.
-In labs that have a high turnover of computers and a small number of KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
+Lab environments often have large numbers of virtual machines, and physical computers and virtual machines in labs are reconfigured frequently. Therefore, first determine whether the computers in test and development labs require activation. Editions of Windows 10 that include volume licensing will operate normally, even if they can't activate immediately.
+
+If you've ensured that your test or development copies of the operating system are within the license agreement, you may not need to activate the lab computers if they'll be rebuilt frequently. If you require that the lab computers be activated, treat the lab as an isolated network, and use the methods described earlier in this guide.
+In labs that have a high turnover of computers and a few KMS clients, you must monitor the KMS activation count. You might need to adjust the time that the KMS caches the activation requests. The default is 30 days.
 
 ## Mapping your network to activation methods
 
-Now it’s time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you have collected the information you need to determine which activation methods will work best for you. You can fill-in information in Table 1 to help you make this determination.
+Now it's time to assemble the pieces into a working solution. By evaluating your network connectivity, the numbers of computers you have at each site, and the operating system versions in use in your environment, you've collected the information you need to determine which activation methods will work best for you. You can fill in information in Table 1 to help you make this determination.
 
 **Table 1**. Criteria for activation methods
 
 |Criterion |Activation method |
 |----------|------------------|
-|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
-|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days<p><strong>Note</strong><br>The core network must meet the KMS activation threshold. |KMS (central) |
-|Number of computers that do not connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK |
+|Number of domain-joined computers that support Active Directory-based activation (computers running Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2, or Windows Server 2012 R2) and will connect to a domain controller at least every 180 days. Computers can be mobile, semi-isolated, or located in a branch office or the core network. |Active Directory-based activation |
+|Number of computers in the core network that will connect (directly or through a VPN) at least every 180 days<div class="alert">**Note**<br>The core network must meet the KMS activation threshold.</div> |KMS (central) |
+|Number of computers that don't connect to the network at least once every 180 days (or if no network meets the activation threshold) | MAK |
 |Number of computers in semi-isolated networks that have connectivity to the KMS in the core network |KMS (central) |
 |Number of computers in isolated networks where the KMS activation threshold is met |KMS (local) |
-|Number of computers in isolated networks where the KMS activation threshold is not met |MAK |
-|Number of computers in test and development labs that will not be activated |None|
-|Number of computers that do not have a retail volume license |Retail (online or phone) |
-|Number of computers that do not have an OEM volume license |OEM (at factory) |
-|Total number of computer activations<p><strong>Note</strong><br>This total should match the total number of licensed computers in your organization. |
+|Number of computers in isolated networks where the KMS activation threshold isn't met |MAK |
+|Number of computers in test and development labs that won't be activated |None|
+|Number of computers that don't have a retail volume license |Retail (online or phone) |
+|Number of computers that don't have an OEM volume license |OEM (at factory) |
+|Total number of computer activations<div class="alert">**Note**<br>This total should match the total number of licensed computers in your organization.</div> |
 
 ## Choosing and acquiring keys
 
 When you know which keys you need, you must obtain them. Generally speaking, volume licensing keys are collected in two ways:
--   Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
--   Contact your [Microsoft Activation Center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
+
+- Go to the **Product Keys** section of the [Volume Licensing Service Center](https://go.microsoft.com/fwlink/p/?LinkID=618213) for the following agreements: Open, Open Value, Select, Enterprise, and Services Provider License.
+
+- Contact your [Microsoft activation center](https://go.microsoft.com/fwlink/p/?LinkId=618264).
 
 ### KMS host keys
 
-A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is usually referred to as the *KMS host key*, but it is formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
+A KMS host needs a key that activates, or authenticates, the KMS host with Microsoft. This key is referred to as the *KMS host key*, but it's formally known as a *Microsoft Customer Specific Volume License Key* (CSVLK). Most documentation and Internet references earlier than Windows 8.1 use the term KMS key, but CSVLK is becoming more common in current documentation and management tools.
 
-A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You will need a KMS host key for any KMS that you want to set up and if you are going to use Active Directory-based activation.
+A KMS host running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate both Windows Server and Windows client operating systems. A KMS host key is also needed to create the activation objects in AD DS, as described later in this guide. You'll need a KMS host key for any KMS that you want to set up and if you're going to use Active Directory-based activation.
 
 ### Generic volume licensing keys
 
-When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you are creating. GVLKs are also referred to as KMS client setup keys.
+When you create installation media or images for client computers that will be activated by KMS or Active Directory-based activation, install a generic volume license key (GVLK) for the edition of Windows you're creating. GVLKs are also referred to as KMS client setup keys.
 
-Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK will not activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential.
+Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. The GLVK won't activate the software against Microsoft activation servers, but rather against a KMS or Active Directory-based activation object. In other words, the GVLK doesn't work unless a valid KMS host key can be found. GVLKs are the only product keys that don't need to be kept confidential.
 
-Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)).
+Typically, you won't need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it's being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS client setup keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)).
 
 ### Multiple activation keys
 
-You will also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
+You'll also need MAK keys with the appropriate number of activations available. You can see how many times a MAK has been used on the Volume Licensing Service Center website or in the VAMT.
 
 ## Selecting a KMS host
 
-The KMS does not require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
-KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
+The KMS doesn't require a dedicated server. It can be cohosted with other services, such as AD DS domain controllers and read-only domain controllers.
+
+KMS hosts can run on physical computers or virtual machines that are running any supported Windows operating system. A KMS host that is running Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 can activate any Windows client or server operating system that supports volume activation. A KMS host that is running Windows 10 can activate only computers running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
+
 A single KMS host can support unlimited numbers of KMS clients, but Microsoft recommends deploying a minimum of two KMS hosts for failover purposes. However, as more clients are activated through Active Directory-based activation, the KMS and the redundancy of the KMS will become less important. Most organizations can use as few as two KMS hosts for their entire infrastructure.
 
-The flow of KMS activation is shown in Figure 3, and it follows this sequence:
+The flow of KMS activation is shown in Figure 3, and it follows this sequence:
 
-1.  An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
-2.  Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
-3.  The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment does not support DNS dynamic update protocol.)
-4.  A client configured with a GVLK uses DNS to locate the KMS host.
-5.  The client sends one packet to the KMS host.
-6.  The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs are not stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
-7.  If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
-8.  If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
+1. An administrator uses the VAMT console to configure a KMS host and install a KMS host key.
+
+2. Microsoft validates the KMS host key, and the KMS host starts to listen for requests.
+
+3. The KMS host updates resource records in DNS to allow clients to locate the KMS host. (Manually adding DNS records is required if your environment doesn't support DNS dynamic update protocol.)
+
+4. A client configured with a GVLK uses DNS to locate the KMS host.
+
+5. The client sends one packet to the KMS host.
+
+6. The KMS host records information about the requesting client (by using a client ID). Client IDs are used to maintain the count of clients and detect when the same computer is requesting activation again. The client ID is only used to determine whether the activation thresholds are met. The IDs aren't stored permanently or transmitted to Microsoft. If the KMS is restarted, the client ID collection starts again.
+
+7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
+
+8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold hasn't yet been met, the client will try again.
 
 ![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg)
 
 **Figure 3**. KMS activation flow
 
-## See also
--   [Volume Activation for Windows 10](volume-activation-windows-10.md)
- 
+## Related articles
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md
index fd612a7f9b..65f7e79d8d 100644
--- a/windows/deployment/volume-activation/proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/proxy-activation-vamt.md
@@ -1,54 +1,68 @@
 ---
 title: Perform Proxy Activation (Windows 10)
-description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that do not have Internet access.
+description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that don't have Internet access.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Perform Proxy Activation
 
-You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that do not have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key.
+You can use the Volume Activation Management Tool (VAMT) to perform activation for client computers that don't have Internet access. The client products can be installed with any type of product key that is eligible for proxy activation: Multiple activation Key (MAK), KMS Host key (CSVLK), or retail key.
 
 In a typical proxy-activation scenario, the VAMT host computer distributes a MAK to one or more client computers and collects the installation ID (IID) from each computer. The VAMT host computer sends the IIDs to Microsoft on behalf of the client computers and obtains the corresponding Confirmation IDs (CIDs). The VAMT host computer then installs the CIDs on the client computer to complete the activation. Using this activation method, only the VAMT host computer needs Internet access.
 
-**Note**  
-For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet. 
+> [!NOTE]
+> For workgroups that are completely isolated from any larger network, you can still perform MAK, KMS Host key (CSVLK), or retail proxy activation. This requires installing a second instance of VAMT on a computer within the isolated group and using removable media to transfer activation data between that computer and another VAMT host computer that has Internet access. For more information about this scenario, see [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md). Similarly, you can proxy activate a KMS Host key (CSVLK) located in an isolated network. You can also proxy activate a KMS Host key (CSVLK) in the core network if you do not want the KMS host computer to connect to Microsoft over the Internet.
 
 ## Requirements
 
 Before performing proxy activation, ensure that your network and the VAMT installation meet the following requirements:
--   There is an instance of VAMT that is installed on a computer that has Internet access. If you are performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup.
--   The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products have not been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key.
--   VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall.
--   For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
-The product keys that are installed on the client products must have a sufficient number of remaining activations. If you are activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This retrieves the number of remaining activations for the MAK from Microsoft. Note that this step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
+
+- There's an instance of VAMT that is installed on a computer that has Internet access. If you're performing proxy activation for an isolated workgroup, you also need to have VAMT installed on one of the computers in the workgroup.
+
+- The products to be activated have been added to VAMT and are installed with a retail product key, a KMS Host key (CSVLK) or a MAK. If the products haven't been installed with a proper product key, refer to the steps in the [Add and Remove a Product Key](add-remove-product-key-vamt.md) section for instructions on how to install a product key.
+
+- VAMT has administrative permissions on all products to be activated and Windows Management Instrumentation (WMI) is accessible through the Windows firewall.
+
+- For workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure client computers](configure-client-computers-vamt.md).
+
+    The product keys that are installed on the client products must have a sufficient number of remaining activations. If you're activating a MAK key, you can retrieve the remaining number of activations for that key by selecting the MAK in the product key list in the center pane and then clicking **Refresh product key data online** in the right-side pane. This action retrieves the number of remaining activations for the MAK from Microsoft. This step requires Internet access and that the remaining activation count can only be retrieved for MAKs.
 
 ## To Perform Proxy Activation
 
-**To perform proxy activation**
+1. Open VAMT.
 
-1.  Open VAMT.
-2.  If necessary, install product keys. For more information see:
-    -   [Install a Product Key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK).
-    -   [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys.
-3.  In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5.  Click **Filter**. VAMT displays the filtered list in the center pane.
-6.  In the right-side pane, click **Activate** and then click **Proxy activate** to open the **Proxy Activate** dialog box.
-7.  In the **Proxy Activate** dialog box click **Apply Confirmation ID, apply to selected machine(s) and activate**.
-8.  If you are activating products that require administrator credentials different from the ones you are currently using, select the **Use Alternate Credentials** checkbox.
-9.  Click **OK**.
-10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you will be prompted to enter the credentials.
+2. If necessary, install product keys. For more information, see:
 
-    **Note**  
+    - [Install a product key](install-product-key-vamt.md) to install retail, MAK, or KMS Host key (CSVLK).
+
+    - [Install a KMS Client Key](install-kms-client-key-vamt.md) to install GVLK (KMS client) keys.
+
+3. In the **Products** list in the center pane, select the individual products to be activated. You can use the **Filter** function to narrow your search for products by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+5. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+6. In the right-side pane, select **Activate** and then select **Proxy activate** to open the **Proxy Activate** dialog box.
+
+7. In the **Proxy Activate** dialog box select **Apply Confirmation ID, apply to selected machine(s) and activate**.
+
+8. If you're activating products that require administrator credentials different from the ones you're currently using, select the **Use Alternate Credentials** checkbox.
+
+9. Select **OK**.
+
+10. VAMT displays the **Activating products** dialog box until it completes the requested action. If you selected the **Alternate Credentials** option, you'll be prompted to enter the credentials.
+
+    > [!NOTE]
     You can use proxy activation to select products that have different key types and activate the products at the same time.
- 
- 
- 
diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md
index fb4282d3ac..231f5081c2 100644
--- a/windows/deployment/volume-activation/remove-products-vamt.md
+++ b/windows/deployment/volume-activation/remove-products-vamt.md
@@ -2,30 +2,39 @@
 title: Remove Products (Windows 10)
 description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Remove Products
+# Remove products
 
 To remove one or more products from the Volume Activation Management Tool (VAMT), you can delete them from the product list view in the center pane.
 
-**To delete one or more products**
-1.  Click a product node in the left-side pane.
-2.  You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-3.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-4.  Click **Filter**. VAMT displays the filtered list in the center pane.
-5.  Select the products you want to delete.
-6.  Click **Delete** in the **Selected Items** menu in the right-side pane.
-7.  On the **Confirm Delete Selected Products** dialog box, click **OK**.
+## To delete one or more products
+
+1. Select a product node in the left-side pane.
+
+2. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+3. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+4. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+5. Select the products you want to delete.
+
+6. Select **Delete** in the **Selected Items** menu in the right-side pane.
+
+7. On the **Confirm Delete Selected Products** dialog box, select **OK**.
+
+## Related articles
 
-## Related topics
 - [Add and Manage Products](add-manage-products-vamt.md)
- 
- 
diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
index d7635a95d0..2985a6bc04 100644
--- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md
@@ -2,43 +2,58 @@
 title: Scenario 3 KMS Client Activation (Windows 10)
 description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Scenario 3: KMS Client Activation
+# Scenario 3: KMS client activation
 
-In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You do not have to enter a key to activate a product as a GVLK, unless you are converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
+In this scenario, you use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). This type of activation can be performed on either Core Network or Isolated Lab computers. By default, volume license editions of Windows Vista, Windows® 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. GVLKs are already installed in volume license editions of these products. You don't have to enter a key to activate a product as a GVLK, unless you're converting a MAK-activated product to a KMS activation. For more information, see [Install a KMS Client Key](install-kms-client-key-vamt.md).
 
-The procedure that is described below assumes the following:
--   The KMS Service is enabled and available to all KMS clients.
--   VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
+The procedure that is described below assumes the following configuration:
 
-## Activate KMS Clients
+- The KMS Service is enabled and available to all KMS clients.
 
-1.  Open VAMT.
-2.  To set the KMS activation options, on the menu bar click **View**. Then click **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
-3.  In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
-    -   **Find a KMS host automatically using DNS**. This is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
-    -   **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
-    -   **Use specific KMS host**. Select this option for environments which do not use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
-4.  In the left-side pane, in the **Products** node, click the product that you want to activate.
-5.  In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-6.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by Product Name, Product Key Type, or License Status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-7.  Click **Filter**. VAMT displays the filtered list in the center pane.
-8.  Select the products that you want to activate.
-9.  Click **Activate** in the **Selected Items** menu in the right-side **Actions** pane, click **Activate**, point to **Volume activate**, and then click the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
-10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+- VAMT has been installed and computers have been added to the VAMT database. See Parts 1 through 4 in either [Scenario 1: Online Activation](scenario-online-activation-vamt.md) or [Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) for more information.
+
+## Activate KMS clients
+
+1. Open VAMT.
+
+2. To set the KMS activation options, on the menu bar select **View**. Then select **Preferences** to open the **Volume Activation Management Tool Preferences** dialog box.
+
+3. In the **Volume Activation Management Tool Preferences** dialog box, under **KMS Management Services host selection** select from the following options:
+
+    - **Find a KMS host automatically using DNS**. This setting is the default setting. VAMT will instruct the computer to query the Domain Name Service (DNS) to locate a KMS host and perform activation. If the client contains a registry key with a valid KMS host, that value will be used instead.
+
+    - **Find a KMS host using DNS in this domain for supported products**. Select this option if you use a specific domain, and enter the name of the domain.
+
+    - **Use specific KMS host**. Select this option for environments that don't use DNS for KMS host identification, and manually enter the KMS host name and select the KMS host port. VAMT will set the specified KMS host name and KMS host port on the target computer, and then instruct the computer to perform activation with the specific KMS host.
+
+4. In the left-side pane, in the **Products** node, select the product that you want to activate.
+
+5. In the products list view in the center pane, sort the list if necessary. You can use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+6. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by Product Name, Product Key Type, or License Status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+7. Select **Filter**. VAMT displays the filtered list in the center pane.
+
+8. Select the products that you want to activate.
+
+9. Select **Activate** in the **Selected Items** menu in the right-side **Actions** pane, select **Activate**, point to **Volume activate**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
+
+10. VAMT displays the **Activating products** dialog box until it completes the requested action. When activation is complete, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
 
 The same status is shown under the **Status of Last Action** column in the products list view in the center pane.
 
-## Related topics
-- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
- 
- 
+## Related articles
+
+- [VAMT step-by-step scenarios](vamt-step-by-step.md)
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index 93960a399c..68ca97def3 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -2,130 +2,158 @@
 title: Scenario 1 Online Activation (Windows 10)
 description: Achieve network access by deploying the Volume Activation Management Tool (VAMT) in a Core Network environment.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Scenario 1: Online Activation
 
 In this scenario, the Volume Activation Management Tool (VAMT) is deployed in the Core Network environment. VAMT is installed on a central computer that has network access to all of the client computers. Both the VAMT host and the client computers have Internet access. The following illustration shows a diagram of an online activation scenario for Multiple Activation Keys (MAKs). You can use this scenario for online activation of the following key types:
--   Multiple Activation Key (MAK)
--   Windows Key Management Service (KMS) keys:
-    -   KMS Host key (CSVLK)
-    -   Generic Volume License Key (GVLK), or KMS client key
--   Retail
+
+- Multiple Activation Key (MAK)
+
+- Windows Key Management Service (KMS) keys:
+
+  - KMS Host key (CSVLK)
+
+  - Generic Volume License Key (GVLK), or KMS client key
+
+- Retail
 The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
 
 ![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg)
 
-## In This Topic
--   [Install and start VAMT on a networked host computer](#bkmk-partone)
--   [Configure the Windows Management Instrumentation firewall exception on target computers](#bkmk-parttwo)
--   [Connect to VAMT database](#bkmk-partthree)
--   [Discover products](#bkmk-partfour)
--   [Sort and filter the list of computers](#bkmk-partfive)
--   [Collect status information from the computers in the list](#bkmk-partsix)
--   [Add product keys and determine the remaining activation count](#bkmk-partseven)
--   [Install the product keys](#bkmk-parteight)
--   [Activate the client products](#bkmk-partnine)
+## Step 1: Install and start VAMT on a networked host computer
 
-## <a href="" id="bkmk-partone"></a>Step 1: Install and start VAMT on a networked host computer
+1. Install VAMT on the host computer.
 
-1.  Install VAMT on the host computer.
-2.  Click the VAMT icon in the **Start** menu to open VAMT.
+2. Select the VAMT icon in the **Start** menu to open VAMT.
 
-## <a href="" id="bkmk-parttwo"></a>Step 2: Configure the Windows Management Instrumentation firewall exception on target computers
+## Step 2: Configure the Windows Management Instrumentation firewall exception on target computers
 
--   Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
-    **Note**  
-    To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+    > [!NOTE]
+    > To retrieve product license status, VAMT must have administrative permissions on the remote computers and WMI must be available through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
-## <a href="" id="bkmk-partthree"></a>Step 3: Connect to a VAMT database
+## Step 3: Connect to a VAMT database
 
-1.  If you are not already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located.
-2.  Click **Connect**.
-3.  If you are already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md)
+1. If you aren't already connected to a database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database where the keys that must be activated are located.
 
-## <a href="" id="bkmk-partfour"></a>Step 4: Discover products
+2. Select **Connect**.
 
-1.  In the left-side pane, in the **Products** node Products, click the product that you want to activate.
-2.  To open the **Discover Products** dialog box, click **Discover products** in the **Actions** menu in the right-side pane.
-3.  In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query:
-    -   To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
-    -   To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Note that VAMT supports both IPv4 and IPV6 addressing.
-    -   To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
-    -   To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks.
-4.  Click **Search**.
+3. If you're already connected to a database, VAMT displays an inventory of the products and product keys in the center pane, and a license overview of the computers in the database. If you need to connect to a different database, select **Successfully connected to Server** to open **the Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data](manage-vamt-data.md)
+
+## Step 4: Discover products
+
+1. In the left-side pane, in the **Products** node Products, select the product that you want to activate.
+
+2. To open the **Discover Products** dialog box, select **Discover products** in the **Actions** menu in the right-side pane.
+
+3. In the **Discover Products** dialog box, select **Search for computers in the Active Directory** to display the search options, and then select the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general Lightweight Directory Access Protocol (LDAP) query:
+
+    - To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names select the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
+
+    - To search by individual computer name or IP address, select **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. VAMT supports both IPv4 and IPV6 addressing.
+
+    - To search for computers in a workgroup, select **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, select the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
+
+    - To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without additional checks.
+
+4. Select **Search**.
 
     When the search is complete, the products that VAMT discovers appear in the product list view in the center pane.
 
-## <a href="" id="bkmk-partfive"></a>Step 5: Sort and filter the list of computers
+## Step 5: Sort and filter the list of computers
 
-You can sort the list of products so that it is easier to find the computers that require product keys to be activated:
-1.  On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**.
-2.  To sort the list further, you can click one of the column headings to sort by that column.
-3.  You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5.  Click **Filter**. VAMT displays the filtered list in the product list view in the center pane.
+You can sort the list of products so that it's easier to find the computers that require product keys to be activated:
 
-## <a href="" id="bkmk-partsix"></a>Step 6: Collect status information from the computers in the list
+1. On the menu bar at the top of the center pane, select **Group by**, and then select **Product**, **Product Key Type**, or **License Status**.
+
+2. To sort the list further, you can select one of the column headings to sort by that column.
+
+3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by product name, product key type, or license status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+5. Select **Filter**. VAMT displays the filtered list in the product list view in the center pane.
+
+## Step 6: Collect status information from the computers in the list
 
 To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods:
-- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key.
-- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
-  **To collect status information from the selected computers**
-- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**.
+
+- To select a block of consecutively listed computers, select the first computer that you want to select, and then select the last computer while pressing the **Shift** key.
+
+- To select computers that aren't listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
+
+### To collect status information from the selected computers
+
+- In the right-side **Actions** pane, select **Update license status** in the **Selected Items** menu and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials that are different from the ones that you used to sign into the computer. Otherwise, select **Current Credentials** and continue to step 2. If you're supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then select **OK**.
+
 - VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane.
 
-  **Note**  
-  If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
+  > [!NOTE]  
+  > If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
 
-## <a href="" id="bkmk-partseven"></a>Step 7: Add product keys and determine the remaining activation count
+## Step 7: Add product keys and determine the remaining activation count
 
-1.  Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
-2.  In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys:
-    -   To add product keys manually, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add Key(s)**.
-    -   To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key file to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
+1. Select the **Product Keys** node in the left-side pane, and then select **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
+
+2. In the **Add Product Key** dialog box, you can select from one of the following methods to add product keys:
+
+    - To add product keys manually, select **Enter product key(s) separated by line breaks**, enter one or more product keys, and then select **Add Key(s)**.
+
+    - To import a Comma Separated Values File (CSV) that contains a list of product keys, select **Select a product key file to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**.
 
     The keys that you have added appear in the **Product Keys** list view in the center pane.
 
-    **Important**  
-    If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
+    > [!IMPORTANT]
+    > If you are activating many products with a MAK, refresh the activation count of the MAK to ensure that the MAK can support the required number of activations. In the product key list in the center pane, select the MAK and then click **Refresh product key data online** in the right-side pane to contact Microsoft and retrieve the number of remaining activations for the MAK. This step requires Internet access. You can only retrieve the remaining activation count for MAKs.
 
-## <a href="" id="bkmk-parteight"></a>Step 8: Install the product keys
+## Step 8: Install the product keys
 
-1.  In the left-side pane, click the product that you want to install keys on to.
-2.  If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#bkmk-partfive).
-3.  In the **Products** list view pane, select the individual products which must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-4.  Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-5.  The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing a MAK you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Note that only one key can be installed at a time.
-6.  VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+1. In the left-side pane, select the product that you want to install keys on to.
+
+2. If necessary, sort and filter the list of products so that it's easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#step-5-sort-and-filter-the-list-of-computers).
+
+3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+
+4. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+
+5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you're installing a MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you aren't installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you want to view the **Description** for each key. When you've selected the product key that you want to install, select **Install Key**. Only one key can be installed at a time.
+
+6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
 
     The same status appears under the **Status of Last Action** column in the product list view in the center pane.
-    **Note**  
 
-    Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
+    > [!NOTE]
+    > Product key installation will fail if VAMT finds mismatched key types or editions. VAMT will display the failure status and will continue the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
 
-## <a href="" id="bkmk-partnine"></a>Step 9: Activate the client products
+## Step 9: Activate the client products
 
-1.  Select the individual products that you want to activate in the list-view pane.
-2.  On the menu bar, click **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also click **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option.
-3.  If you are activating product keys using your current credential, click **Current credential** and continue to step 5. If you are activating products that require an administrator credential that is different from the one you are currently using, click the **Alternate credential** option.
-4.  Enter your alternate user name and password and click **OK**.
-5.  The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed.
+1. Select the individual products that you want to activate in the list-view pane.
 
-    **Note**  
-    Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network.
-    
-    RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
+2. On the menu bar, select **Action**, point to **Activate** and point to **Online activate**. You can also right-click the selected computers(s) to display the **Action** menu, point to **Activate** and point to **Online activate**. You can also select **Activate** in the **Selected Items** menu in the right-hand pane to access the **Activate** option.
+
+3. If you're activating product keys using your current credential, select **Current credential** and continue to step 5. If you're activating products that require an administrator credential that is different from the one you're currently using, select the **Alternate credential** option.
+
+4. Enter your alternate user name and password and select **OK**.
+
+5. The **Activate** option contacts the Microsoft product-activation server over the Internet and requests activation for the selected products. VAMT displays the **Activating products** dialog box until the requested actions are completed.
+
+    > [!NOTE]
+    > Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network.
+    > RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
+
+## Related articles
 
-## Related topics
 - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
- 
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 0bf79390db..ccb63b5311 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -2,12 +2,13 @@
 title: Scenario 2 Proxy Activation (Windows 10)
 description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Scenario 2: Proxy Activation
@@ -18,148 +19,198 @@ In this scenario, the Volume Activation Management Tool (VAMT) is used to activa
 
 ## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
 
-1.  Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012.
-2.  Click the VAMT icon in the **Start** menu to open VAMT.
+1. Install VAMT on a host computer in the isolated lab workgroup. This computer can be running Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, or Windows Server® 2012.
 
-## Step 2: Configure the Windows Management Instrumentation Firewall Exception on Target Computers
+2. Select the VAMT icon in the **Start** menu to open VAMT.
 
--   Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+## Step 2: Configure the Windows Management Instrumentation Firewall Exception on target computers
 
-    **Note**  
-    To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
+- Ensure that the Windows Management Instrumentation (WMI) firewall exception has been enabled for all target computers. For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
-## Step 3: Connect to a VAMT Database
+    > [!NOTE]
+    > To retrieve the license status on the selected computers, VAMT must have administrative permissions on the remote computers and WMI must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
-1.  If the host computer in the isolated lab workgroup is not already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup.
-2.  Click **Connect**.
-3.  If you are already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, click **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md)
+## Step 3: Connect to a VAMT database
 
-## Step 4: Discover Products
+1. If the host computer in the isolated lab workgroup isn't already connected to the database, the **Database Connection Settings** dialog box appears when you open VAMT. Select the server and database that contains the computers in the workgroup.
 
-1.  In the left-side pane, in the **Products** node, click the product that you want to activate.
-2.  To open the **Discover Products** dialog box, click **Discover products** in the right-side pane.
-3.  In the **Discover Products** dialog box, click **Search for computers in the Active Directory** to display the search options, and then click the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query:
-    -   To search for computers in an Active Directory domain, click **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, click the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
-    -   To search by individual computer name or IP address, click **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported.
-    -   To search for computers in a workgroup, click **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, click the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only those computer names that start with the letter "a".
-    -   To search for computers by using a general LDAP query, click **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks.
-4.  Click **Search**.
+2. Select **Connect**.
+
+3. If you're already connected to a database, in the center pane VAMT displays an inventory of the products and product keys, and a license overview of the computers in the database. If you need to connect to a different database, select **Successfully connected to the Server** to open the **Database Connection Settings** dialog box. For more information about how to create VAMT databases and adding VAMT data, see [Manage VAMT Data.](manage-vamt-data.md)
+
+## Step 4: Discover products
+
+1. In the left-side pane, in the **Products** node, select the product that you want to activate.
+
+2. To open the **Discover Products** dialog box, select **Discover products** in the right-side pane.
+
+3. In the **Discover Products** dialog box, select **Search for computers in the Active Directory** to display the search options, and then select the search options that you want to use. You can search for computers in an Active Directory domain, by individual computer name or IP address, in a workgroup, or by a general LDAP query:
+
+    - To search for computers in an Active Directory domain, select **Search for computers in the Active Directory**. Then under **Domain Filter Criteria**, in the list of domain names, select the name of the domain that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for specific computers in the domain. This filter supports the asterisk (\*) wildcard. For example, typing "a\*" will display only computer names that start with the letter "a".
+
+    - To search by individual computer name or IP address, select **Manually enter name or IP address**. Then enter the full name or IP address in the **One or more computer names or IP addresses separated by commas** text box. Separate multiple entries with a comma. Both IPv4 and IPv6addressing are supported.
+
+    - To search for computers in a workgroup, select **Search for computers in the workgroup**. Then under **Workgroup Filter Criteria**, in the list of workgroup names, select the name of the workgroup that you want to search. You can narrow the search further by typing a name in the **Filter by computer name** field to search for a specific computer in the workgroup. This filter supports the asterisk (`*`) wildcard. For example, typing `a*` will display only those computer names that start with the letter **a**.
+
+    - To search for computers by using a general LDAP query, select **Search with LDAP query** and enter your query in the text box that appears. VAMT will validate the LDAP query syntax, but will otherwise run the query without extra checks.
+
+4. Select **Search**.
 
     The **Finding Computers** window appears and displays the search progress as the computers are located.
 
 When the search is complete, the products that VAMT discovers appear in the list view in the center pane.
 
-## Step 5: Sort and Filter the List of Computers
+## Step 5: Sort and filter the list of computers
 
-You can sort the list of products so that it is easier to find the computers that require product keys to be activated:
+You can sort the list of products so that it's easier to find the computers that require product keys to be activated:
 
-1.  On the menu bar at the top of the center pane, click **Group by**, and then click **Product**, **Product Key Type**, or **License Status**.
-2.  To sort the list further, you can click one of the column headings to sort by that column.
-3.  You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
-4.  In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
-    -   To filter the list by computer name, enter a name in the **Computer Name** box.
-    -   To filter the list by product name, product key type, or license status, click the list you want to use for the filter and select an option. If necessary, click **clear all filters** to create a new filter.
-5.  Click **Filter**. VAMT displays the filtered list in the product list view in the center pane.
+1. On the menu bar at the top of the center pane, select **Group by**, and then select **Product**, **Product Key Type**, or **License Status**.
 
-## Step 6: Collect Status Information from the Computers in the Isolated Lab
+2. To sort the list further, you can select one of the column headings to sort by that column.
+
+3. You can also use the **Filter** function to narrow your search for computers by clicking **Filter** in the right-side pane to open the **Filter Products** dialog box.
+
+4. In the **Filter Products** dialog box, you can filter the list by computer name, product name, product key type, license status, or by any combination of these options.
+
+    - To filter the list by computer name, enter a name in the **Computer Name** box.
+
+    - To filter the list by product name, product key type, or license status, select the list you want to use for the filter and select an option. If necessary, select **clear all filters** to create a new filter.
+
+5. Select **Filter**. VAMT displays the filtered list in the product list view in the center pane.
+
+## Step 6: Collect status information from the computers in the Isolated lab
 
 To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods:
-- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key.
-- To select computers that are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
+
+- To select a block of consecutively listed computers, select the first computer that you want to select, and then select the last computer while pressing the **Shift** key.
+
+- To select computers that aren't listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information.
   **To collect status information from the selected computers**
-- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**.
+
+- In the right-side **Actions** pane, select **Update license status** in the **Selected Items** menu and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials that are different from the ones that you used to sign in to the computer. Otherwise, select **Current Credentials** and continue to step 2.If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then select **OK**.
+
 - VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane.
 
-  **Note**  
-  If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
+  > [!NOTE]  
+  > If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading.
 
 ## Step 7: Add Product Keys
 
-1.  Click the **Product Keys** node in the left-side pane, and then click **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
-2.  In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys:
-    -   To add a single product key, click **Enter product key(s) separated by line breaks**, enter one or more product keys, and then click **Add key(s)**.
-    -   To import a Comma Separated Values File (CSV) that contains a list of product keys, click **Select a product key to import**, browse to the file location, click **Open** to import the file, and then click **Add Key(s)**.
+1. Select the **Product Keys** node in the left-side pane, and then select **Add Product Keys** in the right-side pane to open the **Add Product Keys** dialog box.
+
+2. In the **Add Product Keys** dialog box, you can select from one of the following methods to add product keys:
+
+    - To add a single product key, select **Enter product key(s) separated by line breaks**, enter one or more product keys, and then select **Add key(s)**.
+
+    - To import a Comma Separated Values File (CSV) that contains a list of product keys, select **Select a product key to import**, browse to the file location, select **Open** to import the file, and then select **Add Key(s)**.
 
     The keys that you have added appear in the **Product Keys** list view in the center pane.
 
 ## Step 8: Install the Product Keys on the Isolated Lab Computers
 
-1.  In the left-side pane, in the **Products** node click the product that you want to install keys onto.
-2.  If necessary, sort and filter the list of products so that it is easier to find the computers that must have a product key installed. See [Step 5: Sort and Filter the List of Computers](#step-5-sort-and-filter-the-list-of-computers).
-3.  In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
-4.  Click **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
-5.  The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you are installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you are not installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you have selected the product key that you want to install, click **Install Key**. Only one key can be installed at a time.
-6.  VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+1. In the left-side pane, in the **Products** node select the product that you want to install keys onto.
+
+2. If necessary, sort and filter the list of products so that it's easier to find the computers that must have a product key installed. See [Step 5: Sort and filter the list of computers](#step-5-sort-and-filter-the-list-of-computers).
+
+3. In the **Products** list view pane, select the individual products that must have keys installed. You can use the **CTRL** key or the **SHIFT** key to select more than one product.
+
+4. Select **Install product key** in the **Selected Items** menu in the right-side pane to display the **Install Product Key** dialog box.
+
+5. The **Select Product Key** dialog box displays the keys that are available to be installed. Under **Recommended MAKs**, VAMT might display one or more recommended MAKs based on the selected products. If you're installing an MAK, you can select a recommended product key or any other MAK from the **All Product Keys List**. If you aren't installing a MAK, select a product key from the **All Product Keys** list. Use the scroll bar if you need to view the **Description** for each key. When you've selected the product key that you want to install, select **Install Key**. Only one key can be installed at a time.
+
+6. VAMT displays the **Installing product key** dialog box while it attempts to install the product key for the selected products. When the process is finished, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
 
     The same status appears under the **Status of Last Action** column in the product list view in the center pane.
 
-    **Note**  
-    Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
+    > [!NOTE]
+    > Product key installation will fail if VAMT finds mismatched key types or editions. VAMT displays the failure status and continues the installation for the next product in the list. For more information on choosing the correct product key, see [How to Choose the Right Volume License Key for Windows.](/previous-versions/tn-archive/ee939271(v=technet.10))
 
-    **Note**  
-    Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
+    > [!NOTE]
+    > Installing a MAK and overwriting the GVLK on client products must be done with care. If the RTM version of Windows Vista has been installed on the computer for more than 30 days, then its initial grace period has expired. As a result, it will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are available on the network. RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
 
-## Step 9: Export VAMT Data to a .cilx File
+## Step 9: Export VAMT data to a `.cilx` file
 
-In this step, you export VAMT from the workgroup’s host computer and save it in a .cilx file. Then you copy the .cilx file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it is critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products.
+In this step, you export VAMT from the workgroup's host computer and save it in a `.cilx` file. Then you copy the `.cilx` file to removable media so that you can take it to a VAMT host computer that is connected to the Internet. In MAK proxy activation, it's critical to retain this file, because VAMT uses it to apply the Confirmation IDs (CIDs) to the proper products.
 
-1.  Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products.
-2.  In the right-side **Actions** pane, click **Export list** to open the **Export List** dialog box.
-3.  In the **Export List** dialog box, click **Browse** to navigate to the .cilx file, or enter the name of the .cilx file to which you want to export the data.
-4.  Under **Export options**, select one of the following data-type options:
-    -   Export products and product keys.
-    -   Export products only.
-    -   Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported .cilx file when this selection is selected. This option should be used when an enterprise’s security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the .cilx file that is transferred to the Core Network VAMT host.
-5.  If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box.
-6.  Click **Save**. VAMT displays a progress message while the data is being exported. Click **OK** when a message appears and confirms that the export has completed successfully.
-7.  If you exported the list to a file on the host computer’s hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device.
+1. Select the individual products that successfully received a product key in Step 8. If needed, sort and filter the list to find the products.
 
-    **Important**  
-    Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the .cilx file. Therefore, the .cilx file must be re-imported into the SQL Server database on the isolated lab workgroup’s VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group.
+2. In the right-side **Actions** pane, select **Export list** to open the **Export List** dialog box.
 
-## Step 10: Acquire Confirmation IDs from Microsoft on the Internet-Connected Host Computer
+3. In the **Export List** dialog box, select **Browse** to navigate to the `.cilx` file, or enter the name of the `.cilx` file to which you want to export the data.
 
-1.  Insert the removable media into the VAMT host that has Internet access.
-2.  Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
-3.  In the right-side **Actions** pane, click **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
-4.  In the **Acquire confirmation IDs for file** dialog box, browse to the location of the .cilx file that you exported from the isolated lab host computer, select the file, and then click **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs.
-5.  When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Click **OK** to close the message.
+4. Under **Export options**, select one of the following data-type options:
 
-## Step 11: Import the .cilx File onto the VAMT Host within the Isolated Lab Workgroup
+    - Export products and product keys.
 
-1.  Remove the storage device that contains the .cilx file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab.
-2.  Open VAMT and verify that you are connected to the database that contains the computer with the product keys that you are activating.
-3.  In the right-side **Actions** pane, click **Import list** to open the **Import List** dialog box.
-4.  In the **Import list** dialog box, browse to the location of the .cilx file that contains the CIDs, select the file, and then click **Open**.
-5.  Click **OK** to import the file and to overwrite any conflicting data in the database with data from the file.
-6.  VAMT displays a progress message while the data is being imported. Click **OK** when a message appears and confirms that the data has been successfully imported.
+    - Export products only.
+
+    - Export proxy activation data only. Selecting this option ensures that the export contains only the license information required for the proxy web service to obtain CIDs from Microsoft. No Personally Identifiable Information (PII) is contained in the exported `.cilx` file when this selection is selected. This option should be used when an enterprise's security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab and, therefore, this type of data must be excluded from the `.cilx` file that is transferred to the Core Network VAMT host.
+
+5. If you have selected products to export, and not the entire set of data from the database, select the **Export selected product rows only** check box.
+
+6. Select **Save**. VAMT displays a progress message while the data is being exported. Select **OK** when a message appears and confirms that the export has completed successfully.
+
+7. If you exported the list to a file on the host computer's hard drive, copy the file to removable media, such as a disk drive, CD/DVD, or USB storage device.
+
+    > [!IMPORTANT]
+    > Choosing the **Export proxy activation data only** option excludes Personally Identifiable Information (PII) from being saved in the `.cilx` file. Therefore, the `.cilx` file must be re-imported into the SQL Server database on the isolated lab workgroup's VAMT host computer, so that the CIDs that are requested from Microsoft (discussed in Step 10) can be correctly assigned to the computers in the isolated lab group.
+
+## Step 10: Acquire confirmation IDs from Microsoft on the internet connected host computer
+
+1. Insert the removable media into the VAMT host that has Internet access.
+
+2. Open VAMT. Make sure you are on the root node, and that the **Volume Activation Management Tool** view is displayed in the center pane.
+
+3. In the right-side **Actions** pane, select **Acquire confirmation IDs for CILX** to open the **Acquire confirmation IDs for file** dialog box.
+
+4. In the **Acquire confirmation IDs for file** dialog box, browse to the location of the `.cilx` file that you exported from the isolated lab host computer, select the file, and then select **Open**. VAMT displays an **Acquiring Confirmation IDs** message while it contacts Microsoft and collects the CIDs.
+
+5. When the CID collection process is complete, VAMT displays a **Volume Activation Management Tool** message that shows the number of confirmation IDs that were successfully acquired, and the name of the file where the IDs were saved. Select **OK** to close the message.
+
+## Step 11: Import the `.cilx` file onto the VAMT host within the Isolated lab workgroup
+
+1. Remove the storage device that contains the `.cilx` file from the Internet-connected VAMT host computer and insert it into the VAMT host computer in the isolated lab.
+
+2. Open VAMT and verify that you're connected to the database that contains the computer with the product keys that you're activating.
+
+3. In the right-side **Actions** pane, select **Import list** to open the **Import List** dialog box.
+
+4. In the **Import list** dialog box, browse to the location of the `.cilx` file that contains the CIDs, select the file, and then select **Open**.
+
+5. Select **OK** to import the file and to overwrite any conflicting data in the database with data from the file.
+
+6. VAMT displays a progress message while the data is being imported. Select **OK** when a message appears and confirms that the data has been successfully imported.
 
 ## Step 12: Apply the CIDs and Activate the Isolated Lab Computers
 
-1.  Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products.
-2.  In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products.
 
-    VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+2. In the right-side **Selected Items** menu, select **Activate**, select **Apply Confirmation ID**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
+
+    VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
     The same status appears under the **Status of Last Action** column in the product list view in the center pane.
 
 ## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab
 
-If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers has not changed, VAMT can reactivate those computers using the CIDs that are stored in the database.
-1.  Redeploy products to each computer, using the same computer names as before.
-2.  Open VAMT.
-3.  In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password.
+If you have captured new images of the computers in the isolated lab, but the underlying hardware of those computers hasn't changed, VAMT can reactivate those computers using the CIDs that are stored in the database.
 
-    VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears.
+1. Redeploy products to each computer, using the same computer names as before.
+
+2. Open VAMT.
+
+3. In the right-side **Selected Items** menu, select **Activate**, select **Apply Confirmation ID**, and then select the appropriate credential option. If you select the **Alternate Credentials** option, you'll be prompted to enter an alternate user name and password.
+
+    VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Select **Close** to close the dialog box. You can also select the **Automatically close when done** check box when the dialog box appears.
     The same status appears under the **Status of Last Action** column in the product list view in the center pane.
 
-    **Note**  
-    Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network. 
-    
-    RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 will not enter RFM.
+    > [!NOTE]
+    > Installing a MAK and overwriting the GVLK on the client products must be done with care. If the Windows activation initial grace period has expired, Windows will enter Reduced Functionality Mode (RFM) if online activation is not completed successfully before the next logon attempt. However, you can use online activation to recover properly configured computers from RFM, as long as the computers are accessible on the network.
 
-    **Note**  
-    Reapplying the same CID conserves the remaining activations on the MAK.
+    RFM only applies to the RTM version of Windows Vista or the retail editions of Microsoft Office 2010. Windows Vista with SP1 or later, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, and volume editions of Office 2010 won't enter RFM.
+
+    > [!NOTE]
+    > Reapplying the same CID conserves the remaining activations on the MAK.
+
+## Related articles
 
-## Related topics
 - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md)
- 
diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md
index 69fd4f603b..eb5553920d 100644
--- a/windows/deployment/volume-activation/update-product-status-vamt.md
+++ b/windows/deployment/volume-activation/update-product-status-vamt.md
@@ -2,33 +2,38 @@
 title: Update Product Status (Windows 10)
 description: Learn how to use the Update license status function to add the products that are installed on the computers.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# Update Product Status
+# Update product status
 
 After you add computers to the VAMT database, you need to use the **Update license status** function to add the products that are installed on the computers. You can also use the **Update license status** at any time to retrieve the most current license status for any products in the VAMT database.
 To retrieve license status, VAMT must have administrative permissions on all selected computers and Windows Management Instrumentation (WMI) must be accessible through the Windows Firewall. In addition, for workgroup computers, a registry key must be created to enable remote administrative actions under User Account Control (UAC). For more information, see [Configure Client Computers](configure-client-computers-vamt.md).
 
-**Note**  
+> [!NOTE]
 The license-status query requires a valid computer name for each system queried. If the VAMT database contains computers that were added without Personally Identifiable Information, computer names will not be available for those computers, and the status for these computers will not be updated.
 
 ## Update the license status of a product
 
-1.  Open VAMT.
-2.  In the **Products** list, select one or more products that need to have their status updated.
-3.  In the right-side **Actions** pane, click **Update license status** and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials different from the ones you used to log into the computer.
-4.  If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and click **OK**.
+1. Open VAMT.
+
+2. In the **Products** list, select one or more products that need to have their status updated.
+
+3. In the right-side **Actions** pane, select **Update license status** and then select a credential option. Choose **Alternate Credentials** only if you're updating products that require administrator credentials different from the ones you used to log into the computer.
+
+4. If you're supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and select **OK**.
 
     VAMT displays the **Collecting product information** dialog box while it collects the status of all selected products. When the process is finished, the updated licensing status of each product will appear in the product list view in the center pane.
 
-    **Note**  
-    If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
- 
-## Related topics
+    > [!NOTE]
+    If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view.
+
+## Related articles
+
 - [Add and Manage Products](add-manage-products-vamt.md)
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index d330d9c58c..b733a5046e 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -2,48 +2,54 @@
 title: Use the Volume Activation Management Tool (Windows 10)
 description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Use the Volume Activation Management Tool
 
-**Applies to**
--   Windows 10
--   Windows 8.1
--   Windows 8
--   Windows 7
--   Windows Server 2012 R2
--   Windows Server 2012
--   Windows Server 2008 R2
+*Applies to:*
 
-**Looking for retail activation?**
--   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+> [!TIP]
+> Are you looking for information on retail activation?
+>
+> - [Activate Windows](https://support.microsoft.com/help/12440/)
+> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
 The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to perform VAMT proxy activation and to track and monitor several types of product keys.
 
-By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It is a standard Microsoft Management Console snap-in, and it can be 
-installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
+By using the VAMT, you can automate and centrally manage the volume, retail, and MAK activation process for Windows, Office, and select other Microsoft products. The VAMT can manage volume activation by using MAKs or KMS. It's a standard Microsoft Management Console snap-in, and it can be installed on any computer running Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2.
 
-The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
+The VAMT is distributed as part of the Windows Assessment and Deployment Kit (Windows ADK), which is a free download available from Microsoft Download Center. For more information, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740).
 
-In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
+In Windows Server 2012 R2, you can install the VAMT directly from Server Manager without downloading the Windows ADK by selecting the Volume Activation Services role or the Remote Server Administration Tools/Role Administration Tools/Volume Activation Tools feature.
 
 ## Activating with the Volume Activation Management Tool
 
 You can use the VAMT to complete the activation process in products by using MAK and retail keys, and you can work with computers individually or in groups. The VAMT enables two activation scenarios:
--   **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
--   **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
+
+- **Online activation**. Online activation enables you to activate over the Internet any products that are installed with MAK, KMS host, or retail product keys. You can activate one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft.
+
+- **Proxy activation**. This activation method enables you to perform volume activation for products that are installed on client computers that don't have Internet access. The VAMT host computer distributes a MAK, KMS host key, or retail product key to one or more client products and collects the installation ID from each client product. The VAMT host sends the installation IDs to Microsoft on behalf of the client products and obtains the corresponding confirmation IDs. The VAMT host then installs the confirmation IDs on the client products to complete their activation.
     By using this method, only the VAMT host computer requires Internet access. Proxy activation by using the VAMT is beneficial for isolated network segments and for cases where your organization has a mix of retail, MAK, and KMS-based activations.
 
 ## Tracking products and computers with the Volume Activation Management Tool
 
-The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
+The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
 
 ![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg)
 
@@ -51,7 +57,7 @@ The VAMT provides an overview of the activation and licensing status of computer
 
 ## Tracking key usage with the Volume Activation Management Tool
 
-The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
+The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it's and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
 
 ![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg)
 
@@ -59,16 +65,19 @@ The VAMT makes it easier to track the various keys that are issued to your organ
 
 ## Other Volume Activation Management Tool features
 
-The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
--   **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
--   **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
--   **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
+The VAMT stores information in a Microsoft SQL Server database for performance and flexibility, and it provides a single graphical user interface for managing activations and performing other activation-related tasks, such as:
+
+- **Adding and removing computers**. You can use the VAMT to discover computers in the local environment. The VAMT can discover computers by querying AD DS, workgroups, or individual computer names or IP addresses, or through a general LDAP query.
+
+- **Discovering products**. You can use the VAMT to discover Windows, Windows Server, Office, and select other products that are installed on the client computers.
+
+- **Managing activation data**. The VAMT stores activation data in a SQL Server database. The tool can export this data in XML format to other VAMT hosts or to an archive.
 
 For more information, see:
--   [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md)
--   [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md)
 
-## See also
--   [Volume Activation for Windows 10](volume-activation-windows-10.md)
- 
- 
+- [Volume Activation Management Tool (VAMT) Overview](./volume-activation-management-tool.md)
+- [VAMT Step-by-Step Scenarios](./vamt-step-by-step.md)
+
+## Related articles
+
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index 1bb0fe7458..71e97c1a03 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -2,73 +2,100 @@
 title: Use VAMT in Windows PowerShell (Windows 10)
 description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Use VAMT in Windows PowerShell
 
 The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool.
 
-**To install PowerShell 3.0**
-- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](/powershell/scripting/install/installing-powershell).
+## Configuring VAMT in Windows PowerShell
 
-**To install the Windows Assessment and Deployment Kit**
-- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
+### Install PowerShell 3.0
 
-**To prepare the VAMT PowerShell environment**
-- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**.
+VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](/powershell/scripting/install/installing-powershell).
 
-  **Important**  
-  If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories:
-  -   The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
-  -   The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe
-- For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located.
+### Install the Windows Assessment and Deployment Kit**
 
-  For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type:
-    
-  ``` powershell
-  cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0”
+In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK).
+
+### Prepare the VAMT PowerShell environment
+
+To open PowerShell with administrative credentials, select **Start** and enter `PowerShell` to locate the program. Right-click **Windows PowerShell**, and then select **Run as administrator**. To open PowerShell in Windows 7, select **Start**, select **All Programs**, select **Accessories**, select **Windows PowerShell**, right-click **Windows PowerShell**, and then select **Run as administrator**.
+
+  > [!IMPORTANT]  
+  > If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are only supported for x86 architecture. You must use an x86 version of Windows PowerShell to import the VAMT module
+  
+  The x86 versions of Windows PowerShell are available in the following directories:
+
+- PowerShell:
+  
+  `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`
+- PowerShell ISE:
+  
+  `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe`
+
+For all supported operating systems, you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, enter:
+
+  ```powershell
+  cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0"
   ```
-- Import the VAMT PowerShell module. To import the module, type the following at a command prompt:
-  ``` powershell
+
+### Import the VAMT PowerShell module
+
+To import the VAMT PowerShell module, enter the following command at a PowerShell command prompt:
+
+  ```powershell
   Import-Module .\VAMT.psd1
   ```
-  Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`.
 
-## To Get Help for VAMT PowerShell cmdlets
+  where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, enter `get-help about_profiles`.
 
-You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you are interested in. To view all of the Help content for a VAMT cmdlet, type:
-``` powershell
+## To get help for VAMT PowerShell cmdlets
+
+You can view all of the help sections for a VAMT PowerShell cmdlet, or you can view only the section that you're interested in. To view all of the Help content for a VAMT cmdlet, enter:
+
+```powershell
 get-help <cmdlet name> -all
 ```
-For example, type:
-``` powershell
+
+For example, enter:
+
+```powershell
 get-help get-VamtProduct -all
 ```
 
-**Warning**  
-The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](/powershell/module/vamt).
+> [!WARNING]
+> The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the `-online` option with the `get-help` cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](/powershell/module/vamt).
 
-**To view VAMT PowerShell Help sections**
+### View VAMT PowerShell help sections
 
-1. To get the syntax to use with a cmdlet, type the following at a command prompt:
-   ``` powershell
+1. To get the syntax to use with a cmdlet, enter the following command at a PowerShell command prompt:
+
+   ```powershell
    get-help <cmdlet name>
    ```
-   For example, type:
-   ``` powershell
+
+   For example, enter:
+
+   ```powershell
    get-help get-VamtProduct 
    ```
-2. To see examples using a cmdlet, type:
-   ``` powershell
+
+2. To see examples using a cmdlet, enter:
+
+   ```powershell
    get-help <cmdlet name> -examples
    ```
-   For example, type:
-   ``` powershell
+
+   For example, enter:
+
+   ```powershell
    get-help get-VamtProduct -examples
    ```
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 3b40e5ba6c..0507f060c7 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -2,15 +2,16 @@
 title: VAMT known issues (Windows 10)
 description: Find out the current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 12/17/2019
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
 ms.custom: 
-- CI 111496
-- CSSTroubleshooting
+  - CI 111496
+  - CSSTroubleshooting
+ms.technology: itpro-fundamentals
 ---
 
 # VAMT known issues
@@ -18,7 +19,9 @@ ms.custom:
 The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include:
 
 - VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state.
-- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. You must update the product status again to obtain the edition information.
+
+- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information isn't shown for each product in the center pane. You must update the product status again to obtain the edition information.
+
 - The remaining activation count can only be retrieved for Multiple Activation Key (MAKs).
 
 ## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1
@@ -27,11 +30,11 @@ Another known issue is that when you try to add a Windows 10 Key Management Serv
 
 ![VAMT error message.](./images/vamt-known-issue-message.png)
 
-This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
+This issue occurs because VAMT 3.1 doesn't contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
 
 ### Method 1
 
-Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
+Don't add the CSVLK to the VAMT 3.1 tool. Instead, use the ` slmgr.vbs /ipk <CSVLK>` command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the `Slmgr.vbs` tool, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
 
 ### Method 2
 
@@ -39,20 +42,32 @@ On the KMS host computer, perform the following steps:
 
 1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/).
 
-1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168.
+2. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168.
 
-1. To extract the contents of the update, run the following command:
+3. To extract the contents of the update, run the following command:
 
-   ```console
+   ```cmd
    expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
    ```
 
-1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
+4. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
 
-   ```console
+   ```cmd
    expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
    ```
 
-1. In the C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716 folder, copy the pkeyconfig-csvlk.xrm-ms file. Paste this file into the C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig folder.
+5. In the
+   
+   `C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716`
+   
+   folder, copy the
+   
+   `pkeyconfig-csvlk.xrm-ms`
+   
+   file. Paste this file into the
+   
+   `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig`
+   
+   folder.
 
-1. Restart VAMT.
+6. Restart VAMT.
diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md
index 7866a50e98..a304218987 100644
--- a/windows/deployment/volume-activation/vamt-requirements.md
+++ b/windows/deployment/volume-activation/vamt-requirements.md
@@ -2,19 +2,20 @@
 title: VAMT Requirements (Windows 10)
 description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# VAMT Requirements
+# VAMT requirements
 
-This topic includes info about the product key and system requirements for VAMT.
+This article includes info about the product key and system requirements for VAMT.
 
-## Product Key Requirements
+## Product key requirements
 
 The Volume Activation Management Tool (VAMT) can be used to perform activations using any of the following types of product keys.
 
@@ -23,7 +24,7 @@ The Volume Activation Management Tool (VAMT) can be used to perform activations
 |<ul><li>Multiple Activation Key (MAK)</li><li>Key Management Service (KMS) host key (CSVLK)</li><li>KMS client setup keys (GVLK)</li></ul> |Volume licensing keys can only be obtained with a signed contract from Microsoft. For more info, see the [Microsoft Volume Licensing portal](https://go.microsoft.com/fwlink/p/?LinkId=227282). |
 |Retail product keys |Obtained at time of product purchase. |
 
-## System Requirements
+## System requirements
 
 The following table lists the system requirements for the VAMT host computer.
 
@@ -36,7 +37,8 @@ The following table lists the system requirements for the VAMT host computer.
 | Display | 1024x768 or higher resolution monitor |
 | Network | Connectivity to remote computers via Windows Management Instrumentation (TCP/IP) and Microsoft Activation Web Service on the Internet via HTTPS |
 | Operating System | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, or later. |
-| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
+| Additional Requirements | <ul><li>Connection to a SQL Server database. For more info, see [Install VAMT](install-vamt.md).</li><li>PowerShell 3.0: For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012, PowerShell is included in the installation. For previous versions of Windows and Windows Server, you must download PowerShell 3.0. To download PowerShell, go to [Download Windows PowerShell 3.0](/powershell/scripting/install/installing-powershell).</li><li>If installing on Windows Server 2008 R2, you must also install .NET Framework 3.51.</li></ul> |
 
-## Related topics
-- [Install and Configure VAMT](install-configure-vamt.md)
+## Related articles
+
+- [Install and configure VAMT](install-configure-vamt.md)
diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md
index 96e2238db0..880a8cf474 100644
--- a/windows/deployment/volume-activation/vamt-step-by-step.md
+++ b/windows/deployment/volume-activation/vamt-step-by-step.md
@@ -2,27 +2,27 @@
 title: VAMT Step-by-Step Scenarios (Windows 10)
 description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
-ms.date: 04/25/2017
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
-# VAMT Step-by-Step Scenarios
+# VAMT step-by-step scenarios
 
 This section provides instructions on how to implement the Volume Activation Management Tool (VAMT) in typical environments. VAMT supports many common scenarios; it describes here some of the most common to get you started.
 
-## In this Section
+## In this section
 
-|Topic |Description |
-|------|------------|
+|Article |Description |
+|-------|------------|
 |[Scenario 1: Online Activation](scenario-online-activation-vamt.md) |Describes how to distribute Multiple Activation Keys (MAKs) to products installed on one or more connected computers within a network, and how to instruct these products to contact Microsoft over the Internet for activation. |
 |[Scenario 2: Proxy Activation](scenario-proxy-activation-vamt.md) |Describes how to use two VAMT host computers—the first one with Internet access and a second computer within an isolated workgroup—as proxies to perform MAK volume activation for workgroup computers that don't have Internet access. |
-|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
+|[Scenario 3: Key Management Service (KMS) Client Activation](scenario-kms-activation-vamt.md) |Describes how to use VAMT to configure client products for Key Management Service (KMS) activation. By default, volume license editions of Windows 10, Windows Vista, Windows® 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server® 2012, and Microsoft® Office 2010 use KMS for activation. |
 
 ## Related articles
+
 - [Introduction to VAMT](introduction-vamt.md)
- 
- 
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index fd360dd5f2..9771f187cd 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -1,15 +1,14 @@
 ---
 title: VAMT technical reference
 description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation.
-manager: dougeby
-ms.author: aaroncz
+manager: aaroncz
+ms.author: frankroj
 ms.prod: windows-client
-ms.technology: itpro-deploy
-author: aczechowski
-ms.date: 09/16/2022
+ms.technology: itpro-fundamentals
+author: frankroj
+ms.date: 11/07/2022
 ms.topic: overview
 ms.custom: seo-marvel-apr2020
-ms.collection: highpri
 ---
 
 # Volume Activation Management Tool (VAMT) technical reference
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index c255592df6..3cc524e10f 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -2,34 +2,40 @@
 title: Volume Activation for Windows 10
 description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-ms.prod: w10
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/07/2022
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Volume Activation for Windows 10
 
-> Applies to
+*Applies to:*
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows Server 2008 R2
+
+> [!TIP]
+> Are you looking for volume licensing information?
 >
->- Windows 10
->- Windows Server 2012 R2
->- Windows Server 2012
->- Windows Server 2016
->- Windows Server 2019
+> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104)
 
-**Looking for volume licensing information?**
+> [!TIP]
+> Are you looking for information on retail activation?
+>
+> - [Activate Windows](https://support.microsoft.com/help/12440/)
+> - [Product activation for Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
 
-- [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104)
-
-**Looking for retail activation?**
-
-- [Get Help Activating Microsoft Windows](https://support.microsoft.com/help/12440/windows-10-activate)
-
-This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
+This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
 
 *Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/).
 
@@ -37,25 +43,31 @@ Volume activation is a configurable solution that helps automate and manage the
 
 This guide provides information and step-by-step guidance to help you choose a volume activation method that suits your environment, and then to configure that solution successfully. This guide describes the volume activation features and the tools to manage volume activation.
 
-Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions.
+Because most organizations won't immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it doesn't discuss the tools that are provided with earlier operating system versions.
 
-Volume activation -and the need for activation itself- is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
+Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
 
-If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
+If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
 
 To successfully plan and implement a volume activation strategy, you must:
 
 - Learn about and understand product activation.
+
 - Review and evaluate the available activation types or models.
+
 - Consider the connectivity of the clients to be activated.
+
 - Choose the method or methods to be used with each type of client.
-- Determine the types and number of product keys you will need.
+
+- Determine the types and number of product keys you'll need.
+
 - Determine the monitoring and reporting needs in your organization.
+
 - Install and configure the tools required to support the methods selected.
 
-Keep in mind that the method of activation does not change an organization’s responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
+Keep in mind that the method of activation doesn't change an organization's responsibility to the licensing requirements. You must ensure that all software used in your organization is properly licensed and activated in accordance with the terms of the licensing agreements in place.
 
-## Additional information
+## Related articles
 
 - [Plan for volume activation](plan-for-volume-activation-client.md)
 - [Activate using Key Management Service](activate-using-key-management-service-vamt.md)
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
index 3476d250c5..32807ff581 100644
--- a/windows/deployment/wds-boot-support.md
+++ b/windows/deployment/wds-boot-support.md
@@ -1,20 +1,22 @@
 ---
 title: Windows Deployment Services (WDS) boot.wim support
 description: This article provides details on the support capabilities of WDS for end to end operating system deployment.
-ms.prod: w11
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.topic: article
 ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Windows Deployment Services (WDS) boot.wim support
 
-Applies to: 
-- Windows 10 
+*Applies to:*
+
+- Windows 10
 - Windows 11
 
 The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported.
@@ -25,9 +27,9 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install
 
 ## Deployment scenarios affected
 
-The table below provides support details for specific deployment scenarios (Boot Image Version).
+The table below provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows.
 
-||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11|
+|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11|
 |--- |--- |--- |--- |--- |--- |
 |**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.|
 |**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.|
@@ -35,25 +37,24 @@ The table below provides support details for specific deployment scenarios (Boot
 |**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.|
 |**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|
 
-
 ## Reason for the change
 
-Alternatives to WDS, such as [Microsoft Endpoint Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images. 
+Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
 
 ## Not affected
 
-WDS PXE boot is not affected by this change. You can still use WDS to PXE boot devices with custom boot images, but you cannot use **boot.wim** as the boot image and run Windows Setup in WDS mode.
+WDS PXE boot isn't affected by this change. You can still use WDS to PXE boot devices with custom boot images, but you can't use **boot.wim** as the boot image and run Windows Setup in WDS mode.
 
-You can still run Windows Setup from a network share. Workflows that use a custom boot.wim, such as MDT or Configuration Manager are not affected by this change.
+You can still run Windows Setup from a network share. Workflows that use a custom boot.wim, such as MDT or Configuration Manager aren't affected by this change.
 
 ## Summary
 
-- Windows 11 workflows that rely on **boot.wim** from installation media will be blocked. You cannot perform an end to end deployment of Windows 11 using only WDS.
-- Windows 10, Windows Server 2019, and previous operating system versions are not affected by this change.
-- Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow is not blocked.
+- Windows 11 workflows that rely on **boot.wim** from installation media will be blocked. You can't perform an end to end deployment of Windows 11 using only WDS.
+- Windows 10, Windows Server 2019, and previous operating system versions aren't affected by this change.
+- Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked.
 - Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked.
 
-If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version is not supported, deprecated, or blocked, it is recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. 
+If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image.
 
 ## Also see
 
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index c4377a6979..677807d5c7 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -1,22 +1,24 @@
 ---
 title: Windows 10 deployment process posters
-description: View and download Windows 10 deployment process flows for Microsoft Endpoint Manager and Windows Autopilot.
+description: View and download Windows 10 deployment process flows for Microsoft Configuration Manager and Windows Autopilot.
 ms.reviewer: 
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
+manager: aaroncz
+author: frankroj
+ms.author: frankroj
 ms.prod: windows-client
 ms.technology: itpro-deploy
 ms.localizationpriority: medium
 ms.topic: reference
+ms.date: 11/23/2022
 ---
 
 # Windows 10 deployment process posters
 
-**Applies to**
--   Windows 10
+*Applies to:*
 
-The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager.
+- Windows 10
+
+The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager.
 
 ## Deploy Windows 10 with Autopilot
 
@@ -24,7 +26,7 @@ The Windows Autopilot poster is two pages in portrait mode (11x17). Select the i
 
 [![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf)
 
-## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+## Deploy Windows 10 with Microsoft Configuration Manager
 
 The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version.
 
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 654f40c28a..18e44ca25b 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -1,28 +1,29 @@
 ---
 title: Windows 10 deployment scenarios (Windows 10)
 description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios.
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
-ms.collection: highpri
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Windows 10 deployment scenarios
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
-To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
+To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each.
 
 ## Deployment categories
 
 The following tables summarize various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
 
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
+- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
 
    > [!NOTE]
    > Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
@@ -43,7 +44,7 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
 |Scenario|Description|More information|
 |--- |--- |--- |
 |[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)|
-|[AAD / MDM](#dynamic-provisioning)|The device is automatically joined to Azure Active Directory and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
+|[Azure Active Directory / MDM](#dynamic-provisioning)|The device is automatically joined to Azure Active Directory and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
 |[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
 
 ### Traditional
@@ -54,83 +55,84 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
 |[Refresh](#computer-refresh)|Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state. | [Refresh a Windows 7 computer with Windows 10](/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10)<br>[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager)|
 |[Replace](#computer-replace)|Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.| [Replace a Windows 7 computer with a Windows 10 computer](/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer)<br>[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager)|
 
->[!IMPORTANT]
->The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
->Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS. 
+> [!IMPORTANT]
+> The Windows Autopilot and Subscription Activation scenarios require that the beginning OS be Windows 10 version 1703, or later.<br>
+> Except for clean install scenarios such as traditional bare metal and Windows Autopilot, all the methods described can optionally migrate apps and settings to the new OS.
 
 ## Modern deployment methods
 
-Modern deployment methods embrace both traditional on-prem and cloud services to deliver a simple, streamlined, cost effective deployment experience.
+Modern deployment methods embrace both traditional on-premises and cloud services to deliver a simple, streamlined, and cost effective deployment experience.
 
 ### Windows Autopilot
 
-Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
+Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
 
 For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
 
 ### In-place upgrade
 
-For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
+For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 uses the Windows installation program (Setup.exe) is to perform an in-place upgrade. An in-place upgrade:
 
-Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
+- Automatically preserves all data, settings, applications, and drivers from the existing operating system version
+- Requires the least IT effort, because there's no need for any complex deployment infrastructure
 
-The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
+Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
 
-Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images are not needed and cannot be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
+The in-place upgrade process is designed to be reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process.
 
-Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
+Existing applications are preserved through the process. So, the upgrade process uses the standard Windows installation media image (Install.wim). Custom images aren't needed and can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.)
 
-- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
+Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
 
--   **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
-    - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
-    - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
 
-There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
+- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
+  - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+  - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
 
--   Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process cannot change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
+There are some situations where you can't use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
 
--   Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
+- Changing from Windows 7, Windows 8, or Windows 8.1 x86 to Windows 10 x64. The upgrade process can't change from a 32-bit operating system to a 64-bit operating system, because of possible complications with installed applications and drivers.
 
--   Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, this is not supported – preparing an upgraded OS for imaging (using Sysprep.exe) is not supported and will not work when it detects the upgraded OS.
+- Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed.
 
--   Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not leveraging virtual machines for the second and subsequent operating systems), additional care should be taken.
+- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail.
 
+- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken.
 
 ## Dynamic provisioning
 
-For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image, because this was often faster and easier than leveraging the preinstalled version. But this is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it is now possible to avoid this.
+For new PCs, organizations have historically replaced the version of Windows included on the device with their own custom Windows image. A custom image was used because a custom image was often faster and easier than using the preinstalled version. However, reimaging with a custom image is an added expense due to the time and effort required. With the new dynamic provisioning capabilities and tools provided with Windows 10, it's now possible to avoid using custom images.
 
 The goal of dynamic provisioning is to take a new PC out of the box, turn it on, and transform it into a productive organization device, with minimal time and effort. The types of transformations that are available include:
 
-### Windows 10 Subscription Activation<A ID="windows-10-subscription-activation"></A>
+### Windows 10 Subscription Activation
 
-Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
+Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
 
+### Azure Active Directory (Azure AD) join with automatic mobile device management (MDM) enrollment
 
-### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment
-
-In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
 
 ### Provisioning package configuration
 
-Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
+When you use the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
 
-These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
+These scenarios can be used to enable "choose your own device" (CYOD) programs. With these programs, organization users can pick their own PC and aren't restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
 
-While the initial Windows 10 release includes a variety of provisioning settings and deployment mechanisms, these will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts.
+While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts.
 
-## Traditional deployment: 
+## Traditional deployment
 
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
 
-With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
+With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important, and will continue to be available to organizations that need them.
 
-The traditional deployment scenario can be divided into different sub-scenarios. These are explained in detail in the following sections, but the following provides a brief summary:
+The traditional deployment scenario can be divided into different sub-scenarios. These sub-scenarios are explained in detail in the following sections, but the following list provides a brief summary:
 
--   **New computer.** A bare-metal deployment of a new machine.
--   **Computer refresh.** A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
--   **Computer replace.** A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
+- **New computer**: A bare-metal deployment of a new machine.
+- **Computer refresh**: A reinstall of the same machine (with user-state migration and an optional full Windows Imaging (WIM) image backup).
+- **Computer replace**: A replacement of the old machine with a new machine (with user-state migration and an optional full WIM image backup).
 
 ### New computer
 
@@ -138,15 +140,15 @@ Also called a "bare metal" deployment. This scenario occurs when you have a blan
 
 The deployment process for the new machine scenario is as follows:
 
-1.  Start the setup from boot media (CD, USB, ISO, or PXE).
+1. Start the setup from boot media (CD, USB, ISO, or PXE).
 
-2.  Wipe the hard disk clean and create new volume(s).
+2. Wipe the hard disk clean and create new volume(s).
 
-3.  Install the operating system image.
+3. Install the operating system image.
 
-4.  Install other applications (as part of the task sequence).
+4. Install other applications (as part of the task sequence).
 
-After taking these steps, the computer is ready for use.
+After you follow these steps, the computer is ready for use.
 
 ### Computer refresh
 
@@ -154,37 +156,37 @@ A refresh is sometimes called wipe-and-load. The process is normally initiated i
 
 The deployment process for the wipe-and-load scenario is as follows:
 
-1.  Start the setup on a running operating system.
+1. Start the setup on a running operating system.
 
-2.  Save the user state locally.
+2. Save the user state locally.
 
-3.  Wipe the hard disk clean (except for the folder containing the backup).
+3. Wipe the hard disk clean (except for the folder containing the backup).
 
-4.  Install the operating system image.
+4. Install the operating system image.
 
-5.  Install other applications.
+5. Install other applications.
 
-6.  Restore the user state.
+6. Restore the user state.
 
-After taking these steps, the machine is ready for use.
+After you follow these steps, the machine is ready for use.
 
 ### Computer replace
 
-A computer replace is similar to the refresh scenario. However, since we are replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
+A computer replace is similar to the refresh scenario. However, since we're replacing the machine, we divide this scenario into two main tasks: backup of the old client and bare-metal deployment of the new client. As with the refresh scenario, user data and settings are backed up and restored.
 
 The deployment process for the replace scenario is as follows:
 
-1.  Save the user state (data and settings) on the server through a backup job on the running operating system.
+1. Save the user state (data and settings) on the server through a backup job on the running operating system.
 
-2.  Deploy the new computer as a bare-metal deployment.
+2. Deploy the new computer as a bare-metal deployment.
 
     > [!NOTE]
     > In some situations, you can use the replace scenario even if the target is the same machine. For example, you can use replace if you want to modify the disk layout from the master boot record (MBR) to the GUID partition table (GPT), which will allow you to take advantage of the Unified Extensible Firmware Interface (UEFI) functionality. You can also use replace if the disk needs to be repartitioned since user data needs to be transferred off the disk.
 
-## Related topics
+## Related articles
 
 - [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
+- [Upgrade to Windows 10 with Microsoft Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md)
 - [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md)
 - [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
 - [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference)
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index e135d2415d..fec86dadb3 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -1,25 +1,26 @@
 ---
 title: Windows 10 deployment tools reference
-description: Learn about the tools available to deploy Windows 10, like Volume Activation Management Tool (VAMT) and User State Migration Tool (USMT).
+description: Learn about the tools available to deploy Windows 10, like Volume Activation Management Tool (VAMT) and User State Migration Tool (USMT).
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
-ms.prod: w10
-ms.date: 07/12/2017
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.prod: windows-client
+ms.date: 10/31/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Windows 10 deployment tools reference
 
-Learn about the tools available to deploy Windows 10.
+Learn about the tools available to deploy Windows 10.
 
-|Topic |Description |
+|Article |Description |
 |------|------------|
-|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. |
-|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
+|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it's essential that you know about the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment. |
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This article provides detailed instructions for using the MBR2GPT partition conversion tool. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
-|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
+|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. |
 |[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows&reg;, Microsoft&reg; Office, and select other Microsoft products volume and retail-activation process. |
-|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
+|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index a37d1cd3d0..e20b0e50ff 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -2,24 +2,25 @@
 title: Windows 10 deployment tools
 description: Learn how to use Windows 10 deployment tools to successfully deploy Windows 10 to your organization.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
-ms.prod: w10
-ms.date: 10/16/2017
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.prod: windows-client
+ms.date: 10/31/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Windows 10 deployment tools
 
-Learn about the tools available to deploy Windows 10.
+Learn about the tools available to deploy Windows 10.
 
-|Topic |Description |
+|Article |Description |
 |------|------------|
-|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. |
-|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
+|[Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) |To successfully deploy the Windows 10 operating system and applications for your organization, it's essential that you know about the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment. |
+|[Convert MBR partition to GPT](mbr-to-gpt.md) |This article provides detailed instructions for using the MBR2GPT partition conversion tool. |
 |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
 |[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
-|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
+|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This article helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you've reviewed the articles [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this article to start your Windows To Go deployment. |
 |[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows&reg;, Microsoft&reg; Office, and select other Microsoft products volume and retail-activation process. |
-|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
+|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 69e99173d4..972ef1adaf 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -1,128 +1,127 @@
 ---
 title: Windows 10/11 Enterprise E3 in CSP
 description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-ms.date: 09/28/2021
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
-ms.collection:
+ms.date: 11/23/2022
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.collection: 
   - M365-modern-desktop
-  - highpri
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Windows 10/11 Enterprise E3 in CSP
 
-Applies to:
+*Applies to:*
+
 - Windows 10
 - Windows 11
 
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.  
+Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
 
-Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
+Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
 
--   Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
--   Azure Active Directory (Azure AD) available for identity management
+- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
+- Azure Active Directory (Azure AD) available for identity management
 
-You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before — with no keys, and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
+You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
 
-Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
+Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
 
-When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
+When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
 
--   **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).
--   **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
--   **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
--   **Roll back to Windows 10/11 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
--   **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
--   **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
+- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit doesn't include Long Term Service Branch (LTSB).
+- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program doesn't have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
+- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
+- **Roll back to Windows 10/11 Pro at any time**. When a user's subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
+- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
+- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
 
-How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
+How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
 
--   [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
--   [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
+- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
+- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
 
-    -   **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
-    -   **Training**. These benefits include training vouchers, online e-learning, and a home use program.
-    -   **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
-    -   **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
+  - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
+  - **Training**. These benefits include training vouchers, online e-learning, and a home use program.
+  - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
+  - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
 
-    In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
+    In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
 
-In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11.
+In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11.
 
-## Compare Windows 10 Pro and Enterprise editions
+## Compare Windows 10 Pro and Enterprise editions
 
 > [!NOTE]
 > The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available.
 
-Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
+Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
 
-*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro*
+### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
 
 |Feature|Description|
 |--- |--- |
-|Credential Guard|This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<p>Credential Guard has the following features:<li>**Hardware-level security**.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security**.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats**.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability**.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<p>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<p>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
-|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<p>Device Guard does the following:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<p>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
-|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<p>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
-|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<p>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
-|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<p>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<p>UE-V provides the ability to do the following:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<p>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
-|Managed User Experience|This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
+|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** -  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
+|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
+|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
+|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
+|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
+|Managed User Experience|This feature helps customize and lock down a Windows device's user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as:<li>Removing and preventing access to the Shut Down, Restart, Sleep, and Hibernate commands<li>Removing Log Off (the User tile) from the Start menu<li>Removing frequent programs from the Start menu<li>Removing the All Programs list from the Start menu<li>Preventing users from customizing their Start screen<li>Forcing Start menu to be either full-screen size or menu size<li>Preventing changes to Taskbar and Start menu settings|
 
 ## Deployment of Windows 10/11 Enterprise E3 licenses
 
 See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
 
-## Deploy Windows 10/11 Enterprise features
+## Deploy Windows 10/11 Enterprise features
 
-Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)?
+Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-10-pro-and-enterprise-editions)?
 
-The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features.
+The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features.
 
 ### Credential Guard
 
 > [!NOTE]
 > Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present).
 
-You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
+You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
 
--   **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
+- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
 
--   **Manual**. You can manually turn on Credential Guard by doing the following:
+- **Manual**. You can manually turn on Credential Guard by taking one of the following actions:
 
-    -   Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
+  - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM).
 
-    -   Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+  - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
 
-    You can automate these manual steps by using a management tool such as Microsoft Endpoint Configuration Manager.
+    You can automate these manual steps by using a management tool such as Microsoft Configuration Manager.
 
 For more information about implementing Credential Guard, see the following resources:
 
--   [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
--   [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
--   [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
-
-
+- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
+- [PC OEM requirements for Device Guard and Credential Guard](/windows-hardware/design/device-experiences/oem-security-considerations)
+- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337)
 
 ### Device Guard
 
-Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
+Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
 
-1.  **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate.
+1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To sign catalog files or code integrity policies internally, you'll either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you'll need to create a code signing certificate.
 
-2.  **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
+2. **Create code integrity policies from "golden" computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up "golden" computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each "golden" computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
 
-3.  **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
+3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use "audit mode" to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
 
-4.  **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
+4. **Create a "catalog file" for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy.
 
-5.  **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
+5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies.
 
-6.  **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
+6. **Deploy code integrity policies and catalog files**. After you confirm that you've completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly.
 
-7.  **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
+7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies.
 
 For more information about implementing Device Guard, see:
 
@@ -131,7 +130,7 @@ For more information about implementing Device Guard, see:
 
 ### AppLocker management
 
-You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10/11 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
+You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that you have AD DS and that the Windows 10/11 Enterprise devices are joined to your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
 
 For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide).
 
@@ -139,20 +138,21 @@ For more information about AppLocker management by using Group Policy, see [AppL
 
 App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that you must have are as follows:
 
--   **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
+- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server.
 
--   **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
+- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
 
--   **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
+- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
 
 For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
 
--   [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
--   [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
--   [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
+- [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started)
+- [Deploying the App-V server](/windows/application-management/app-v/appv-deploying-the-appv-server)
+- [Deploying the App-V Sequencer and Configuring the Client](/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client)
 
 ### UE-V
-UE-V requires server- and client-side components that you’ll need to download, activate, and install. These components include:
+
+UE-V requires server and client-side components that you'll need to download, activate, and install. These components include:
 
 - **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices.
 
@@ -160,7 +160,7 @@ UE-V requires server- and client-side components that you’ll need to download,
 
 - **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings.
 
-- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications.
+- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates aren't required for Windows applications.
 
 - **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications.
 
@@ -172,20 +172,20 @@ For more information about deploying UE-V, see the following resources:
 
 ### Managed User Experience
 
-The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
+The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain.
 
-*Table 2. Managed User Experience features*
+#### Table 2. Managed User Experience features
 
 | Feature          | Description     |
 |------------------|-----------------|
-| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.<br>For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
-| Unbranded boot             | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot).       |
-| Custom logon               | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).                        |
-| Shell launcher             | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher).     |
-| Keyboard filter            | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).    |
-| Unified write filter       | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter).    |
+| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. The XML file enables you to customize Start layouts for different departments or organizations, with minimal management overhead.<br>For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
+| Unbranded boot             | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it can't recover.<br>For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
+| Custom logon               | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.<br>For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
+| Shell launcher             | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.<br>For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
+| Keyboard filter            | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This isn't desirable on devices intended for a dedicated purpose.<br>For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
+| Unified write filter       | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.<br>For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
 
-## Related topics
+## Related articles
 
 [Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)<br>
 [Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)<br>
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 7740f7c09f..66d08877b8 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -1,35 +1,35 @@
 ---
 title: Windows 10 volume license media
 description: Learn about volume license media in Windows 10, and channels such as the Volume License Service Center (VLSC).
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-ms.date: 10/20/2017
+ms.date: 11/23/2022
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Windows 10 volume license media
 
+*Applies to:*
 
-**Applies to**
+- Windows 10
 
--   Windows 10
-
-With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
+With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This article provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10.
 
 ## Windows 10 media
 
-To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.”  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions.
+To download Windows 10 installation media from the VLSC, use the product search filter to find "Windows 10."  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions.
 
-When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness).
+When you select a product, for example "Windows 10 Enterprise" or "Windows 10 Education", you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness).
 
 > [!NOTE]
 > If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx).
 
-Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. 
+Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together.
 
 ### Language packs
 
@@ -39,18 +39,12 @@ Instead of having separate media and packages for Windows 10 Pro (volume licensi
 
 [Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
 
-Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image.
+Features on demand is a method for adding features to your Windows 10 image that aren't included in the base operating system image.
 
-
-## Related topics
+## Related articles
 
 [Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
 <br>[Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
 <br>[Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
 <br>[VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
 <br>[Download and burn an ISO file on the volume licensing site (VLSC)](/troubleshoot/windows-client/deployment/iso-file-on-vlsc)
-
-
- 
-
- 
diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md
index 920d673e67..364c23a213 100644
--- a/windows/deployment/windows-10-missing-fonts.md
+++ b/windows/deployment/windows-10-missing-fonts.md
@@ -1,59 +1,63 @@
 ---
 title: How to install fonts missing after upgrading to Windows client
 description: Some of the fonts are missing from the system after you upgrade to Windows client.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.topic: article
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 # How to install fonts that are missing after upgrading to Windows client
 
-**Applies to**
+*Applies to:*
 
-- Windows 10
+- Windows 10
 - Windows 11
 
-When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10 or Windows 11, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows client. If you install a fresh instance of Windows client, or upgrade an older version of Windows to Windows client, these optional features are not enabled by default. As a result, these fonts appear to be missing from the system.
+When you upgrade from the Windows 7, Windows 8, or Windows 8.1 operating system to Windows 10 or Windows 11, certain fonts are no longer available by default post-upgrade. To reduce the operating system footprint, improve performance, and optimize disk space usage, we moved many of the fonts that were previously shipped with prior versions of Windows to the optional features of Windows client. If you install a fresh instance of Windows client, or upgrade an older version of Windows to Windows client, these optional features aren't enabled by default. As a result, these fonts appear to be missing from the system.
 
 If you have documents created using the missing fonts, these documents might display differently on Windows client.
 
-For example, if you have an English (or French, German, or Spanish) version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing:
+For example, if you've an English, French, German, or Spanish version of Windows 10 installed, you might notice that fonts such as the following are appear to be missing:
 
-- Gautami
-- Meiryo
-- Narkism/Batang
-- BatangChe
-- Dotum
-- DotumChe
-- Gulim
-- GulimChe
-- Gungsuh
-- GungsuhChe
+- `Gautami`
+- `Meiryo`
+- `Narkism/Batang`
+- `BatangChe`
+- `Dotum`
+- `DotumChe`
+- `Gulim`
+- `GulimChe`
+- `Gungsuh`
+- `GungsuhChe`
 
-If you want to use these fonts, you can enable the optional feature to add them back to your system. This is a permanent change in behavior for Windows client, and it will remain this way in future releases.
+If you want to use these fonts, you can enable the optional feature to add them back to your system. The removal of these fonts is a permanent change in behavior for Windows client, and it will remain this way in future releases.
 
-## Installing language-associated features via language settings:
+## Installing language-associated features via language settings
 
-If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app.
+If you want to use the fonts from the optional feature and you know that you'll want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. Use the Settings app.
 
 For example, here are the steps to install the fonts associated with the Hebrew language:
 
 1. Select **Start > Settings**.
 
-2. In **Settings**, select **Time & language**, and then select **Region & language**.
+2. For Windows 10, in **Settings**, select **Time & language**, and then select **Region & language**.
 
-3. If Hebrew is not included in the list of languages, select the plus sign (**+**) to add a language.
+   For Windows 11, in **Settings**, select **Time & language**, and then select **Language & Region**.
+
+3. If Hebrew isn't included in the list of languages, select the plus sign (**+**) to add a language.
 
 4. Find **Hebrew**, and then select it to add it to your language list.
 
-Once you have added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This process should only take a few minutes.
+Once you've added Hebrew to your language list, then the optional Hebrew font feature and other optional features for Hebrew language support are installed. This process should only take a few minutes.
 
 > [!NOTE]
 > The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
 
-## Install optional fonts manually without changing language settings:
+## Install optional fonts manually without changing language settings
 
 If you want to use fonts in an optional feature but don't need to search web pages, edit documents, or use apps in the associated language, you can install the optional font features manually without changing your language settings.
 
@@ -70,34 +74,34 @@ For example, here are the steps to install the fonts associated with the Hebrew
 > [!NOTE]
 > The optional features are installed by Windows Update. You need to be online for the Windows Update service to work.
 
-## Fonts included in optional font features
+## Fonts included in optional font features
 
-Here is a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles.
+Here's a comprehensive list of the font families in each of the optional features. Some font families might include multiple fonts for different weights and styles.
 
-- Arabic Script Supplemental Fonts: Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting
-- Bangla Script Supplemental Fonts: Shonar Bangla, Vrinda
-- Canadian Aboriginal Syllabics Supplemental Fonts: Euphemia
-- Cherokee Supplemental Fonts: Plantagenet Cherokee
-- Chinese (Simplified) Supplemental Fonts: DengXian, FangSong, KaiTi, SimHei
-- Chinese (Traditional) Supplemental Fonts: DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU
-- Devanagari Supplemental Fonts: Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah
-- Ethiopic Supplemental Fonts: Nyala
-- Gujarati Supplemental Fonts: Shruti
-- Gurmukhi Supplemental Fonts: Raavi
-- Hebrew Supplemental Fonts: Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod
-- Japanese Supplemental Fonts: Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho
-- Kannada Supplemental Fonts: Tunga
-- Khmer Supplemental Fonts: DaunPenh, Khmer UI, MoolBoran
-- Korean Supplemental Fonts: Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe
-- Lao Supplemental Fonts: DokChampa, Lao UI
-- Malayalam Supplemental Fonts: Karthika
-- Odia Supplemental Fonts: Kalinga
-- Pan-European Supplemental Fonts: Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro
-- Sinhala Supplemental Fonts: Iskoola Pota
-- Syriac Supplemental Fonts: Estrangelo Edessa
-- Tamil Supplemental Fonts: Latha, Vijaya
-- Telugu Supplemental Fonts: Gautami, Vani
-- Thai Supplemental Fonts: Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC
+- Arabic Script Supplemental Fonts: `Aldhabi, Andalus, Arabic Typesetting, Microsoft Uighur, Sakkal Majalla, Simplified Arabic, Traditional Arabic, Urdu Typesetting`
+- Bangla Script Supplemental Fonts: `Shonar Bangla, Vrinda`
+- Canadian Aboriginal Syllabics Supplemental Fonts: `Euphemia`
+- Cherokee Supplemental Fonts: `Plantagenet Cherokee`
+- Chinese (Simplified) Supplemental Fonts: `DengXian, FangSong, KaiTi, SimHei`
+- Chinese (Traditional) Supplemental Fonts: `DFKai-SB, MingLiU, MingLiU_HKSCS, PMingLiU`
+- Devanagari Supplemental Fonts: `Aparajita, Kokila, Mangal, Sanskrit Text, Utsaah`
+- Ethiopic Supplemental Fonts: `Nyala`
+- Gujarati Supplemental Fonts: `Shruti`
+- Gurmukhi Supplemental Fonts: `Raavi`
+- Hebrew Supplemental Fonts: `Aharoni Bold, David, FrankRuehl, Gisha, Levanim MT, Miriam, Miriam Fixed, Narkism, Rod`
+- Japanese Supplemental Fonts: `Meiryo, Meiryo UI, MS Gothic, MS PGothic, MS UI Gothic, MS Mincho, MS PMincho, Yu Mincho`
+- Kannada Supplemental Fonts: `Tunga`
+- Khmer Supplemental Fonts: `DaunPenh, Khmer UI, MoolBoran`
+- Korean Supplemental Fonts: `Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe`
+- Lao Supplemental Fonts: `DokChampa, Lao UI`
+- Malayalam Supplemental Fonts: `Karthika`
+- Odia Supplemental Fonts: `Kalinga`
+- Pan-European Supplemental Fonts: `Arial Nova, Georgia Pro, Gill Sans Nova, Neue Haas Grotesk, Rockwell Nova, Verdana Pro`
+- Sinhala Supplemental Fonts: `Iskoola Pota`
+- Syriac Supplemental Fonts: `Estrangelo Edessa`
+- Tamil Supplemental Fonts: `Latha, Vijaya`
+- Telugu Supplemental Fonts: `Gautami, Vani`
+- Thai Supplemental Fonts: `Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DilleniaUPC, EucrosiaUPC, FreesiaUPC, IrisUPC, JasmineUPC, KodchiangUPC, Leelawadee, LilyUPC`
 
 ## Related articles
 
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index fda363bfff..3741412fbb 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -1,35 +1,39 @@
 ---
 title: Step by step - Deploy Windows 10 in a test lab using MDT
 description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-ms.date: 10/11/2017
+ms.date: 11/23/2022
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
 ms.topic: how-to
+ms.technology: itpro-deploy
 ---
 
 # Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
 
-**Applies to**
+*Applies to:*
 
--   Windows 10
+- Windows 10
 
 > [!IMPORTANT]
-> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide: 
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-
-Please complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
-- [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
+>
+> [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
+>
+> Complete all steps in the prerequisite guide before starting this guide. This guide requires about 5 hours to complete, but can require less time or more time depending on the speed of the Hyper-V host. After completing the current guide, also see the companion guide:
+>
+> [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
 
 The PoC environment is a virtual network running on Hyper-V with three virtual machines (VMs):
+
 - **DC1**: A contoso.com domain controller, DNS server, and DHCP server.
 - **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
 - **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
 
-This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
+This guide uses the Hyper-V server role. If you don't complete all steps in a single session, consider using [checkpoints](/virtualization/hyper-v-on-windows/user-guide/checkpoints) to pause, resume, or restart your work.
 
 ## In this guide
 
@@ -49,10 +53,13 @@ Topics and procedures in this guide are summarized in the following table. An es
 
 ## About MDT
 
-MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods. 
+MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch Installation (ZTI), and User-Driven Installation (UDI) deployment methods.
+
 - LTI is the deployment method used in the current guide, requiring only MDT and performed with a minimum amount of user interaction.
-- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Endpoint Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
-- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Endpoint Configuration Manager. 
+
+- ZTI is fully automated, requiring no user interaction and is performed using MDT and Microsoft Configuration Manager. After completing the steps in the current guide, see [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md) to use the ZTI deployment method in the PoC environment.
+
+- UDI requires manual intervention to respond to installation prompts such as machine name, password and language settings. UDI requires MDT and Microsoft Configuration Manager.
 
 ## Install MDT
 
@@ -79,16 +86,17 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
 
 A reference image serves as the foundation for Windows 10 devices in your organization.
 
-1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1.  To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+1. In [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md), the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1.  To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
 
     ```powershell
     Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
     ```
+
 2. On SRV1, verify that the Windows Enterprise installation DVD is mounted as drive letter D.
 
-3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, click **Start**, type **deployment**, and then click **Deployment Workbench**.
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
 
-4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then click **Pin this program to the taskbar**.
+4. To enable quick access to the application, right-click **Deployment Workbench** on the taskbar and then select **Pin this program to the taskbar**.
 
 5. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
 
@@ -96,65 +104,64 @@ A reference image serves as the foundation for Windows 10 devices in your organi
     - Deployment share path: **C:\MDTBuildLab**<BR>
     - Share name: **MDTBuildLab$**<BR>
     - Deployment share description: **MDT build lab**<BR>
-    - Options: click **Next** to accept the default<BR>
-    - Summary: click **Next**<BR>
+    - Options: Select **Next** to accept the default<BR>
+    - Summary: Select **Next**<BR>
     - Progress: settings will be applied<BR>
-    - Confirmation: click **Finish**
-
+    - Confirmation: Select **Finish**
 
 7. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
 
-8. Right-click the **Operating Systems** node, and then click **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and click **Finish**.
+8. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
 
-9. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+9. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
 
-10. Use the following settings for the Import Operating System Wizard: 
+10. Use the following settings for the Import Operating System Wizard:
     - OS Type: **Full set of source files**<BR>
     - Source: **D:\\** <BR>
     - Destination: **W10Ent_x64**<BR>
-    - Summary: click **Next**
+    - Summary: Select **Next**
     - Progress: wait for files to be copied
-    - Confirmation: click **Finish**
+    - Confirmation: Select **Finish**
 
-    For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+    For purposes of this test lab, we'll only add the prerequisite .NET Framework feature. Commercial applications (ex: Microsoft Office) won't be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) article.
+
+11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
 
-11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
     - Task sequence ID: **REFW10X64-001**<BR>
     - Task sequence name: **Windows 10 Enterprise x64 Default Image** <BR>
     - Task sequence comments: **Reference Build**<BR>
     - Template: **Standard Client Task Sequence**
-    - Select OS: click **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
+    - Select OS: Select **Windows 10 Enterprise Evaluation in W10Ent_x64 install.wim**
     - Specify Product Key: **Do not specify a product key at this time**
     - Full Name: **Contoso**
     - Organization: **Contoso**
     - Internet Explorer home page: `http://www.contoso.com`
     - Admin Password: **Do not specify an Administrator password at this time**
-    - Summary: click **Next**
-    - Confirmation: click **Finish**
-
+    - Summary: Select **Next**
+    - Confirmation: Select **Finish**
 
 12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
 
-13. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**.
+13. Select the **Task Sequence** tab. Under **State Restore** select **Tattoo** to highlight it, then select **Add** and choose **New Group**.
 
-14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. Click another location in the window to see the name change.
+14. On the Properties tab of the group that was created in the previous step, change the Name from **New Group** to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. Select another location in the window to see the name change.
 
-15. Click the **Custom Tasks (Pre-Windows Update)** group again, click **Add**, point to **Roles**, and then click **Install Roles and Features**.
+15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
 
-16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then click **Apply**.
+16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
 
 17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
-    
+
     > [!NOTE]
     > Since we are not installing applications in this test lab, there is no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you are also installing applications.
 
-18. Click **OK** to complete editing the task sequence.
+18. Select **OK** to complete editing the task sequence.
 
-19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and click **Properties**, and then click the **Rules** tab.
+19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click **MDT build lab (C:\MDTBuildLab)** and select **Properties**, and then select the **Rules** tab.
 
 20. Replace the default rules with the following text:
 
-    ```text
+    ```ini
     [Settings]
     Priority=Default
 
@@ -187,9 +194,9 @@ A reference image serves as the foundation for Windows 10 devices in your organi
     SkipFinalSummary=NO
     ```
 
-21. Click **Apply** and then click **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
 
-    ```text
+    ```ini
     [Settings]
     Priority=Default
 
@@ -201,18 +208,18 @@ A reference image serves as the foundation for Windows 10 devices in your organi
     SkipBDDWelcome=YES
     ```
 
-22. Click **OK** to complete the configuration of the deployment share.
+22. Select **OK** to complete the configuration of the deployment share.
 
-23. Right-click **MDT build lab (C:\MDTBuildLab)** and then click **Update Deployment Share**.
+23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
 
-24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice.  The update process will take 5 to 10 minutes. When it has completed, click **Finish**.
+24. Accept all default values in the Update Deployment Share Wizard by clicking **Next** twice.  The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
 
-25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. Note that in MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
 
     > [!TIP]
     > To copy the file, right-click the **LiteTouchPE_x86.iso** file and click **Copy** on SRV1, then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder and click **Paste**.
 
-26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
 
     ```powershell
     New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@@ -221,86 +228,87 @@ A reference image serves as the foundation for Windows 10 devices in your organi
     Start-VM REFW10X64-001
     vmconnect localhost REFW10X64-001
     ```
-    
-    The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file. 
 
-27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then click **Next**.
+    The VM will require a few minutes to prepare devices and boot from the LiteTouchPE_x86.iso file.
 
-28. Accept the default values on the Capture Image page, and click **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (do not press a key). The process is fully automated.
+27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
 
-	Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
+28. Accept the default values on the Capture Image page, and select **Next**. Operating system installation will complete after 5 to 10 minutes, and then the VM will reboot automatically. Allow the system to boot normally (don't press a key). The process is fully automated.
 
-	- Install the Windows 10 Enterprise operating system.
-	- Install added applications, roles, and features.
-	- Update the operating system using Windows Update (or WSUS if optionally specified).
-	- Stage Windows PE on the local disk.
-	- Run System Preparation (Sysprep) and reboot into Windows PE.
-	- Capture the installation to a Windows Imaging (WIM) file.
-	- Turn off the virtual machine.<BR><BR>
+    Additional system restarts will occur to complete updating and preparing the operating system. Setup will complete the following procedures:
 
-    This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
+    - Install the Windows 10 Enterprise operating system.
+    - Install added applications, roles, and features.
+    - Update the operating system using Windows Update (or WSUS if optionally specified).
+    - Stage Windows PE on the local disk.
+    - Run System Preparation (Sysprep) and reboot into Windows PE.
+    - Capture the installation to a Windows Imaging (WIM) file.
+    - Turn off the virtual machine.<BR><BR>
+
+    This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host. After some time, you'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on your deployment server (SRV1). The file name is **REFW10X64-001.wim**.
 
 ## Deploy a Windows 10 image using MDT
 
 This procedure will demonstrate how to deploy the reference image to the PoC environment using MDT.
 
-1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then click **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
+1. On SRV1, open the MDT Deployment Workbench console, right-click **Deployment Shares**, and then select **New Deployment Share**. Use the following values in the New Deployment Share Wizard:
+
      - **Deployment share path**: C:\MDTProd
      - **Share name**: MDTProd$
      - **Deployment share description**: MDT Production
      - **Options**: accept the default
 
+2. Select **Next**, verify the new deployment share was added successfully, then select **Finish**.
 
-2. Click **Next**, verify the new deployment share was added successfully, then click **Finish**.
+3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then select **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
 
-3. In the Deployment Workbench console, expand the MDT Production deployment share, right-click **Operating Systems**, and then click **New Folder**. Name the new folder **Windows 10** and complete the wizard using default values.
+4. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
 
-4. Right-click the **Windows 10** folder created in the previous step, and then click **Import Operating System**.
+5. On the **OS Type** page, choose **Custom image file** and then select **Next**.
 
-5. On the **OS Type** page, choose **Custom image file** and then click **Next**.
+6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, select **Open**, and then select **Next**.
 
-6. On the Image page, browse to the **C:\MDTBuildLab\Captures\REFW10X64-001.wim** file created in the previous procedure, click **Open**, and then click **Next**.
+7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**.
 
-7. On the Setup page, select **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path**. 
+8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** select **OK** and then select **Next**.
 
-8. Under **Setup source directory**, browse to **C:\MDTBuildLab\Operating Systems\W10Ent_x64** click **OK** and then click **Next**.
+9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, select **Next** twice, wait for the import process to complete, and then select **Finish**.
 
-9. On the Destination page, accept the default Destination directory name of **REFW10X64-001**, click **Next** twice, wait for the import process to complete, and then click **Finish**.
-
-10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
+10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then select **OK**. See the following example:
 
     ![custom image.](images/image.png)
 
-
 ### Create the deployment task sequence
 
-1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, click **New Folder** and create a folder with the name: **Windows 10**.
+1. Using the Deployment Workbench, right-click **Task Sequences** under the **MDT Production** node, select **New Folder** and create a folder with the name: **Windows 10**.
+
+2. Right-click the **Windows 10** folder created in the previous step, and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
 
-2. Right-click the **Windows 10** folder created in the previous step, and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
     - Task sequence ID: W10-X64-001
     - Task sequence name: Windows 10 Enterprise x64 Custom Image
     - Task sequence comments: Production Image
     - Select Template: Standard Client Task Sequence
     - Select OS: Windows 10 Enterprise x64 Custom Image
-    - Specify Product Key: Do not specify a product key at this time
+    - Specify Product Key: Don't specify a product key at this time
     - Full Name: Contoso
     - Organization: Contoso
-    - Internet Explorer home page: http://www.contoso.com
-    - Admin Password: pass@word1 
-    
+    - Internet Explorer home page: `http://www.contoso.com`
+    - Admin Password: pass@word1
+
 ### Configure the MDT production deployment share
 
-1. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
+1. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
 
     ```powershell
     copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
     copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
-    ``` 
-2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then click **Properties**.
+    ```
 
-3. Click the **Rules** tab and replace the rules with the following text (don't click OK yet):
+2. In the Deployment Workbench console on SRV1, right-click the **MDT Production** deployment share and then select **Properties**.
 
-    ```text
+3. Select the **Rules** tab and replace the rules with the following text (don't select OK yet):
+
+    ```ini
     [Settings]
     Priority=Default
     
@@ -339,26 +347,26 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
     > [!NOTE]
     > The contents of the Rules tab are added to c:\MDTProd\Control\CustomSettings.ini.
-    
-    In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
 
-    If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
+    In this example, a **MachineObjectOU** entry isn't provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab, clients are added to the default computers OU, which requires that this parameter be unspecified.
 
-    ```console
+    If desired, edit the following line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (`ue`) all users except for CONTOSO users specified by the user include option (ui):
+
+    ```cmd
     ScanStateArgs=/ue:*\* /ui:CONTOSO\*
     ```
 
-    For example, to migrate **all** users on the computer, replace this line with the following:
+    For example, to migrate **all** users on the computer, replace this line with the following line:
 
-    ```console
+    ```cmd
     ScanStateArgs=/all
     ```
 
     For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax).
 
-4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
+4. Select **Edit Bootstap.ini** and replace text in the file with the following text:
 
-    ```text
+    ```ini
     [Settings]
     Priority=Default
     
@@ -370,23 +378,23 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
     SkipBDDWelcome=YES
     ```
 
-5. Click **OK** when finished. 
+5. Select **OK** when finished.
 
 ### Update the deployment share
 
-1. Right-click the **MDT Production** deployment share and then click **Update Deployment Share**.
+1. Right-click the **MDT Production** deployment share and then select **Update Deployment Share**.
 
 2. Use the default options for the Update Deployment Share Wizard. The update process requires 5 to 10 minutes to complete.
 
-3. Click **Finish** when the update is complete.
+3. Select **Finish** when the update is complete.
 
 ### Enable deployment monitoring
 
-1. In the Deployment Workbench console, right-click **MDT Production** and then click **Properties**.
+1. In the Deployment Workbench console, right-click **MDT Production** and then select **Properties**.
 
-2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
+2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
 
-3. Verify the monitoring service is working as expected by opening the following link on SRV1: `http://localhost:9800/MDTMonitorEvent/`. If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring).
+3. Verify the monitoring service is working as expected by opening the following link on SRV1: `http://localhost:9800/MDTMonitorEvent/`. If you don't see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring).
 
 4. Close Internet Explorer.
 
@@ -394,25 +402,25 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 1. Initialize Windows Deployment Services (WDS) by typing the following command at an elevated Windows PowerShell prompt on SRV1:
 
-    ```powershell
-    WDSUTIL /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
-    WDSUTIL /Set-Server /AnswerClients:All
+    ```cmd
+    WDSUTIL.exe /Verbose /Progress /Initialize-Server /Server:SRV1 /RemInst:"C:\RemoteInstall"
+    WDSUTIL.exe /Set-Server /AnswerClients:All
     ```
 
-2. Click **Start**, type **Windows Deployment**, and then click **Windows Deployment Services**.
+2. Select **Start**, type **Windows Deployment**, and then select **Windows Deployment Services**.
 
-3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then click **Add Boot Image**.
+3. In the Windows Deployment Services console, expand **Servers**, expand **SRV1.contoso.com**, right-click **Boot Images**, and then select **Add Boot Image**.
 
-4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, click **Open**, click **Next**, and accept the defaults in the Add Image Wizard. Click **Finish** to complete adding a boot image.
+4. Browse to the **C:\MDTProd\Boot\LiteTouchPE_x64.wim** file, select **Open**, select **Next**, and accept the defaults in the Add Image Wizard. Select **Finish** to complete adding a boot image.
 
 ### Deploy the client image
 
-1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This is just an artifact of the lab environment. In a typical deployment environment WDS would not be installed on the default gateway. 
+1. Before using WDS to deploy a client image, you must temporarily disable the external network adapter on SRV1. This configuration is just an artifact of the lab environment. In a typical deployment environment WDS wouldn't be installed on the default gateway.
 
     > [!NOTE]
-    > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, type **Get-NetIPAddress | ft interfacealias, ipaddress**
-    
-    Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and type the following command:
+    > Do not disable the *internal* network interface. To quickly view IP addresses and interface names configured on the VM, enter **`Get-NetIPAddress | ft interfacealias, ipaddress** in a PowerShell prompt.
+
+    Assuming the external interface is named "Ethernet 2", to disable the *external* interface on SRV1, open a Windows PowerShell prompt on SRV1 and enter the following command:
 
     ```powershell
     Disable-NetAdapter "Ethernet 2" -Confirm:$false
@@ -420,15 +428,14 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
     >Wait until the disable-netadapter command completes before proceeding.
 
-
-2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt:
+2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, enter the following commands at an elevated Windows PowerShell prompt:
 
     ```powershell
-    New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+    New-VM -Name "PC2" -NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
     Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20
     ```
 
-    Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle.
+    Dynamic memory is configured on the VM to conserve resources. However, dynamic memory can cause memory allocation to be reduced below what is required to install an operating system. If memory is reduced below what is required, reset the VM and begin the OS installation task sequence immediately. The reset ensures the VM memory allocation isn't decreased too much while it's idle.
 
 3. Start the new VM and connect to it:
 
@@ -439,34 +446,34 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 4. When prompted, hit ENTER to start the network boot process.
 
-5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
+5. In the Windows Deployment Wizard, choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
 
-6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. This is needed so the client can use Windows Update after operating system installation is complete.To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and type the following command:
+6. After MDT lite touch installation has started, be sure to re-enable the external network adapter on SRV1. Re-enabling the external network adapter is needed so the client can use Windows Update after operating system installation is complete. To re-enable the external network interface, open an elevated Windows PowerShell prompt on SRV1 and enter the following command:
 
     ```powershell
     Enable-NetAdapter "Ethernet 2"
     ```
 
-7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
-8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes.  When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
-    
-    ![finish.](images/deploy-finish.png)
+7. On SRV1, in the Deployment Workbench console, select on **Monitoring** and view the status of installation. Right-click **Monitoring** and select **Refresh** if no data is displayed.
 
+8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes.  When the new client computer is finished updating, select **Finish**. You'll be automatically signed in to the local computer as administrator.
+
+    ![finish.](images/deploy-finish.png)
 
 This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
 
 ## Refresh a computer with Windows 10
 
-This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). 
+This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md).
+
+1. If the PC1 VM isn't already running, then start and connect to it:
 
-1. If the PC1 VM is not already running, then start and connect to it:
-    
     ```powershell
     Start-VM PC1
     vmconnect localhost PC1
     ```
 
-2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios.  Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and  performing additional scenarios.  Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     Checkpoint-VM -Name PC1 -SnapshotName BeginState
@@ -474,20 +481,20 @@ This section will demonstrate how to export user data from an existing client co
 
 3. Sign on to PC1 using the CONTOSO\Administrator account.
 
-    Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
+    Specify **contoso\administrator** as the user name to ensure you don't sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share.
 
-4. Open an elevated command prompt on PC1 and type the following:
+4. Open an elevated command prompt on PC1 and enter the following command:
 
-    ```console
-    cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+    ```cmd
+    cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
     ```
 
     > [!NOTE]
     > For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools).
 
-5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
+5. Choose the **Windows 10 Enterprise x64 Custom Image** and then select **Next**.
 
-6. Choose **Do not back up the existing computer** and click **Next**.
+6. Choose **Do not back up the existing computer** and select **Next**.
 
     > [!NOTE]
     > The USMT will still back up the computer.
@@ -502,33 +509,36 @@ This section will demonstrate how to export user data from an existing client co
 
 8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share).
 
-9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     Checkpoint-VM -Name PC1 -SnapshotName RefreshState
     ```
 
-10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+10. Restore the PC1 VM to its previous state in preparation for the replace procedure. To restore a checkpoint, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false
     Start-VM PC1
     vmconnect localhost PC1
     ```
-    
+
 11. Sign in to PC1 using the contoso\administrator account.
 
 ## Replace a computer with Windows 10
 
-At a high level, the computer replace process consists of:<BR>
+At a high level, the computer replace process consists of:
+
 - A special replace task sequence that runs the USMT backup and an optional full Windows Imaging (WIM) backup.<BR>
 - A standard OS deployment on a new computer. At the end of the deployment, the USMT backup from the old computer is restored.
 
 ### Create a backup-only task sequence
 
-1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, click **Properties**, click the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
-2. Click **OK**, right-click **MDT Production**, click **Update Deployment Share** and accept the default options in the wizard to update the share.
-3. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+1. On SRV1, in the deployment workbench console, right-click the MDT Production deployment share, select **Properties**, select the **Rules** tab, and change the line **SkipUserData=YES** to **SkipUserData=NO**.
+
+2. Select **OK**, right-click **MDT Production**, select **Update Deployment Share** and accept the default options in the wizard to update the share.
+
+3. enter the following commands at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     New-Item -Path C:\MigData -ItemType directory
@@ -536,46 +546,57 @@ At a high level, the computer replace process consists of:<BR>
     icacls C:\MigData /grant '"contoso\administrator":(OI)(CI)(M)'
     ```
 
-4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and click **New Folder**.
+4. On SRV1 in the deployment workbench, under **MDT Production**, right-click the **Task Sequences** node, and select **New Folder**.
+
 5. Name the new folder **Other**, and complete the wizard using default options.
-6. Right-click the **Other** folder and then click **New Task Sequence**. Use the following values in the wizard:
+
+6. Right-click the **Other** folder and then select **New Task Sequence**. Use the following values in the wizard:
+
     - **Task sequence ID**: REPLACE-001
     - **Task sequence name**: Backup Only Task Sequence
     - **Task sequence comments**: Run USMT to back up user data and settings
-    - **Template**: Standard Client Replace Task Sequence (note: this is not the default template)
-7. Accept defaults for the rest of the wizard and then click **Finish**. The replace task sequence will skip OS selection and settings.
-8. Open the new task sequence that was created and review it. Note the type of capture and backup tasks that are present. Click **OK** when you are finished reviewing the task sequence.
+    - **Template**: Standard Client Replace Task Sequence (note: this template isn't the default template)
+
+7. Accept defaults for the rest of the wizard and then select **Finish**. The replace task sequence will skip OS selection and settings.
+
+8. Open the new task sequence that was created and review it. Note the enter of capture and backup tasks that are present. Select **OK** when you're finished reviewing the task sequence.
 
 ### Run the backup-only task sequence
 
-1. If you are not already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, type the following command at an elevated command prompt:
+1. If you aren't already signed on to PC1 as **contoso\administrator**, sign in using this account. To verify the currently signed in account, enter the following command at an elevated command prompt:
 
-    ```console
-    whoami
+    ```cmd
+    whoami.exe
     ```
-2. To ensure a clean environment before running the backup task sequence, type the following at an elevated Windows PowerShell prompt on PC1:
+
+2. To ensure a clean environment before running the backup task sequence, enter the following commands at an elevated Windows PowerShell prompt on PC1:
 
     ```powershell
     Remove-Item c:\minint -recurse
     Remove-Item c:\_SMSTaskSequence -recurse
     Restart-Computer
     ```
-3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt:
 
-    ```console
-    cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
+3. Sign in to PC1 using the contoso\administrator account, and then enter the following command at an elevated command prompt:
+
+    ```cmd
+    cscript.exe \\SRV1\MDTProd$\Scripts\Litetouch.vbs
     ```
 
-4. Complete the deployment wizard using the following:
+4. Complete the deployment wizard using the following settings:
+
     - **Task Sequence**: Backup Only Task Sequence
     - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1**
-    - **Computer Backup**: Do not back up the existing computer.
-5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.  
-6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete.
+    - **Computer Backup**: Don't back up the existing computer.
+
+5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and select the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks.  
+
+6. On PC1, verify that **The user state capture was completed successfully** is displayed, and select **Finish** when the capture is complete.
+
 7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example:
 
-    ```powershell
-    PS C:\> dir C:\MigData\PC1\USMT
+    ```cmd
+    dir C:\MigData\PC1\USMT
 
         Directory: C:\MigData\PC1\USMT
 
@@ -584,16 +605,16 @@ At a high level, the computer replace process consists of:<BR>
     -a---          9/6/2016  11:34 AM   14248685 USMT.MIG
     ```
 
-### Deploy PC3 
+### Deploy PC3
 
-1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt:
+1. On the Hyper-V host, enter the following commands at an elevated Windows PowerShell prompt:
 
     ```powershell
-    New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
+    New-VM -Name "PC3" -NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
     Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20
     ```
 
-2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1:
+2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, enter the following command at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     Disable-NetAdapter "Ethernet 2" -Confirm:$false
@@ -601,7 +622,6 @@ At a high level, the computer replace process consists of:<BR>
 
     As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding.
 
-
 3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
      ```powershell
@@ -613,7 +633,7 @@ At a high level, the computer replace process consists of:<BR>
 
 5. On PC3, use the following settings for the Windows Deployment Wizard:
      - **Task Sequence**: Windows 10 Enterprise x64 Custom Image
-     - **Move Data and Settings**: Do not move user data and settings
+     - **Move Data and Settings**: Don't move user data and settings
      - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1**
 
 6. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1:
@@ -624,7 +644,7 @@ At a high level, the computer replace process consists of:<BR>
 
 7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1.
 
-8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**.
+8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, select **Finish**.
 
 9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure.
 
@@ -633,15 +653,16 @@ At a high level, the computer replace process consists of:<BR>
 ## Troubleshooting logs, events, and utilities
 
 Deployment logs are available on the client computer in the following locations:
+
 - Before the image is applied: X:\MININT\SMSOSD\OSDLOGS
 - After the system drive has been formatted: C:\MININT\SMSOSD\OSDLOGS
 - After deployment: %WINDIR%\TEMP\DeploymentLogs
 
-You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
+You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then select **Enable Log**.
 
 Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
 
-## Related Topics
+## Related articles
 
 [Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
 
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 5e58c2a014..46c6a2b39c 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,23 +1,24 @@
 ---
 title: Steps to deploy Windows 10 with Configuration Manager
-description: Learn how to deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager.
-ms.prod: w10
-ms.technology: windows
+description: Learn how to deploy Windows 10 in a test lab using Microsoft Configuration Manager.
+ms.prod: windows-client
+ms.technology: itpro-deploy
 ms.localizationpriority: medium
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
 ms.topic: tutorial
+ms.date: 11/23/2022
 ---
 
 # Deploy Windows 10 in a test lab using Configuration Manager
 
-*Applies to*
+*Applies to:*
 
 - Windows 10
 
-> [!Important]
+> [!IMPORTANT]
 > This guide uses the proof of concept (PoC) environment, and some settings that are configured in the following guides:
 >
 > - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md)
@@ -37,14 +38,14 @@ Multiple features and services are installed on SRV1 in this guide. This configu
 
 ## In this guide
 
-This guide provides end-to-end instructions to install and configure Microsoft Endpoint Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
+This guide provides end-to-end instructions to install and configure Microsoft Configuration Manager, and use it to deploy a Windows 10 image. Depending on the speed of your Hyper-V host, the procedures in this guide will require 6-10 hours to complete.
 
 The procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
 
 |Procedure|Description|Time|
 |--- |--- |--- |
 |[Install prerequisites](#install-prerequisites)|Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.|60 minutes|
-|[Install Microsoft Endpoint Configuration Manager](#install-microsoft-endpoint-configuration-manager)|Download Microsoft Endpoint Configuration Manager, configure prerequisites, and install the package.|45 minutes|
+|[Install Microsoft Configuration Manager](#install-microsoft-configuration-manager)|Download Microsoft Configuration Manager, configure prerequisites, and install the package.|45 minutes|
 |[Download MDOP and install DaRT](#download-mdop-and-install-dart)|Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.|15 minutes|
 |[Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)|Prerequisite procedures to support Zero Touch installation.|60 minutes|
 |[Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)|Use the MDT wizard to create the boot image in Configuration Manager.|20 minutes|
@@ -58,7 +59,7 @@ The procedures in this guide are summarized in the following table. An estimate
 
 ## Install prerequisites
 
-1. Before installing Microsoft Endpoint Configuration Manager, we must install prerequisite services and features. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Before installing Microsoft Configuration Manager, we must install prerequisite services and features. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     Install-WindowsFeature Web-Windows-Auth,Web-ISAPI-Ext,Web-Metabase,Web-WMI,BITS,RDC,NET-Framework-Features,Web-Asp-Net,Web-Asp-Net45,NET-HTTP-Activation,NET-Non-HTTP-Activ
@@ -68,7 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
     > If the request to add features fails, retry the installation by typing the command again.
 
 2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
-3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
+3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso
@@ -76,15 +77,15 @@ The procedures in this guide are summarized in the following table. An estimate
 
     This command mounts the .ISO file to drive D on SRV1.
 
-4. Type the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
+4. Enter the following command at an elevated Windows PowerShell prompt on SRV1 to install SQL Server:
 
-    ```powershell
+    ```cmd
     D:\setup.exe /q /ACTION=Install /ERRORREPORTING="False" /FEATURES=SQLENGINE,RS,IS,SSMS,TOOLS,ADV_SSMS,CONN /INSTANCENAME=MSSQLSERVER /INSTANCEDIR="C:\Program Files\Microsoft SQL Server" /SQLSVCACCOUNT="NT AUTHORITY\System" /SQLSYSADMINACCOUNTS="BUILTIN\ADMINISTRATORS" /SQLSVCSTARTUPTYPE=Automatic /AGTSVCACCOUNT="NT AUTHORITY\SYSTEM" /AGTSVCSTARTUPTYPE=Automatic /RSSVCACCOUNT="NT AUTHORITY\System" /RSSVCSTARTUPTYPE=Automatic /ISSVCACCOUNT="NT AUTHORITY\System" /ISSVCSTARTUPTYPE=Disabled /ASCOLLATION="Latin1_General_CI_AS" /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS" /TCPENABLED="1" /NPENABLED="1" /IAcceptSQLServerLicenseTerms
     ```
 
     Installation will take several minutes. When installation is complete, the following output will be displayed:
 
-    ```dos
+    ```console
     Microsoft (R) SQL Server 2014 12.00.5000.00
     Copyright (c) Microsoft Corporation.  All rights reserved.
 
@@ -98,10 +99,9 @@ The procedures in this guide are summarized in the following table. An estimate
     Success
     One or more affected files have operations pending.
     You should restart your computer to complete this process.
-    PS C:\>
     ```
 
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action allow
@@ -113,7 +113,7 @@ The procedures in this guide are summarized in the following table. An estimate
 
 6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components.
 
-## Install Microsoft Endpoint Configuration Manager
+## Install Microsoft Configuration Manager
 
 1. On SRV1, temporarily disable IE Enhanced Security Configuration for Administrators by typing the following commands at an elevated Windows PowerShell prompt:
 
@@ -123,13 +123,13 @@ The procedures in this guide are summarized in the following table. An estimate
     Stop-Process -Name Explorer
     ```
 
-1. Download [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
+2. Download [Microsoft Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
 
-1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+3. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
 
-1. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
+4. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
 
-    ```dos
+    ```powershell
     Get-Service Winmgmt
 
     Status   Name               DisplayName
@@ -156,36 +156,48 @@ The procedures in this guide are summarized in the following table. An estimate
 
     If the WMI service isn't started, attempt to start it or reboot the computer.  If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
 
-1. To extend the Active Directory schema, type the following command at an elevated Windows PowerShell prompt:
+5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt:
 
-    ```powershell
-    cmd /c C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
+    ```cmd
+    C:\configmgr\SMSSETUP\BIN\X64\extadsch.exe
     ```
 
-1. Temporarily switch to the DC1 VM, and type the following command at an elevated command prompt on DC1:
+6. Temporarily switch to the DC1 VM, and enter the following command at an elevated command prompt on DC1:
 
-    ```dos
+    ```cmd
     adsiedit.msc
     ```
 
-1. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
-1. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
-1. Select **container** and then select **Next**.
-1. Next to **Value**, type **System Management**, select **Next**, and then select **Finish**.
-1. Right-click **CN=system Management** and then select **Properties**.
-1. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
-1. Under **Enter the object names to select**, type **SRV1** and select **OK**.
-1. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
-1. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
-1. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
-1. Close the ADSI Edit console and switch back to SRV1.
-1. To start Configuration Manager installation, type the following command at an elevated Windows PowerShell prompt on SRV1:
+7. Right-click **ADSI Edit**, select **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then select **OK**.
 
-    ```powershell
-    cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
+8. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then select **Object**.
+
+9. Select **container** and then select **Next**.
+
+10. Next to **Value**, enter **System Management**, select **Next**, and then select **Finish**.
+
+11. Right-click **CN=system Management** and then select **Properties**.
+
+12. On the **Security** tab, select **Add**, select **Object Types**, select **Computers**, and select **OK**.
+
+13. Under **Enter the object names to select**, enter **SRV1** and select **OK**.
+
+14. The **SRV1** computer account will be highlighted, select **Allow** next to **Full control**.
+
+15. Select **Advanced**, select **SRV1 (CONTOSO\SRV1$)** and select **Edit**.
+
+16. Next to **Applies to**, choose **This object and all descendant objects**, and then select **OK** three times.
+
+17. Close the ADSI Edit console and switch back to SRV1.
+
+18. To start Configuration Manager installation, enter the following command at an elevated Windows PowerShell prompt on SRV1:
+
+    ```cmd
+    C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
     ```
 
-1. Provide the following information in the Configuration Manager Setup Wizard:
+19. Provide the following information in the Configuration Manager Setup Wizard:
+
     - **Before You Begin**: Read the text and select *Next*.
     - **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
         - Select **Yes** in response to the popup window.
@@ -205,7 +217,7 @@ The procedures in this guide are summarized in the following table. An estimate
 
     Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Select **Close** when installation is complete.
 
-1. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
+20. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1:
 
     ```powershell
     Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
@@ -216,24 +228,30 @@ The procedures in this guide are summarized in the following table. An estimate
 
 > [!IMPORTANT]
 > This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
+<!--
+
+THE LINK REFERENCED IN THE BELOW URL IS DEAD SO COMMENTING OUT
+
 > If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/).
+-->
 
 1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
 
-2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
+2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
 
     ```powershell
     Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso
     ```
 
-3. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+3. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
 
-    ```powershell
-    cmd /c "D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi"
+    ```cmd
+    D:\DaRT\DaRT 10\Installers\en-us\x64\MSDaRT100.msi
     ```
 
 4. Install DaRT 10 using default settings.
-5. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+
+5. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     Copy-Item "C:\Program Files\Microsoft DaRT\v10\Toolsx64.cab" -Destination "C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64"
@@ -242,11 +260,11 @@ The procedures in this guide are summarized in the following table. An estimate
 
 ## Prepare for Zero Touch installation
 
-This section contains several procedures to support Zero Touch installation with Microsoft Endpoint Configuration Manager.
+This section contains several procedures to support Zero Touch installation with Microsoft Configuration Manager.
 
 ### Create a folder structure
 
-1. Type the following commands at a Windows PowerShell prompt on SRV1:
+1. Enter the following commands at a Windows PowerShell prompt on SRV1:
 
     ```powershell
     New-Item -ItemType Directory -Path "C:\Sources\OSD\Boot"
@@ -261,56 +279,78 @@ This section contains several procedures to support Zero Touch installation with
 
 ### Enable MDT ConfigMgr integration
 
-1. On SRV1, select **Start**, type `configmgr`, and then select **Configure ConfigMgr Integration**.
-2. Type `PS1` as the **Site code**, and then select **Next**.
+1. On SRV1, select **Start**, enter `configmgr`, and then select **Configure ConfigMgr Integration**.
+
+2. Enter `PS1` as the **Site code**, and then select **Next**.
+
 3. Verify **The process completed successfully** is displayed, and then select **Finish**.
 
 ### Configure client settings
 
-1. On SRV1, select **Start**, type **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
+1. On SRV1, select **Start**, enter **configuration manager**, right-click **Configuration Manager Console**, and then select **Pin to Taskbar**.
+
 2. Select **Desktop**, and then launch the Configuration Manager console from the taskbar.
+
 3. If the console notifies you that an update is available, select **OK**. It isn't necessary to install updates to complete this lab.
+
 4. In the console tree, open the **Administration** workspace (in the lower left corner) and select **Client Settings**.
+
 5. In the display pane, double-click **Default Client Settings**.
-6. Select **Computer Agent**, next to **Organization name displayed in Software Center** type **Contoso**, and then select **OK**.
+
+6. Select **Computer Agent**, next to **Organization name displayed in Software Center** enter **Contoso**, and then select **OK**.
 
 ### Configure the network access account
 
-1. In the Administration workspace, expand **Site Configuration** and select **Sites**.
+1. in the **Administration** workspace, expand **Site Configuration** and select **Sites**.
+
 2. On the **Home** ribbon at the top of the console window, select **Configure Site Components** and then select **Software Distribution**.
+
 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
+
 4. Select the yellow starburst and then select **New Account**.
-5. Select **Browse** and then under **Enter the object name to select**, type **CM_NAA** and select **OK**.
-6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then select **OK** twice.
+
+5. Select **Browse** and then under **Enter the object name to select**, enter **CM_NAA** and select **OK**.
+
+6. Next to **Password** and **Confirm Password**, enter **pass\@word1**, and then select **OK** twice.
 
 ### Configure a boundary group
 
-1. In the Administration workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
-2. Next to **Description**, type **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
+1. in the **Administration** workspace, expand **Hierarchy Configuration**, right-click **Boundaries** and then select **Create Boundary**.
+
+2. Next to **Description**, enter **PS1**, next to **Type** choose **Active Directory Site**, and then select **Browse**.
+
 3. Choose **Default-First-Site-Name** and then select **OK** twice.
-4. In the Administration workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
-5. Next to **Name**, type **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
+
+4. in the **Administration** workspace, right-click **Boundary Groups** and then select **Create Boundary Group**.
+
+5. Next to **Name**, enter **PS1 Site Assignment and Content Location**, select **Add**, select the **Default-First-Site-Name** boundary and then select **OK**.
+
 6. On the **References** tab in the **Create Boundary Group** window, select the **Use this boundary group for site assignment** checkbox.
+
 7. Select **Add**, select the **\\\SRV1.contoso.com** checkbox, and then select **OK** twice.
 
 ### Add the state migration point role
 
-1. In the Administration workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
+1. in the **Administration** workspace, expand **Site Configuration**, select **Sites**, and then in on the **Home** ribbon at the top of the console select **Add Site System Roles**.
+
 2. In the Add site System Roles Wizard, select **Next** twice and then on the Specify roles for this server page, select the **State migration point** checkbox.
-3. Select **Next**, select the yellow starburst, type **C:\MigData** for the **Storage folder**, and select **OK**.
+
+3. Select **Next**, select the yellow starburst, enter **C:\MigData** for the **Storage folder**, and select **OK**.
+
 4. Select **Next**, and then verify under **Boundary groups** that **PS1 Site Assignment and Content Location** is displayed.
+
 5. Select **Next** twice and then select **Close**.
 
 ### Enable PXE on the distribution point
 
 > [!IMPORTANT]
-> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, type the following commands at an elevated Windows PowerShell prompt on SRV1:
+> Before enabling PXE in Configuration Manager, ensure that any previous installation of WDS does not cause conflicts. Configuration Manager will automatically configure the WDS service to manage PXE requests. To disable a previous installation, if it exists, enter the following commands at an elevated Windows PowerShell prompt on SRV1:
 
-```powershell
-WDSUTIL /Set-Server /AnswerClients:None
+```cmd
+WDSUTIL.exe /Set-Server /AnswerClients:None
 ```
 
-1. Determine the MAC address of the internal network adapter on SRV1. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+1. Determine the MAC address of the internal network adapter on SRV1. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     (Get-NetAdapter "Ethernet").MacAddress
@@ -320,8 +360,11 @@ WDSUTIL /Set-Server /AnswerClients:None
     > If the internal network adapter, assigned an IP address of 192.168.0.2, isn't named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
 
 2. In the Configuration Manager console, in the **Administration** workspace, select **Distribution Points**.
+
 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then select **Properties**.
+
 4. On the PXE tab, select the following settings:
+
    - **Enable PXE support for clients**. Select **Yes** in the popup that appears.
    - **Allow this distribution point to respond to incoming PXE requests**
    - **Enable unknown computer support**. Select **OK** in the popup that appears.
@@ -333,10 +376,11 @@ WDSUTIL /Set-Server /AnswerClients:None
      ![Config Mgr PXE.](images/configmgr-pxe.png)
 
 5. Select **OK**.
-6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
 
-    ```powershell
-    cmd /c dir /b C:\RemoteInstall\SMSBoot\x64
+6. Wait for a minute, then enter the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
+
+    ```cmd
+    dir /b C:\RemoteInstall\SMSBoot\x64
 
     abortpxe.com
     bootmgfw.efi
@@ -348,12 +392,12 @@ WDSUTIL /Set-Server /AnswerClients:None
     ```
 
     > [!NOTE]
-    > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
+    > If these files aren't present in the C:\RemoteInstall directory, verify that the REMINST share is configured as C:\RemoteInstall. You can view the properties of this share by typing `net.exe share REMINST` at a command prompt. If the share path is set to a different value, then replace C:\RemoteInstall with your REMINST share path.
     >
-    > You can also type the following command at an elevated Windows PowerShell prompt to open the CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
+    > You can also enter the following command at an elevated Windows PowerShell prompt to open CMTrace. In the tool, select **File**, select **Open**, and then open the **distmgr.log** file. If errors are present, they will be highlighted in red:
     >
-    > ```powershell
-    > Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
+    > ```cmd
+    > "C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe"
     > ```
     >
     > The log file is updated continuously while Configuration Manager is running. Wait for Configuration Manager to repair any issues that are present, and periodically recheck that the files are present in the REMINST share location. Close CMTrace when done. You'll see the following line in distmgr.log that indicates the REMINST share is being populated with necessary files:
@@ -365,7 +409,8 @@ WDSUTIL /Set-Server /AnswerClients:None
 ### Create a branding image file
 
 1. If you have a bitmap (.BMP) image for suitable use as a branding image, copy it to the C:\Sources\OSD\Branding folder on SRV1. Otherwise, use the following step to copy a branding image.
-2. Type the following command at an elevated Windows PowerShell prompt:
+
+2. Enter the following command at an elevated Windows PowerShell prompt:
 
     ```powershell
     Copy-Item -Path "C:\ProgramData\Microsoft\User Account Pictures\user.bmp" -Destination "C:\Sources\OSD\Branding\contoso.bmp"
@@ -377,16 +422,26 @@ WDSUTIL /Set-Server /AnswerClients:None
 ### Create a boot image for Configuration Manager
 
 1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then select **Create Boot Image using MDT**.
-2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
+
+2. On the Package Source page, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then select **Next**.
+
     - The Zero Touch WinPE x64 folder doesn't yet exist. The folder will be created later.
-3. On the General Settings page, type **Zero Touch WinPE x64** next to **Name**, and select **Next**.
+
+3. On the General Settings page, enter **Zero Touch WinPE x64** next to **Name**, and select **Next**.
+
 4. On the Options page, under **Platform** choose **x64**, and select **Next**.
+
 5. On the Components page, in addition to the default selection of **Microsoft Data Access Components (MDAC/ADO) support**, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox, and select **Next**.
-6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, type or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
+
+6. On the Customization page, select the **Use a custom background bitmap file** checkbox, and under **UNC path**, enter or browse to **\\\SRV1\Sources$\OSD\Branding\contoso.bmp**, and then select **Next** twice. It will take a few minutes to generate the boot image.
+
 7. Select **Finish**.
+
 8. In the console display pane, right-click the **Zero Touch WinPE x64** boot image, and then select **Distribute Content**.
+
 9. In the Distribute Content Wizard, select **Next**, select **Add** and select **Distribution Point**, select the **SRV1.CONTOSO.COM** checkbox, select **OK**, select **Next** twice, and then select **Close**.
-10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, type the following command at an elevated Windows PowerShell prompt on SRV1:
+
+10. Use the CMTrace application to view the **distmgr.log** file again and verify that the boot image has been distributed. To open CMTrace, enter the following command at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe'
@@ -399,12 +454,15 @@ WDSUTIL /Set-Server /AnswerClients:None
     ```
 
 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab.
+
 12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then select the **Data Source** tab.
+
 13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and select **OK**.
+
 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example:
 
-    ```console
-    cmd /c dir /s /b C:\RemoteInstall\SMSImages
+    ```cmd
+    dir /s /b C:\RemoteInstall\SMSImages
 
     C:\RemoteInstall\SMSImages\PS100004
     C:\RemoteInstall\SMSImages\PS100005
@@ -421,19 +479,19 @@ WDSUTIL /Set-Server /AnswerClients:None
 
 If you've already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you've already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 OS image](#add-a-windows-10-os-image). If you've not yet created a Windows 10 reference image, complete the steps in this section.
 
-1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1.  To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and type the following command:
+1. In [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) the Windows 10 Enterprise .iso file was saved to the c:\VHD directory as **c:\VHD\w10-enterprise.iso**. The first step in creating a deployment share is to mount this file on SRV1.  To mount the Windows 10 Enterprise DVD on SRV1, open an elevated Windows PowerShell prompt on the Hyper-V host computer and enter the following command:
 
     ```powershell
     Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\w10-enterprise.iso
     ```
 
-1. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
+2. Verify that the Windows Enterprise installation DVD is mounted on SRV1 as drive letter D.
 
-1. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, type **deployment**, and then select **Deployment Workbench**.
+3. The Windows 10 Enterprise installation files will be used to create a deployment share on SRV1 using the MDT deployment workbench. To open the deployment workbench, select **Start**, enter **deployment**, and then select **Deployment Workbench**.
 
-1. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
+4. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
 
-1. Use the following settings for the New Deployment Share Wizard:
+5. Use the following settings for the New Deployment Share Wizard:
     - Deployment share path: **C:\MDTBuildLab**
     - Share name: **MDTBuildLab$**
     - Deployment share description: **MDT build lab**
@@ -442,22 +500,23 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
     - Progress: settings will be applied
     - Confirmation: Select **Finish**
 
-1. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
+6. Expand the **Deployment Shares** node, and then expand **MDT build lab**.
 
-1. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
+7. Right-click the **Operating Systems** node, and then select **New Folder**. Name the new folder **Windows 10**. Complete the wizard using default values and select **Finish**.
 
-1. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
+8. Right-click the **Windows 10** folder created in the previous step, and then select **Import Operating System**.
 
-1. Use the following settings for the Import Operating System Wizard:
+9. Use the following settings for the Import Operating System Wizard:
     - OS Type: **Full set of source files**
     - Source: **D:\\**
     - Destination: **W10Ent_x64**
     - Summary: Select **Next**
     - Confirmation: Select **Finish**
 
-1. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
+10. For purposes of this test lab, we won't add applications, such as Microsoft Office, to the deployment share. For more information about adding applications, see [Add applications](deploy-windows-mdt/create-a-windows-10-reference-image.md#add-applications).
+
+11. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
 
-1. The next step is to create a task sequence to reference the OS that was imported. To create a task sequence, right-click the **Task Sequences** node under **MDT Build Lab** and then select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
     - Task sequence ID: **REFW10X64-001**
     - Task sequence name: **Windows 10 Enterprise x64 Default Image**
     - Task sequence comments: **Reference Build**
@@ -466,31 +525,31 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
     - Specify Product Key: **Do not specify a product key at this time**
     - Full Name: **Contoso**
     - Organization: **Contoso**
-    - Internet Explorer home page: **http://www.contoso.com**
+    - Internet Explorer home page: **`http://www.contoso.com`**
     - Admin Password: **Do not specify an Administrator password at this time**
     - Summary: Select **Next**
     - Confirmation: Select **Finish**
 
-1. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
+12. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
 
-1. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
+13. Select the **Task Sequence** tab. Under **State Restore**, select **Tattoo** to highlight it, then select **Add** and choose **New Group**. A new group will be added under Tattoo.
 
-1. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
+14. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then select **Apply**. To see the name change, select **Tattoo**, then select the new group again.
 
-1. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
+15. Select the **Custom Tasks (Pre-Windows Update)** group again, select **Add**, point to **Roles**, and then select **Install Roles and Features**.
 
-1. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
+16. Under **Select the roles and features that should be installed**, select **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** and then select **Apply**.
 
-1. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
+17. Enable Windows Update in the task sequence by clicking the **Windows Update (Post-Application Installation)** step, clicking the **Options** tab, and clearing the **Disable this step** checkbox.
 
     > [!NOTE]
     > Since we aren't installing applications in this test lab, there's no need to enable the Windows Update Pre-Application Installation step. However, you should enable this step if you're also installing applications.
 
-1. Select **OK** to complete editing the task sequence.
+18. Select **OK** to complete editing the task sequence.
 
-1. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
+19. The next step is to configure the MDT deployment share rules. To configure rules in the Deployment Workbench, right-click MDT build lab (C:\MDTBuildLab) and select **Properties**, and then select the **Rules** tab.
 
-1. Replace the default rules with the following text:
+20. Replace the default rules with the following text:
 
     ```ini
     [Settings]
@@ -525,7 +584,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
     SkipFinalSummary=NO
     ```
 
-1. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
+21. Select **Apply** and then select **Edit Bootstrap.ini**. Replace the contents of the Bootstrap.ini file with the following text, and save the file:
 
     ```ini
     [Settings]
@@ -539,18 +598,18 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
     SkipBDDWelcome=YES
     ```
 
-1. Select **OK** to complete the configuration of the deployment share.
+22. Select **OK** to complete the configuration of the deployment share.
 
-1. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
+23. Right-click **MDT build lab (C:\MDTBuildLab)** and then select **Update Deployment Share**.
 
-1. Accept all default values in the Update Deployment Share Wizard by clicking **Next**.  The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
+24. Accept all default values in the Update Deployment Share Wizard by clicking **Next**.  The update process will take 5 to 10 minutes. When it has completed, select **Finish**.
 
-1. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
+25. Copy **c:\MDTBuildLab\Boot\LiteTouchPE_x86.iso** on SRV1 to the **c:\VHD** directory on the Hyper-V host computer. In MDT, the x86 boot image can deploy both x86 and x64 operating systems, except on computers based on Unified Extensible Firmware Interface (UEFI).
 
     > [!TIP]
     > To copy the file, right-click the **LiteTouchPE_x86.iso** file, and select **Copy** on SRV1. Then open the **c:\VHD** folder on the Hyper-V host, right-click inside the folder, and select **Paste**.
 
-1. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
+26. Open a Windows PowerShell prompt on the Hyper-V host computer and enter the following commands:
 
     ```powershell
     New-VM -Name REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
@@ -560,9 +619,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
     vmconnect localhost REFW10X64-001
     ```
 
-1. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
+27. In the Windows Deployment Wizard, select **Windows 10 Enterprise x64 Default Image**, and then select **Next**.
 
-1. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
+28. Accept the default values on the Capture Image page, and select **Next**. OS installation will complete after 5 to 10 minutes and then the VM will reboot automatically. Allow the system to boot normally, don't press a key. The process is fully automated.
 
     Other system restarts will occur to complete updating and preparing the OS. Setup will complete the following procedures:
 
@@ -578,7 +637,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 ### Add a Windows 10 OS image
 
-1. Type the following commands at an elevated Windows PowerShell prompt on SRV1:
+1. Enter the following commands at an elevated Windows PowerShell prompt on SRV1:
 
     ```powershell
     New-Item -ItemType Directory -Path "C:\Sources\OSD\OS\Windows 10 Enterprise x64"
@@ -587,9 +646,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 2. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Operating System Images**, and then select **Add Operating System Image**.
 
-3. On the Data Source page, under **Path:**, type or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
+3. On the Data Source page, under **Path:**, enter or browse to **\\\SRV1\Sources$\OSD\OS\Windows 10 Enterprise x64\REFW10X64-001.wim**, and select **Next**.
 
-4. On the General page, next to **Name:**, type **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
+4. On the General page, next to **Name:**, enter **Windows 10 Enterprise x64**, select **Next** twice, and then select **Close**.
 
 5. Distribute the OS image to the SRV1 distribution point by right-clicking the **Windows 10 Enterprise x64** OS image and then clicking **Distribute Content**.
 
@@ -609,9 +668,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 2. On the Choose Template page, select the **Client Task Sequence** template and select **Next**.
 
-3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
+3. On the General page, enter **Windows 10 Enterprise x64** under **Task sequence name:** and then select **Next**.
 
 4. On the Details page, enter the following settings:
+
    - Join a domain: **contoso.com**
    - Account: Select **Set**
      - User name: **contoso\CM_JD**
@@ -631,9 +691,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, select **OK**, and then select **Next**.
 
-7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
+7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then select **Next**.
 
-8. On the MDT Details page, next to **Name:** type **MDT** and then select **Next**.
+8. On the MDT Details page, next to **Name:** enter **MDT** and then select **Next**.
 
 9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, select **OK**, and then select **Next**.
 
@@ -643,9 +703,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, select **OK**, and then select **Next**.
 
-13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
+13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, enter **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then select **Next**.
 
-14. On the Settings Details page, next to **Name:**, type **Windows 10 x64 Settings**, and select **Next**.
+14. On the Settings Details page, next to **Name:**, enter **Windows 10 x64 Settings**, and select **Next**.
 
 15. On the Sysprep Package page, select **Next** twice.
 
@@ -662,6 +722,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 4. In the **State Restore** group, select the **Set Status 5** action, select **Add** in the upper left corner, point to **User State**, and select **Request State Store**. This action adds a new step immediately after **Set Status 5**.
 
 5. Configure this **Request State Store** step with the following settings:
+
     - Request state storage location to: **Restore state from another computer**
     - Select the **If computer account fails to connect to state store, use the Network Access account** checkbox.
     - Options tab: Select the **Continue on error** checkbox.
@@ -675,6 +736,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 6. In the **State Restore** group, select **Restore User State**, select **Add**, point to **User State**, and select **Release State Store**.
 
 7. Configure this **Release State Store** step with the following settings:
+
     - Options tab: Select the **Continue on error** checkbox.
     - Add Condition: **Task Sequence Variable**:
         - Variable: **USMTLOCAL**
@@ -703,10 +765,10 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 4. Select the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then select **OK**.
 
-5. Type the following command at an elevated Windows PowerShell prompt on SRV1:
+5. Enter the following command at an elevated Windows PowerShell prompt on SRV1:
 
-    ```powershell
-    notepad "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
+    ```cmd
+    notepad.exe "C:\Sources\OSD\Settings\Windows 10 x64 Settings\CustomSettings.ini"
     ```
 
 6. Replace the contents of the file with the following text, and then save the file:
@@ -734,9 +796,9 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
     > OSDMigrateAdditionalCaptureOptions=/all
     > ```
 
-7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
+7. Return to the Configuration Manager console, and in the **Software Library** workspace, expand **Application Management**, select **Packages**, right-click **Windows 10 x64 Settings**, and then select **Update Distribution Points**. Select **OK** in the popup that appears.
 
-8. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
+8. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Distribute Content**.
 
 9. In the Distribute Content Wizard, select **Next** twice, select **Add**, select **Distribution Point**, select the **SRV1.CONTOSO.COM** distribution point, select **OK**, select **Next** twice and then select **Close**.
 
@@ -744,13 +806,13 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 ### Create a deployment for the task sequence
 
-1. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
+1. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then select **Deploy**.
 
 2. On the General page, next to **Collection**, select **Browse**, select the **All Unknown Computers** collection, select **OK**, and then select **Next**.
 
 3. On the Deployment Settings page, use the following settings:
     - Purpose: **Available**
-    - Make available to the following: **Only media and PXE**
+    - Make available to the following clients: **Only media and PXE**
     - Select **Next**.
 4. Select **Next** five times to accept defaults on the Scheduling, User Experience, Alerts, and Distribution Points pages.
 
@@ -760,7 +822,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
 
 In this first deployment scenario, you'll deploy Windows 10 using PXE. This scenario creates a new computer that doesn't have any migrated users or settings.
 
-1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+1. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 40GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@@ -775,7 +837,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
 
 4. Before you select **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open.
 
-5. At the command prompt, type **explorer.exe** and review the Windows PE file structure.
+5. At the command prompt, enter **explorer.exe** and review the Windows PE file structure.
 
 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
    - X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted.
@@ -795,6 +857,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
 10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Select **Next** to continue with the deployment.
 
 11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
+
     - Install Windows 10
     - Install the Configuration Manager client and hotfix
     - Join the computer to the contoso.com domain
@@ -802,7 +865,7 @@ In this first deployment scenario, you'll deploy Windows 10 using PXE. This scen
 
 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account.
 
-13. Right-click **Start**, select **Run**, type **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
+13. Right-click **Start**, select **Run**, enter **control appwiz.cpl**, press ENTER, select **Turn Windows features on or off**, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This feature is included in the reference image.
 
 14. Shut down the PC4 VM.
 
@@ -820,19 +883,25 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
 
 ### Create a replace task sequence
 
-1. On SRV1, in the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
+1. On SRV1, in the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Task Sequences**, and then select **Create MDT Task Sequence**.
 
 2. On the Choose Template page, select **Client Replace Task Sequence** and select **Next**.
 
-3. On the General page, type the following information:
+3. On the General page, enter the following information:
+
     - Task sequence name: **Replace Task Sequence**
     - Task sequence comments: **USMT backup only**
 
 4. Select **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Select **OK** and then select **Next** to continue.
+
 5. On the MDT Package page, browse and select the **MDT** package. Select **OK** and then select **Next** to continue.
+
 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Select **OK** and then select **Next** to continue.
+
 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Select **OK** and then select **Next** to continue.
+
 8. On the Summary page, review the details and then select **Next**.
+
 9. On the Confirmation page, select **Finish**.
 
 > [!NOTE]
@@ -840,7 +909,7 @@ In the replace procedure, PC1 won't be migrated to a new OS. It's simplest to pe
 
 ### Deploy PC4
 
-Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+Create a VM named PC4 to receive the applications and settings from PC1. This VM represents a new computer that will replace PC1. To create this VM, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
 ```powershell
 New-VM -Name "PC4" -NewVHDPath "c:\vhd\pc4.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2
@@ -855,61 +924,66 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 1. Verify that the PC1 VM is running and in its original state, which was saved as a checkpoint and then restored in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
 
-1. If you haven't already saved a checkpoint for PC1, then do it now. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+2. If you haven't already saved a checkpoint for PC1, then do it now. Enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     Checkpoint-VM -Name PC1 -SnapshotName BeginState
     ```
 
-1. On SRV1, in the Configuration Manager console, in the Administration workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
-1. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
-1. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
-1. When a popup dialog box asks if you want to run full discovery, select **Yes**.
-1. In the Assets and Compliance workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
+3. On SRV1, in the Configuration Manager console, in the **Administration** workspace, expand **Hierarchy Configuration** and select on **Discovery Methods**.
+
+4. Double-click **Active Directory System Discovery** and on the **General** tab select the **Enable Active Directory System Discovery** checkbox.
+
+5. Select the yellow starburst, select **Browse**, select **contoso\Computers**, and then select **OK** three times.
+
+6. When a popup dialog box asks if you want to run full discovery, select **Yes**.
+
+7. In the **Assets and Compliance** workspace, select **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example):
 
     > [!TIP]
     > If you don't see the computer account for PC1, select **Refresh** in the upper right corner of the console.
 
     The **Client** column indicates that the Configuration Manager client isn't currently installed. This procedure will be carried out next.
 
-1. Sign in to PC1 using the contoso\administrator account and type the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
+8. Sign in to PC1 using the contoso\administrator account and enter the following command at an elevated command prompt to remove any pre-existing client configuration, if it exists.
 
     > [!Note]
-    > This command requires an elevated _command prompt_, not an elevated Windows PowerShell prompt.
+    > This command requires an elevated command prompt, not an elevated Windows PowerShell prompt.
 
-    ```dos
-    sc stop ccmsetup
+    ```cmd
+    sc.exe stop ccmsetup
     "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
     ```
 
     > [!NOTE]
     > If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by `CCMSetup /Uninstall` and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client).
 
-1. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type:
+9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, enter:
 
-    ```dos
-    net stop wuauserv
-    net stop BITS
+    ```cmd
+    net.exe stop wuauserv
+    net.exe stop BITS
     ```
 
-    Verify that both services were stopped successfully, then type the following command at an elevated command prompt:
+    Verify that both services were stopped successfully, then enter the following command at an elevated command prompt:
 
-    ```dos
+    ```cmd
     del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
-    net start BITS
-    bitsadmin /list /allusers
+    net.exe start BITS
+    bitsadmin.exe /list /allusers
     ```
 
     Verify that BITSAdmin displays zero jobs.
 
-1. To install the Configuration Manager client as a standalone process, type the following command at an elevated command prompt:
+10. To install the Configuration Manager client as a standalone process, enter the following command at an elevated command prompt:
 
-    ```dos
+    ```cmd
     "\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /mp:SRV1.contoso.com /logon SMSSITECODE=PS1
     ```
 
-1. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
-1. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can type the following command at an elevated Windows PowerShell prompt to monitor installation progress:
+11. On PC1, using file explorer, open the **C:\Windows\ccmsetup** directory. During client installation, files will be downloaded here.
+
+12. Installation progress will be captured in the file: **c:\windows\ccmsetup\logs\ccmsetup.log**. You can periodically open this file in notepad, or you can enter the following command at an elevated Windows PowerShell prompt to monitor installation progress:
 
     ```powershell
     Get-Content -Path c:\windows\ccmsetup\logs\ccmsetup.log -Wait
@@ -917,21 +991,21 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
     Installation might require several minutes, and display of the log file will appear to hang while some applications are installed. This behavior is normal. When setup is complete, verify that **CcmSetup is existing with return code 0** is displayed on the last line of the ccmsetup.log file. Then press **CTRL-C** to break out of the Get-Content operation. If you're viewing the log file in Windows PowerShell, the last line will be wrapped. A return code of `0` indicates that installation was successful and you should now see a directory created at **C:\Windows\CCM** that contains files used in registration of the client with its site.
 
-1. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
+13. On PC1, open the Configuration Manager control panel applet by typing the following command from a command prompt:
 
-    ```dos
-    control smscfgrc
+    ```cmd
+    control.exe smscfgrc
     ```
 
-1. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
+14. Select the **Site** tab, select **Configure Settings**, and select **Find Site**. The client will report that it has found the PS1 site. See the following example:
 
     ![site.](images/configmgr-site.png)
 
     If the client isn't able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the client can't locate the site code is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode**, delete or update this entry.
 
-1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
+15. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **All Desktop and Server Clients**. This node will be added under **Devices**.
 
-1. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here.  See the following example:
+16. Select **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here.  See the following example:
 
     ![client.](images/configmgr-client.png)
 
@@ -940,9 +1014,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 ### Create a device collection and deployment
 
-1. On SRV1, in the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
+1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
 
 2. Use the following settings in the **Create Device Collection Wizard**:
+
     - General > Name: **Install Windows 10 Enterprise x64**
     - General > Limiting collection: **All Systems**
     - Membership Rules > Add Rule: **Direct Rule**
@@ -955,12 +1030,12 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 3. Double-click the Install Windows 10 Enterprise x64 device collection and verify that the PC1 computer account is displayed.
 
-4. In the Software Library workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
+4. In the **Software Library** workspace, expand **Operating Systems**, select **Task Sequences**, right-click **Windows 10 Enterprise x64** and then select **Deploy**.
 
 5. Use the following settings in the Deploy Software wizard:
     - General > Collection: Select Browse and select **Install Windows 10 Enterprise x64**
     - Deployment Settings > Purpose: **Available**
-    - Deployment Settings > Make available to the following: **Configuration Manager clients, media and PXE**
+    - Deployment Settings > Make available to the following clients: **Configuration Manager clients, media and PXE**
     - Scheduling > select **Next**
     - User Experience > select **Next**
     - Alerts > select **Next**
@@ -970,24 +1045,25 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 ### Associate PC4 with PC1
 
-1. On SRV1 in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices** and then select **Import Computer Information**.
+1. On SRV1 in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Devices** and then select **Import Computer Information**.
 
 2. On the Select Source page, choose **Import single computer** and select **Next**.
 
 3. On the Single Computer page, use the following settings:
+
     - Computer Name: **PC4**
     - MAC Address: **00:15:5D:83:26:FF**
-    - Source Computer: \<type the hostname of PC1, or select **Search** twice, select the hostname, and select **OK**\>
+    - Source Computer: \<enter the hostname of PC1, or select **Search** twice, select the hostname, and select **OK**\>
 
 4. Select **Next**, and on the User Accounts page choose **Capture and restore specified user accounts**, then select the yellow starburst next to **User accounts to migrate**.
 
-5. Select **Browse** and then under Enter the object name to select type **user1** and select OK twice.
+5. Select **Browse** and then under **Enter the object name to select** enter **user1** and select **OK** twice.
 
 6. Select the yellow starburst again and repeat the previous step to add the **contoso\administrator** account.
 
 7. Select **Next** twice, and on the Choose Target Collection page, choose **Add computers to the following collection**, select **Browse**, choose **Install Windows 10 Enterprise x64**, select **OK**, select **Next** twice, and then select **Close**.
 
-8. In the Assets and Compliance workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration type will be **side-by-side**.
+8. In the **Assets and Compliance** workspace, select **User State Migration** and review the computer association in the display pane. The source computer will be the computername of PC1 (GREGLIN-PC1 in this example), the destination computer will be **PC4**, and the migration enter will be **side-by-side**.
 
 9. Right-click the association in the display pane and then select **Specify User Accounts**. You can add or remove user account here. Select **OK**.
 
@@ -999,9 +1075,10 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
 
 ### Create a device collection for PC1
 
-1. On SRV1, in the Configuration Manager console, in the Assets and Compliance workspace, right-click **Device Collections** and then select **Create Device Collection**.
+1. On SRV1, in the Configuration Manager console, in the **Assets and Compliance** workspace, right-click **Device Collections** and then select **Create Device Collection**.
 
 2. Use the following settings in the **Create Device Collection Wizard**:
+
     - General > Name: **USMT Backup (Replace)**
     - General > Limiting collection: **All Systems**
     - Membership Rules > Add Rule: **Direct Rule**
@@ -1020,7 +1097,7 @@ In the Configuration Manager console, in the **Software Library** workspace, und
 
 - General > Collection: **USMT Backup (Replace)**
 - Deployment Settings > Purpose: **Available**
-- Deployment Settings > Make available to the following: **Only Configuration Manager Clients**
+- Deployment Settings > Make available to the following clients: **Only Configuration Manager Clients**
 - Scheduling: Select **Next**
 - User Experience: Select **Next**
 - Alerts: Select **Next**
@@ -1031,15 +1108,15 @@ In the Configuration Manager console, in the **Software Library** workspace, und
 
 1. On PC1, open the Configuration Manager control panel applet by typing the following command in a command prompt:
 
-    ```dos
-    control smscfgrc
+    ```cmd
+    control.exe smscfgrc
     ```
 
 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, select **Run Now**, select **OK**, and then select **OK** again. This method is one that you can use to run a task sequence in addition to the Client Notification method that will be demonstrated in the computer refresh procedure.
 
-3. Type the following command at an elevated command prompt to open the Software Center:
+3. Enter the following command at an elevated command prompt to open the Software Center:
 
-    ```dos
+    ```cmd
     C:\Windows\CCM\SCClient.exe
     ```
 
@@ -1051,26 +1128,30 @@ In the Configuration Manager console, in the **Software Library** workspace, und
     > If you don't see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
 
 5. Select **INSTALL SELECTED** and then select **INSTALL OPERATING SYSTEM**.
+
 6. Allow the **Replace Task Sequence** to complete, then verify that the C:\MigData folder on SRV1 contains the USMT backup.
 
 ### Deploy the new computer
 
-1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     Start-VM PC4
     vmconnect localhost PC4
     ```
 
-1. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
-1. Choose the **Windows 10 Enterprise X64** image.
-1. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
-1. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
+2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and select **Next**.
+
+3. Choose the **Windows 10 Enterprise X64** image.
+
+4. Setup will install the OS using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1.
+
+5. Save checkpoints for all VMs if you wish to review their status at a later date. This action isn't required, as checkpoints do take up space on the Hyper-V host.
 
     > [!Note]
     > The next procedure will install a new OS on PC1, and update its status in Configuration Manager and in Active Directory as a Windows 10 device. So you can't return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this action for all VMs.
 
-    To save a checkpoint for all VMs, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
+    To save a checkpoint for all VMs, enter the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
 
     ```powershell
     Checkpoint-VM -Name DC1 -SnapshotName cm-refresh
@@ -1082,14 +1163,17 @@ In the Configuration Manager console, in the **Software Library** workspace, und
 
 ### Initiate the computer refresh
 
-1. On SRV1, in the Assets and Compliance workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
+1. On SRV1, in the **Assets and Compliance** workspace, select **Device Collections** and then double-click **Install Windows 10 Enterprise x64**.
+
 2. Right-click the computer account for PC1, point to **Client Notification**, select **Download Computer Policy**, and select **OK** in the popup dialog box.
+
 3. On PC1, in the notification area, select **New software is available** and then select **Open Software Center**.
+
 4. In the Software Center, select **Operating Systems**, select **Windows 10 Enterprise x64**, select **Install** and then select **INSTALL OPERATING SYSTEM**. See the following example:
 
     ![installOS.](images/configmgr-install-os.png)
 
-    The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed.  See the following example:
+    The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the **Monitoring** workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then select **More Details**. Select the **Status** tab to see a list of tasks that have been performed.  See the following example:
 
     ![asset.](images/configmgr-asset.png)
 
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index f69d28d3bf..0998486d71 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -2,19 +2,19 @@
 title: Configure a test lab to deploy Windows 10
 description: Learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
 ms.reviewer: 
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
-ms.prod: w10
-ms.technology: windows
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.prod: windows-client
+ms.technology: itpro-deploy
 ms.localizationpriority: medium
 ms.topic: tutorial
-ms.date: 05/12/2022
+ms.date: 11/23/2022
 ---
 
 # Step by step guide: Configure a test lab to deploy Windows 10
 
-*Applies to*
+*Applies to:*
 
 - Windows 10
 
@@ -25,7 +25,7 @@ This guide contains instructions to configure a proof of concept (PoC) environme
 
 This lab guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides:
 
-- [Step by step: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step: Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
 - [Step by step: Deploy Windows 10 in a test lab using MDT](windows-10-poc-mdt.md)
 
 The proof of concept (PoC) deployment guides are intended to provide a demonstration of Windows 10 deployment tools and processes for IT professionals that aren't familiar with these tools, and you want to set up a PoC environment. Don't use the instructions in this guide in a production setting. They aren't meant to replace the instructions found in production deployment guidance.
@@ -69,6 +69,7 @@ The procedures in this guide are summarized in the following table. An estimate
 One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process.
 
 - **Computer 1**: the computer you'll use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor.
+
 - **Computer 2**: a client computer from your network. It's shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you don't have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you can't create this VM using computer 2.
 
 Hardware requirements are displayed below:
@@ -80,7 +81,7 @@ Hardware requirements are displayed below:
 |**OS**|Windows 8.1/10 or Windows Server 2012/2012 R2/2016|Windows 8.1 or a later|
 |**Edition**|Enterprise, Professional, or Education|Any|
 |**Architecture**|64-bit|Any <br/><br/> Retaining applications and settings requires that architecture (32-bit or 64-bit) is the same before and after the upgrade.|
-|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.<br>16-GB RAM to test Windows 10 deployment with Microsoft Endpoint Configuration Manager.|Any|
+|**RAM**|8-GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.<br>16-GB RAM to test Windows 10 deployment with Microsoft Configuration Manager.|Any|
 |**Disk**|200-GB available hard disk space, any format.|Any size, MBR formatted.|
 |**CPU**|SLAT-Capable CPU|Any|
 |**Network**|Internet connection|Any|
@@ -92,7 +93,9 @@ The lab architecture is summarized in the following diagram:
 ![PoC diagram.](images/poc.png)
 
 - Computer 1 is configured to host four VMs on a private, PoC network.
+
   - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
+
   - Two VMs are client systems: One VM is intended to mirror a host on your network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario.
 
 > [!NOTE]
@@ -120,8 +123,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
 
 1. To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
 
-    ```console
-    C:\>systeminfo
+    ```cmd
+    C:\>systeminfo.exe
 
     ...
     Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
@@ -136,8 +139,8 @@ Starting with Windows 8, the host computer's microprocessor must support second
 
     You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
 
-    ```console
-    C:\>coreinfo -v
+    ```cmd
+    C:\>coreinfo.exe -v
 
     Coreinfo v3.31 - Dump information on system CPU and memory topology
     Copyright (C) 2008-2014 Mark Russinovich
@@ -205,7 +208,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 
      The following example displays the procedures described in this section, both before and after downloading files:
 
-    ```console
+    ```cmd
      C:>mkdir VHD
      C:>cd VHD
      C:\VHD&gt;ren 9600*.vhd 2012R2-poc-1.vhd
@@ -225,13 +228,23 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 
 If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
 
-1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page.<!-- only works with locale :( -->
+1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
+
+    > [!NOTE]
+    > The above link may not be available in all locales.
+
 2. Under **Virtual machine**, choose **IE11 on Win7**.
+
 3. Under **Select platform**, choose **HyperV (Windows)**.
+
 4. Select **Download .zip**. The download is 3.31 GB.
+
 5. Extract the zip file. Three directories are created.
+
 6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
+
 7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
+
 8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
 
 If you have a PC available to convert to VM (computer 2):
@@ -242,6 +255,7 @@ If you have a PC available to convert to VM (computer 2):
     > The account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the network.
 
 2. [Determine the VM generation and partition type](#determine-the-vm-generation-and-partition-type) that is required.
+
 3. Based on the VM generation and partition type, perform one of the following procedures: [Prepare a generation 1 VM](#prepare-a-generation-1-vm), [Prepare a generation 2 VM](#prepare-a-generation-2-vm), or [prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk).
 
 #### Determine the VM generation and partition type
@@ -256,6 +270,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
 If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM.
 
 - To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
+
 - To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
 
   ```powershell
@@ -265,7 +280,7 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
 If the **Type** column doesn't indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
 
 ```powershell
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
 
 SystemName                           Caption                                 Type
 ----------                           -------                                 ----
@@ -276,7 +291,7 @@ USER-PC1                             Disk #0, Partition #1                   GPT
 On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
 
 ```powershell
-PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
+Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
 
 SystemName                            Caption                               Type
 ----------                            -------                               ----
@@ -293,34 +308,32 @@ Number Friendly Name                  OperationalStatus                     Tota
 0      INTEL SSDSCMMW240A3L           Online                                223.57 GB GPT
 ```
 
-<span id="determine-vm-generation"/>
-
-**Choosing a VM generation**
+##### Choosing a VM generation
 
 The following tables display the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
 
-**Windows 7 MBR**
+###### Windows 7 MBR
 
 |Architecture|VM generation|Procedure|
 |--- |--- |--- |
 |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
 |64|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
 
-**Windows 7 GPT**
+###### Windows 7 GPT
 
 |Architecture|VM generation|Procedure|
 |--- |--- |--- |
 |32|N/A|N/A|
 |64|1|[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)|
 
-**Windows 8 or later MBR**
+###### Windows 8 or later MBR
 
 |Architecture|VM generation|Procedure|
 |--- |--- |--- |
 |32|1|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
 |64|1, 2|[Prepare a generation 1 VM](#prepare-a-generation-1-vm)|
 
-**Windows 8 or later GPT**
+###### Windows 8 or later GPT
 
 |Architecture|VM generation|Procedure|
 |--- |--- |--- |
@@ -347,7 +360,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 3. Select the checkboxes next to the `C:\` and the **system reserved** (BIOS/MBR) volumes. The system volume isn't assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to `\?\Volume{`. See the following example.
 
     > [!IMPORTANT]
-    > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
+    > You must include the system volume in order to create a bootable VHD. If this volume isn't displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Choosing a VM generation](#choosing-a-vm-generation).
 
 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and select **Create**. See the following example:
 
@@ -374,13 +387,14 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 2. On the computer you wish to convert, open an elevated command prompt and type the following command:
 
-    ```console
-    mountvol s: /s
+    ```cmd
+    mountvol.exe s: /s
     ```
 
     This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
 
 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+
 4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy won't work if the EFI system partition is selected.
 
     > [!IMPORTANT]
@@ -394,7 +408,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
 
 6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
 
-    ```console
+    ```cmd
     C:\vhd>dir /B
     2012R2-poc-1.vhd
     2012R2-poc-2.vhd
@@ -409,6 +423,7 @@ The following tables display the Hyper-V VM generation to choose based on the OS
     You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface.
+
 3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**.
 
     > [!NOTE]
@@ -524,7 +539,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
     > [!NOTE]
     > The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues.
 
-5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
+5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Choosing a VM generation](#choosing-a-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT.
 
     To create a generation 1 VM (using c:\vhd\w7.vhdx):
 
@@ -574,19 +589,23 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
     The VM will automatically boot into Windows Setup. In the PC1 window:
 
    1. Select **Next**.
+
    2. Select **Repair your computer**.
+
    3. Select **Troubleshoot**.
+
    4. Select **Command Prompt**.
+
    5. Type the following command to save an image of the OS drive:
 
-      ```console
-      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
+      ```cmd
+      dism.exe /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
       ```
 
    6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
 
-      ```console
-      diskpart
+      ```cmd
+      diskpart.exe
       select disk 0
       clean
       convert MBR
@@ -601,14 +620,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
 
    7. Type the following commands to restore the OS image and boot files:
 
-      ```console
-      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
-      bcdboot c:\windows
+      ```cmd
+      dism.exe /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
+      bcdboot.exe c:\windows
       exit
       ```
 
    8. Select **Continue** and verify the VM boots successfully. Don't boot from DVD.
+
    9. Select **Ctrl+Alt+Del**, and then in the bottom right corner, select **Shut down**.
+
    10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
 
         ```powershell
@@ -626,8 +647,14 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
     ```
 
 2. Select **Next** to accept the default settings, read the license terms and select **I accept**, provide a strong administrator password, and select **Finish**.
+
 3. Select **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
+
+4. Right-click **Start**, point to **Shut down or sign out**, and select **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, select **Connect** and sign in again with the local Administrator account.
+
+   > [!NOTE]
+   > Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It's only necessary to do this action the first time you sign in to a new VM.
+
 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
 
     ```powershell
@@ -690,7 +717,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
 
     The following output should be displayed:
 
-    ```powershell
+    ```console
     UseRootHint        : True
     Timeout(s)         : 3
     EnableReordering   : True
@@ -752,8 +779,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
 
     To open Windows PowerShell on Windows 7, select **Start**, and search for "**power**." Right-click **Windows PowerShell** and then select **Pin to Taskbar** so that it's simpler to use Windows PowerShell during this lab. Select **Windows PowerShell** on the taskbar, and then type `ipconfig` at the prompt to see the client's current IP address. Also type `ping dc1.contoso.com` and `nltest /dsgetdc:contoso.com` to verify that it can reach the domain controller. See the following examples of a successful network connection:
 
-    ```console
-    ipconfig
+    ```cmd
+    ipconfig.exe
 
     Windows IP Configuration
 
@@ -841,7 +868,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
 
 25. Accept the default settings, read license terms and accept them, provide a strong administrator password, and select **Finish**. When you're prompted about finding PCs, devices, and content on the network, select **Yes**.
 
-26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
+26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. Enhanced session mode will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
 
 27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
 
@@ -909,11 +936,11 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
 
 33. In most cases, this process completes configuration of the PoC network. However, if your network has a firewall that filters queries from local DNS servers, you'll also need to configure a server-level DNS forwarder on SRV1 to resolve internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
 
-    ```powershell
-    ping www.microsoft.com
+    ```cmd
+    ping.exe www.microsoft.com
     ```
 
-    If you see "Ping request could not find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
+    If you see "Ping request couldn't find host `www.microsoft.com`" on PC1 and DC1, but not on SRV1, then you'll need to configure a server-level DNS forwarder on SRV1. To do this action, open an elevated Windows PowerShell prompt on SRV1 and type the following command.
 
     > [!NOTE]
     > This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
@@ -924,8 +951,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
 
 34. If DNS and routing are both working correctly, you'll see the following output on DC1 and PC1 (the IP address might be different, but that's OK):
 
-    ```powershell
-    PS C:\> ping www.microsoft.com
+    ```cmd
+    ping www.microsoft.com
 
     Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
     Reply from 23.222.146.170: bytes=32 time=3ms TTL=51
@@ -943,7 +970,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40 GB to
 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in three days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
 
     ```powershell
-    runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
+    runas.exe /noprofile /env /user:administrator@contoso.com "cmd.exe /c slmgr -rearm"
     Restart-Computer
     ```
 
@@ -963,7 +990,7 @@ Use the following procedures to verify that the PoC environment is configured pr
     Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
     Get-DhcpServerInDC
     Get-DhcpServerv4Statistics
-    ipconfig /all
+    ipconfig.exe /all
     ```
 
     **Get-Service** displays a status of "Running" for all three services.
@@ -988,8 +1015,8 @@ Use the following procedures to verify that the PoC environment is configured pr
     Get-Service DNS,RemoteAccess
     Get-DnsServerForwarder
     Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
-    ipconfig /all
-    netsh int ipv4 show address
+    ipconfig.exe /all
+    netsh.exe int ipv4 show address
     ```
 
     **Get-Service** displays a status of "Running" for both services.
@@ -1004,38 +1031,38 @@ Use the following procedures to verify that the PoC environment is configured pr
 
 3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
 
-    ```powershell
-    whoami
-    hostname
-    nslookup www.microsoft.com
-    ping -n 1 dc1.contoso.com
-    tracert www.microsoft.com
+    ```cmd
+    whoami.exe
+    hostname.exe
+    nslookup.exe www.microsoft.com
+    ping.exe -n 1 dc1.contoso.com
+    tracert.exe www.microsoft.com
     ```
 
-    **whoami** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
+    **whoami.exe** displays the current user context, for example in an elevated Windows PowerShell prompt, contoso\administrator is displayed.
 
-    **hostname** displays the name of the local computer, for example W7PC-001.
+    **hostname.exe** displays the name of the local computer, for example W7PC-001.
 
-    **nslookup** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
+    **nslookup.exe** displays the DNS server used for the query, and the results of the query. For example, server `dc1.contoso.com`, address 192.168.0.1, Name `e2847.dspb.akamaiedge.net`.
 
-    **ping** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "could not find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
+    **ping.exe** displays if the source can resolve the target name, and whether or not the target responds to ICMP. If it can't be resolved, "couldn't find host" will be displayed. If the target is found and also responds to ICMP, you'll see "Reply from" and the IP address of the target.
 
-    **tracert** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
+    **tracert.exe** displays the path to reach the destination, for example `srv1.contoso.com` [192.168.0.2] followed by a list of hosts and IP addresses corresponding to subsequent routing nodes between the source and the destination.
 
 ## Appendix B: Terminology used in this guide
 
 |Term|Definition|
 |--- |--- |
-|GPT|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
-|Hyper-V|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
-|Hyper-V host|The computer where Hyper-V is installed.|
-|Hyper-V Manager|The user-interface console used to view and configure Hyper-V.|
-|MBR|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
-|Proof of concept (PoC)|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
-|Shadow copy|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
-|Virtual machine (VM)|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
-|Virtual switch|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
-|VM snapshot|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
+|**GPT**|GUID partition table (GPT) is an updated hard-disk formatting scheme that enables the use of newer hardware. GPT is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions.|
+|**Hyper-V**|Hyper-V is a server role introduced with Windows Server 2008 that lets you create a virtualized computing environment. Hyper-V can also be installed as a Windows feature on Windows client operating systems, starting with Windows 8.|
+|**Hyper-V host**|The computer where Hyper-V is installed.|
+|**Hyper-V Manager**|The user-interface console used to view and configure Hyper-V.|
+|**MBR**|Master Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.|
+|**Proof of concept (PoC)**|Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.|
+|**Shadow copy**|A copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.|
+|**Virtual machine (VM)**|A VM is a virtual computer with its own operating system, running on the Hyper-V host.|
+|**Virtual switch**|A virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.|
+|**VM snapshot**|A point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken.|
 
 ## Next steps
 
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index 8b30ea5825..7bfe334519 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -1,26 +1,23 @@
 ---
 title: Switch to Windows 10 Pro/Enterprise from S mode
 description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.localizationpriority: medium
-ms.prod: w10
-ms.collection:
+ms.prod: windows-client
+ms.collection: 
   - M365-modern-desktop
-  - highpri
 ms.topic: article
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Switch to Windows 10 Pro or Enterprise from S mode
 
-We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later. 
-
-
-A number of other transformations are possible depending on which version and edition of Windows 10 you are starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
-
-
+We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro, Home, or Enterprise (not in S mode). You can switch devices running Windows 10, version 1709 or later.
 
+Many other transformations are possible depending on which version and edition of Windows 10 you're starting with. Depending on the details, you might *switch* between S mode and the ordinary version or *convert* between different editions while staying in or out of S mode. The following quick reference table summarizes all of the switches or conversions that are supported by various means:
 
 | If a device is running this version of Windows 10 | and this edition of Windows 10       | then you can switch or convert it to this edition of Windows 10 by these methods: |             &nbsp;                         | &nbsp;|
 |-------------|---------------------|-----------------------------------|-------------------------------|--------------------------------------------|
@@ -39,47 +36,50 @@ A number of other transformations are possible depending on which version and ed
 |             | Home in S mode      | Not by any method                    | Home                          | Home                                       |
 |             | Home                | Not by any method                    | Not by any method                | Not by any method                             |
 
-
 Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+
 > [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+> While it's free to switch to Windows 10 Pro, it's not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
 
 ## Switch one device through the Microsoft Store
+
 Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
 
 Note these differences affecting switching modes in various releases of Windows 10:
 
 - In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store or **Settings**. No other switches are possible.
+
 - In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or **Settings**.
--  Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
 
+- Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store, **Settings**, or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
+
+1. Sign into the Microsoft Store using your Microsoft account.
 
-1. Sign into the Microsoft Store using your Microsoft account. 
 2. Search for "S mode".
+
 3. In the offer, select **Buy**, **Get**, or **Learn more.**
 
 You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
 
 ## Switch one or more devices by using Microsoft Intune
 
-Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
+Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE. Switching out of S mode gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
 
 1. Start Microsoft Intune.
-2. Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
-3. Follow the instructions to complete the switch.
 
+2. Navigate to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch**.
+
+3. Follow the instructions to complete the switch.
 
 ## Block users from switching
 
-You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
-To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
+You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10. To set this policy, go to **Device configuration** > **Profiles** > **Windows 10 and later** > **Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
 
 ## S mode management with CSPs
 
 In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
 
-
-## Related topics
+## Related articles
 
 [FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)<br>
 [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)<BR>
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index e59eefbb34..af9938ad6a 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -2,21 +2,21 @@
 title: Windows subscription activation
 description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions.
 ms.prod: windows-client
-ms.technology: itpro-deploy
+ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
-ms.collection:
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.collection: 
   - M365-modern-desktop
   - highpri
-search.appverid:
-- MET150
+search.appverid: 
+  - MET150
 ms.topic: conceptual
-ms.date: 07/12/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+ms.date: 11/23/2022
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
 ---
 
 # Windows subscription activation
@@ -83,7 +83,7 @@ The following list illustrates how deploying Windows client has evolved with eac
 
 - **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled.
 
-- **Windows 10, version 1903** updated Windows 10 subscription activation to enable step up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription.
+- **Windows 10, version 1903** updated Windows 10 subscription activation to enable step-up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription.
 
 - **Windows 11, version 21H2** updated subscription activation to work on both Windows 10 and Windows 11 devices.
 
@@ -98,7 +98,7 @@ The following list illustrates how deploying Windows client has evolved with eac
 > The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
 
 > [!IMPORTANT]
-> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants.<!-- 6783128 --> For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
 
 For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
 
@@ -144,7 +144,7 @@ You can benefit by moving to Windows as an online service in the following ways:
 > [!NOTE]
 > The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
 
-The device is Azure AD-joined from **Settings > Accounts > Access work or school**.
+The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**.
 
 You assign Windows 10 Enterprise to a user:
 
@@ -161,9 +161,9 @@ The following figure summarizes how the subscription activation model works:
 
 > [!NOTE]
 >
-> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
+> - A Windows 10 Pro Education device will only step-up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
 >
-> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
+> - A Windows 10 Pro device will only step-up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center.
 
 ### Scenarios
 
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index a95ebcecdc..f38cf33ebe 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -1,87 +1,83 @@
 ---
 title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
 description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
-ms.prod: w10
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.prod: windows-client
 ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/23/2022
 ms.topic: article
+ms.technology: itpro-deploy
 ---
 
 # Windows ADK for Windows 10 scenarios for IT Pros
 
+The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
 
-The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-
-In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
+In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
 
 Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
 
-### Create a Windows image using command-line tools
+## Create a Windows image using command-line tools
 
 [DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.
 
 Here are some things you can do with DISM:
 
--   [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
--   [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
--   [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
--   [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
--   [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
--   [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
--   [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
+- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
+- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
+- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
+- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
+- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
+- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
 
 [Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation.
 
 Here are some things you can do with Sysprep:
 
--   [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
--   [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
--   [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
+- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
+- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
+- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
 
-[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
+[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that doesn't have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
 
 Here are ways you can create a WinPE image:
 
--   [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
--   [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
 
 [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems.
 
 Here are some things you can do with Windows RE:
 
--   [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
--   [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
+- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
+- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
 
 [Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation.
 
 Here are some things you can do with Windows SIM:
 
--   [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
--   [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
--   [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
--   [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
+- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
+- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
+- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
+- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
 
 For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
 
 ### Create a provisioning package using Windows ICD
 
-Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) or Windows 10 IoT Core (IoT Core) image.
+Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) or Windows 10 IoT Core (IoT Core) image.
 
 Here are some things you can do with Windows ICD:
 
--   [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
--   [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
 
 ### IT Pro Windows deployment tools
 
 There are also a few tools included in the Windows ADK that are specific to IT Pros and this documentation is available on TechNet:
 
--   [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
--   [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
-
- 
-
- 
+- [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
+- [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index f2950818eb..5d1978ac7a 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -50,6 +50,19 @@
                       href: operate/windows-autopatch-wqu-end-user-exp.md
                     - name: Windows quality update signals
                       href: operate/windows-autopatch-wqu-signals.md
+                    - name: Windows quality update reports
+                      href: operate/windows-autopatch-wqu-reports-overview.md
+                      items:
+                        - name: Summary dashboard
+                          href: operate/windows-autopatch-wqu-summary-dashboard.md
+                        - name: All devices report
+                          href: operate/windows-autopatch-wqu-all-devices-report.md
+                        - name: All devices report—historical
+                          href: operate/windows-autopatch-wqu-all-devices-historical-report.md
+                        - name: Eligible devices report—historical
+                          href: operate/windows-autopatch-wqu-eligible-devices-historical-report.md
+                        - name: Ineligible devices report—historical
+                          href: operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
                 - name: Windows feature updates
                   href: operate/windows-autopatch-fu-overview.md
                   items:
@@ -86,4 +99,9 @@
         - name: Privacy
           href: references/windows-autopatch-privacy.md
         - name: Windows Autopatch preview addendum
-          href: references/windows-autopatch-preview-addendum.md
\ No newline at end of file
+          href: references/windows-autopatch-preview-addendum.md
+    - name: What's new
+      href:
+      items: 
+        - name: What's new 2022
+          href: whats-new/windows-autopatch-whats-new-2022.md
\ No newline at end of file
diff --git a/windows/deployment/windows-autopatch/deploy/index.md b/windows/deployment/windows-autopatch/deploy/index.md
index b91c6a7098..00fc06d01d 100644
--- a/windows/deployment/windows-autopatch/deploy/index.md
+++ b/windows/deployment/windows-autopatch/deploy/index.md
@@ -2,8 +2,8 @@
 title: Deploying with Windows Autopatch
 description: Landing page for the deploy section
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index 7793b6cb5d..d3cf70f023 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -1,9 +1,9 @@
 ---
 title: Add and verify admin contacts
-description:  This article explains how to add and verify admin contacts
+description: This article explains how to add and verify admin contacts
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -35,7 +35,7 @@ Your admin contacts will receive notifications about support request updates and
 
 **To add admin contacts:**
 
-1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**.
 1. Select **+Add**.
 1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index db27bd42d6..d1e52e4ced 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -1,9 +1,9 @@
 ---
 title: Device registration overview
-description:  This article provides an overview on how to register devices in Autopatch
+description: This article provides an overview on how to register devices in Autopatch
 ms.date: 10/5/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -44,7 +44,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | ----- | ----- |
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
 | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. |
-| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
+| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
 | **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
 | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
 | **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li></ol> |
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index ad127f56ad..985c852e6f 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -1,9 +1,9 @@
 ---
 title: Post-device registration readiness checks
-description:  This article details how post-device registration readiness checks are performed in Windows Autopatch
+description: This article details how post-device registration readiness checks are performed in Windows Autopatch
 ms.date: 09/16/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -49,7 +49,7 @@ Windows Autopatch has three tabs within its Devices blade. Each tab is designed
 | Tab | Description |
 | ----- | ----- |
 | Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:<ul><li>Passed the prerequisite checks.</li><li>Registered with Windows Autopatch.</li></ul>This tab also lists devices that have passed all postdevice registration readiness checks. |
-| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.<ul><li>**Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.</li><li>**Inactive**: Devices that haven’t communicated with the Microsoft Endpoint Manager-Intune service in the last 28 days.</li></ul> |
+| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.<ul><li>**Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.</li><li>**Inactive**: Devices that haven’t communicated with the Microsoft Intune service in the last 28 days.</li></ul> |
 | Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. |
 
 ## Details about the post-device registration readiness checks
@@ -67,9 +67,9 @@ The following list of post-device registration readiness checks is performed in
 | Check | Description |
 | ----- | ----- |
 | **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. |
-| **Windows update policies managed via Microsoft Endpoint Manager-Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Endpoint Manager-Intune (MDM). |
-| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Endpoint Manager-Intune. |
-| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Endpoint Manager-Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
+| **Windows update policies managed via Microsoft Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Intune (MDM). |
+| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. |
+| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
 | **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. |
 | **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. |
 | **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. |
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 24e6cd2c31..eff03275a8 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,9 +1,9 @@
 ---
 title: Register your devices
-description:  This article details how to register devices in Autopatch
+description: This article details how to register devices in Autopatch
 ms.date: 09/07/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -71,13 +71,13 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
 
 - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture).
 - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
-- Managed by Microsoft Endpoint Manager.
-    - [Already enrollled into Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) and/or [Configuration Manager co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
-        - Must switch the following Microsoft Endpoint Manager-Configuration Manager [co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune):
+- Managed by Microsoft Intune.
+    - [Already enrolled into Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) and/or [Configuration Manager co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
+        - Must switch the following Microsoft Configuration Manager [co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Intune (either set to Pilot Intune or Intune):
             - Windows updates policies
             - Device configuration
             - Office Click-to-run
-- Last Intune device check-in completed within the last 28 days.
+- Last Intune device check in completed within the last 28 days.
 - Devices must have Serial Number, Model and Manufacturer.
 	> [!NOTE]
 	> Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
@@ -102,7 +102,7 @@ See all possible device readiness statuses in Windows Autopatch:
 | ----- | ----- | ----- |
 | Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. |  Ready |
 | Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready |
-| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready |
+| Inactive | Devices with this status haven't communicated with Microsoft Intune in the last 28 days. | Not ready |
 | Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered |
 
 ## Built-in roles required for device registration
@@ -116,7 +116,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo
 For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
 
 > [!NOTE]
-> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
+> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Intune roles, and allows you to create and configure custom Intune roles.
 
 ## Details about the device registration process
 
@@ -134,7 +134,7 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID
 
 **To register devices with Windows Autopatch:**
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Devices**.
 4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
@@ -154,7 +154,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
 
 **To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:**
 
-1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
+1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. In the left pane, select **Devices**.
 1. Navigate to Provisioning > **Windows 365**.
 1. Select Provisioning policies > **Create policy**.
@@ -211,7 +211,7 @@ There's a few more device management lifecycle scenarios to consider when planni
 
 ### Device refresh
 
-If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Endpoint Manager to reimage the device.
+If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device.
 
 The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same.
 
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index b99aeb0317..ee3fd80449 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -13,6 +13,8 @@ metadata:
   ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
   ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
   ms.custom: intro-hub-or-landing
+  ms.collection:
+  - highpri
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
 
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png
new file mode 100644
index 0000000000..4a7cf97197
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png
new file mode 100644
index 0000000000..31350b563f
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png
new file mode 100644
index 0000000000..cb56852f3d
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png
new file mode 100644
index 0000000000..2aeacfd0d5
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png
new file mode 100644
index 0000000000..82cb1b1fcd
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png differ
diff --git a/windows/deployment/windows-autopatch/operate/index.md b/windows/deployment/windows-autopatch/operate/index.md
index 88dfceb72d..125ddc43b1 100644
--- a/windows/deployment/windows-autopatch/operate/index.md
+++ b/windows/deployment/windows-autopatch/operate/index.md
@@ -2,8 +2,8 @@
 title: Operating with Windows Autopatch
 description: Landing page for the operate section
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
index 4fe92e457d..15b45c91d4 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -1,9 +1,9 @@
 ---
 title: Deregister a device
-description:  This article explains how to deregister devices
+description: This article explains how to deregister devices
 ms.date: 06/15/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -18,7 +18,7 @@ To avoid end-user disruption, device deregistration in Windows Autopatch only de
 
 **To deregister a device:**
 
-1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Windows Autopatch** in the left navigation menu.
 1. Select **Devices**.
 1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
@@ -42,7 +42,7 @@ You can hide unregistered devices you don't expect to be remediated anytime soon
 
 **To hide unregistered devices:**
 
-1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Windows Autopatch** in the left navigation menu.
 1. Select **Devices**.
 1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
index 988fb95d21..bc8fc2e428 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -1,9 +1,9 @@
 ---
 title: Microsoft Edge
-description:  This article explains how Microsoft Edge updates are managed in Windows Autopatch
+description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
index 50e4fd586e..dec4bcff3a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
@@ -1,9 +1,9 @@
 ---
 title: Windows feature update end user experience
-description:  This article explains the Windows feature update end user experience
+description: This article explains the Windows feature update end user experience
 ms.date: 07/11/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -25,7 +25,7 @@ In this section we'll review what an end user would see in the following three s
 3. Feature update grace period
 
 > [!NOTE]
-> Windows Autopatch doesn't yet support feature updates without notifying end users.
+> Windows Autopatch doesn't yet support feature updates without notifying end users.<p>The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.</p>
 
 ### Typical update experience
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
index 1f19a0fd64..fbf827b7a7 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
@@ -1,9 +1,9 @@
 ---
 title: Windows feature updates
-description:  This article explains how Windows feature updates are managed in Autopatch
+description: This article explains how Windows feature updates are managed in Autopatch
 ms.date: 07/11/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -31,7 +31,7 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut
 | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
 | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
-| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) |
+| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) |
 
 ## Windows feature update releases
 
@@ -73,7 +73,7 @@ When releasing a feature update, there are two policies that are configured by t
 
 During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline.  
 
-To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods effect devices.
+To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods affect devices.
 
 | Policy | Description |
 | ----- | ----- |
@@ -93,7 +93,7 @@ To allow customers to test Windows 11 in their environment, there's a separate D
 
 ## Pausing and resuming a release
 
-You can pause or resume a Windows feature update from the Release management tab in Microsoft Endpoint Manager.
+You can pause or resume a Windows feature update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 ## Rollback
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index dc4f572c12..c5a7514fc4 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -1,9 +1,9 @@
 ---
 title: Maintain the Windows Autopatch environment
-description:  This article details how to maintain the Windows Autopatch environment
+description: This article details how to maintain the Windows Autopatch environment
 ms.date: 07/11/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index d3ef9e518e..3089035470 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,9 +1,9 @@
 ---
 title: Microsoft 365 Apps for enterprise
-description:  This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch
+description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch
 ms.date: 08/08/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -23,9 +23,8 @@ Windows Autopatch aims to keep at least 90% of eligible devices on a [supported
 
 ## Device eligibility
 
-For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a part of Windows Autopatch, they must meet the following criteria:  
+For a device to be eligible for Microsoft 365 Apps for enterprise updates (both 32-bit and 64-bit versions), as a part of Windows Autopatch, they must meet the following criteria:  
 
-- Microsoft 365 Apps for enterprise 64-bit must be installed.
 - There are no policy conflicts between Microsoft Autopatch policies and customer policies.
 - The device must have checked into the Intune service in the last five days.
 
@@ -86,7 +85,7 @@ Since quality updates are bundled together into a single release in the [Monthly
 
 [Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting.
 
-A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
+A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
 
 However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload.
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index dbb8cdf6e1..ab63a52ddf 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -1,9 +1,9 @@
 ---
 title: Submit a support request
-description:  Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
+description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -25,7 +25,7 @@ Support requests are triaged and responded to as they're received.
 
 **To submit a new support request:**
 
-1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu.
 1. In the **Windows Autopatch** section, select **Support requests**.
 1. In the **Support requests** section, select **+ New support request**.
 1. Enter your question(s) and/or a description of the problem.
@@ -42,7 +42,7 @@ You can see the summary status of all your support requests. At any time, you ca
 
 **To view all your active support requests:**
 
-1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. From this view, you can export the summary view or select any case to view the details.
 
@@ -52,7 +52,7 @@ You can edit support request details, for example, updating the primary case con
 
 **To edit support request details:**
 
-1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
+1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu.
 1. In the **Windows Autopatch** section, select **Support request**.
 1. In the **Support requests** section, use the search bar or filters to find the case you want to edit.
 1. Select the case to open the request's details.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
index 8cf360c310..3a14dd0be0 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -1,9 +1,9 @@
 ---
 title: Microsoft Teams
-description:  This article explains how Microsoft Teams updates are managed in Windows Autopatch
+description: This article explains how Microsoft Teams updates are managed in Windows Autopatch
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
index 9d1f37b506..ec414612c4 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
@@ -1,9 +1,9 @@
 ---
 title: Unenroll your tenant
-description:  This article explains what unenrollment means for your organization and what actions you must take. 
+description: This article explains what unenrollment means for your organization and what actions you must take.
 ms.date: 07/27/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -41,7 +41,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
 | ----- | ----- |
 | Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices.  You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
 | Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). |
-| Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. |
+| Microsoft Intune roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. |
 
 ## Unenroll from Windows Autopatch
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index 3169d13cff..549d7d5bba 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -1,9 +1,9 @@
 ---
 title: Software update management
-description:  This article provides an overview of how updates are handled in Autopatch
+description: This article provides an overview of how updates are handled in Autopatch
 ms.date: 08/08/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: overview
 ms.localizationpriority: medium
 author: tiaraquan
@@ -64,7 +64,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg
 | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0–500** devices: minimum **one** device.</li><li>**500–5000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
 | First |  **1%** | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
 | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.<p><p>The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.</p> |
-| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.|
+| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.|
 
 ## Moving devices in between deployment rings
 
@@ -72,7 +72,7 @@ If you want to move separate devices to different deployment rings, after Window
 
 **To move devices in between deployment rings:**
 
-1. In Microsoft Endpoint Manager, select **Devices** in the left pane.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
 2. In the **Windows Autopatch** section, select **Devices**.
 3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
 4. Select **Device actions** from the menu.
@@ -82,7 +82,7 @@ If you want to move separate devices to different deployment rings, after Window
 When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment.
 
 > [!NOTE]
-> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.<p>If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
+> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.<p>If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
   
 > [!WARNING]   
 > Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md
new file mode 100644
index 0000000000..3808dd45a7
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md
@@ -0,0 +1,40 @@
+---
+title: All devices report—historical
+description: Provides a visual representation of the update status trend for all devices over the last 90 days. 
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# All devices report—historical
+
+The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+**To view the historical All devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **All devices report—historical**.
+
+:::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png":::
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md
new file mode 100644
index 0000000000..5536a42c04
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md
@@ -0,0 +1,56 @@
+---
+title: All devices report
+description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.  
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# All devices report
+
+The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
+
+**To view the All devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **All devices report**.
+
+:::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png":::
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
+
+## Report information
+
+The following information is available in the All devices report:
+
+| Column name | Description |
+| ----- | ----- |
+| Device name | The name of the device. |
+| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. |
+| Serial number | The current Intune recorded serial number for the device. |
+| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
+| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)). |
+| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)) |
+| OS version | The current version of Windows installed on the device. |
+| OS revision | The current revision of Windows installed on the device. |
+| Intune last check in time | The last time the device checked in to Intune. |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Search | Use to search by device name, Azure AD device ID or serial number |
+| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
index 335abbb361..ffb70992db 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
@@ -1,9 +1,9 @@
 ---
 title: Windows quality and feature update communications
-description:  This article explains Windows quality update communications
+description: This article explains Windows quality update communications
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -34,7 +34,7 @@ Communications are posted to Message center, Service health dashboard, and the W
 
 ## Communications during release
 
-The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the Microsoft Endpoint Manager portal shortly after Autopatch becomes aware of the new information.
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
 
 There are some circumstances where Autopatch will need to change the release schedule based on new information.
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md
new file mode 100644
index 0000000000..4e4e383213
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md
@@ -0,0 +1,40 @@
+---
+title: Eligible devices report—historical
+description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days. 
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Eligible devices report—historical
+
+The historical Eligible devices report provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days.
+
+**To view the historical Eligible devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **Eligible devices report—historical**.
+
+:::image type="content" source="../media/windows-autopatch-eligible-devices-historical-report.png" alt-text="Eligible devices—historical report" lightbox="../media/windows-autopatch-eligible-devices-historical-report.png":::
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
index b83dc059df..9f8570c024 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
@@ -1,9 +1,9 @@
 ---
 title: Windows quality update end user experience
-description:  This article explains the Windows quality update end user experience
+description: This article explains the Windows quality update end user experience
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -24,6 +24,9 @@ In this section we'll review what an end user would see in the following three s
 2. Quality update deadline forces an update
 3. Quality update grace period
 
+> [!NOTE]
+> The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.
+
 ### Typical update experience
 
 The Windows 10 quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
new file mode 100644
index 0000000000..733ee98e88
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
@@ -0,0 +1,43 @@
+---
+title: Ineligible devices report—historical
+description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.  
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Ineligible devices report—historical
+
+The historical Ineligible devices report provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days.
+
+> [!NOTE]
+> Devices must have at least six hours of usage, with at least two hours being continuous. You may see an increase in the number of ineligible devices when the widget refreshes every second Tuesday of each month.
+
+**To view the historical Ineligible devices report:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **Ineligible devices report—historical**.
+
+:::image type="content" source="../media/windows-autopatch-ineligible-devices-historical-report.png" alt-text="Ineligible devices—historical report" lightbox="../media/windows-autopatch-ineligible-devices-historical-report.png":::
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index a8da5aeb86..f2d4f477af 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -1,9 +1,9 @@
 ---
 title: Windows quality updates
-description:  This article explains how Windows quality updates are managed in Autopatch
+description: This article explains how Windows quality updates are managed in Autopatch
 ms.date: 08/08/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -31,7 +31,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
 | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
 | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
-| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) |
+| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) |
 
 ## Windows quality update releases
 
@@ -72,7 +72,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
 
 If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
 
-You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager.
+You can pause or resume a Windows quality update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 ## Incidents and outages
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md
new file mode 100644
index 0000000000..739953b809
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md
@@ -0,0 +1,110 @@
+---
+title: Windows quality update reports
+description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch 
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Windows quality update reports
+
+The Windows quality update reports provide you information about:
+
+- Quality update device eligibility
+- Device update health
+- Device update trends  
+
+Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.  
+
+The report types are organized into the following focus areas:
+
+| Focus area | Description |
+| ----- | ----- |
+| Operational detail | <ul><li>[Summary dashboard](windows-autopatch-wqu-summary-dashboard.md): Provides the current update status summary for all devices.</li><li>[All devices report](windows-autopatch-wqu-all-devices-report.md): Provides the current update status of all devices at the device level.</li></ul> |
+| Device trends | <ul><li>[All devices report – historical](windows-autopatch-wqu-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.</li><li>[Eligible devices report – historical](windows-autopatch-wqu-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.</li><li>[Ineligible devices report – historical](windows-autopatch-wqu-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices haven’t received quality updates over the last 90 days.</li></ul> |
+
+## Who can access the reports?
+
+Users with the following permissions can access the reports:
+
+- Global Administrator
+- Intune Service Administrator
+- Administrators assigned to an Intune role with read permissions
+
+## About data latency
+
+The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours.
+
+## Windows quality update statuses
+
+The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices:  
+
+- [Healthy devices](#healthy-devices)
+- [Not Up to Date (Microsoft Action)](#not-up-to-date-microsoft-action)
+- [Ineligible Devices (Customer Action)](#ineligible-devices-customer-action)
+
+Each status has its own set of sub statuses to further describe the status.
+
+### Healthy devices
+
+Healthy devices are devices that meet all of the following prerequisites:
+
+- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
+- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
+- [Windows quality update device eligibility](../operate/windows-autopatch-wqu-overview.md#device-eligibility)
+
+> [!NOTE]
+> Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy.
+
+| Sub status | Description |
+| ----- | ----- |
+| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
+| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
+| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). |
+
+### Not Up to Date (Microsoft Action)
+
+Not Up to Date means a device isn’t up to date when the:
+
+- Quality update is more than a month out of date, or the device is on last month’s quality update  
+- Device is more than 21 days overdue from the last release.
+
+> [!NOTE]
+> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-wqu-overview.md#service-level-objective).
+
+| Sub status | Description |
+| ----- | ----- |
+| No Heartbeat | The Windows Update service hasn’t been able to connect to this device. The service can’t offer the update to that device. |
+| Not Offered | The Windows Update service hasn’t offered the update to that device. |
+| Policy Blocking Update | This device has a policy that is blocking the update, such as a deferral or pause policy. Devices are only in this state after the 21-day threshold. |
+| In Progress—Stuck | This device has downloaded the update but is getting stuck in a loop during the install process. The update isn’t complete. |
+| Other | This device isn't up to date and isn’t reporting back data from the client. |
+
+### Ineligible Devices (Customer Action)
+
+Customer Action refers to the responsibility of the designated customer IT administrator to carry out the appropriate action to resolve the reported device sub status.  
+
+Within each 24-hour reporting period, devices that are ineligible are updated with one of the following sub statuses.
+
+| Sub status | Description |
+| ----- | ----- |
+| Insufficient Usage | Devices must have at least six hours of usage, with at least two hours being continuous. |
+| Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). |
+| Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. |
+| Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
+| Not On Supported on Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
+| Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). |
+| Intune Sync Older Than 5 Days | Devices must have checked with Intune within the last five days. |
+
+## Data export
+
+Select **Export devices** to export data for each report type.  
+
+> [!NOTE]
+> You can’t export Windows Autopatch report data using Microsoft Graph RESTful web API.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
index d8b16b880a..be5becc700 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
@@ -1,9 +1,9 @@
 ---
 title: Windows quality update signals
-description:  This article explains the Windows quality update signals
+description: This article explains the Windows quality update signals
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md
new file mode 100644
index 0000000000..735136be22
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md
@@ -0,0 +1,44 @@
+---
+title: Summary dashboard
+description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch. 
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: adnich
+---
+
+# Summary dashboard
+
+The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+
+**To view the current update status for all your enrolled devices:**
+
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+
+:::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png":::
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page.
+
+## Report information
+
+The following information is available in the Summary dashboard:
+
+| Column name | Description |
+| ----- | ----- |
+| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). |
+| Devices | The number of devices showing as applicable for the state. |
+
+## Report options
+
+The following option is available:
+
+| Option | Description |
+| ----- | ----- |
+| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process will ensure that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
index 1ee72bdfda..1c19a4bac4 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
@@ -1,15 +1,15 @@
 ---
 title: Windows update policies
-description:  This article explains Windows update policies in Windows Autopatch
-ms.date: 07/07/2022
-ms.prod: w11
-ms.technology: windows
+description: This article explains Windows update policies in Windows Autopatch
+ms.date: 12/02/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+msreviewer: adnich
 ---
 
 # Windows update policies
@@ -109,8 +109,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de
 | [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.<p><p>Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
 | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.<p><p>This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. |
 
-### Group policy
+### Group policy and other policy managers
 
-Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management:
+Group policy as well as other policy managers can take precedence over mobile device management (MDM) policies. For Windows quality updates, if any policies or configurations are detected which modify the following hives in the registry, the device could become ineligible for management:
 
-`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
+- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
+- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index df7c2b8966..7f5b4cf23e 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -111,6 +111,9 @@ sections:
       - question: What support is available for customers who need help with onboarding to Windows Autopatch?
         answer: |
           The FastTrack Center is the primary mode of support for customers who need assistance from Microsoft to meet the pre-requisites (such as Intune and Azure or Hybrid AD) for onboarding to Windows Autopatch. For more information, see [Microsoft FastTrack for Windows Autopatch](../operate/windows-autopatch-support-request.md#microsoft-fasttrack). When you've onboarded with Windows Autopatch, you can [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team.
+      - question: Does Windows Autopatch Support Dual Scan for Windows Update?
+        answer: |
+          Dual Scan for Windows has been deprecated and replaced with the [scan source policy](/windows/deployment/update/wufb-wsus). Windows Autopatch supports the scan source policy if the Feature updates, and Windows quality updates workloads are configured for Windows update. If Feature and Windows updates are configured for WSUS, it could cause disruptions to the service and your release schedules.
   - name: Other
     questions:
       - question: Are there Autopatch specific APIs or PowerShell scripts available?
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 107f37c50e..88cdfa1b6b 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,15 +1,17 @@
 ---
 title: What is Windows Autopatch?
-description:  Details what the service is and shortcuts to articles
+description: Details what the service is and shortcuts to articles
 ms.date: 07/11/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
 msreviewer: hathind
+ms.collection: 
+  - highpri
 ---
 
 # What is Windows Autopatch?
diff --git a/windows/deployment/windows-autopatch/prepare/index.md b/windows/deployment/windows-autopatch/prepare/index.md
index 903d732865..49198d3b87 100644
--- a/windows/deployment/windows-autopatch/prepare/index.md
+++ b/windows/deployment/windows-autopatch/prepare/index.md
@@ -2,8 +2,8 @@
 title: Preparing for Windows Autopatch
 description: Landing page for the prepare section
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index 93a0fbe3bd..a1c0a63417 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -1,9 +1,9 @@
 ---
 title: Configure your network
-description:  This article details the network configurations needed for Windows Autopatch
+description: This article details the network configurations needed for Windows Autopatch
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -47,3 +47,9 @@ There are URLs from several Microsoft products that must be in the allowed list
 | Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) |
 | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
 | Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
+
+### Delivery Optimization
+
+Delivery Optimization is a peer-to-peer distribution technology available in Windows 10 and Windows 11 that allows devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Delivery Optimization can help reduce network bandwidth because the device can get portions of the update from another device on the same local network instead of having to download the update completely from Microsoft.
+
+Windows Autopatch supports and recommends you configure and validate Delivery Optimization when you enroll into the Window Autopatch service. For more information, see [What is Delivery Optimization?](/windows/deployment/do/waas-delivery-optimization)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index cb7b64d172..2dfa7a8912 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -1,9 +1,9 @@
 ---
 title: Enroll your tenant
-description:  This article details how to enroll your tenant
+description: This article details how to enroll your tenant
 ms.date: 07/11/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -19,7 +19,7 @@ Before you enroll in Windows Autopatch, there are settings, and other parameters
 > [!IMPORTANT]
 > You must be a Global Administrator to enroll your tenant.
 
-The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.  
+The Readiness assessment tool, accessed in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.  
 
 ## Step 1: Review all prerequisites
 
@@ -30,18 +30,18 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
 > [!IMPORTANT]
 > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the  tool again.
 
-The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
+The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
 
 **To access and run the Readiness assessment tool:**
 
 > [!IMPORTANT]
 > You must be a Global Administrator to run the Readiness assessment tool.
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**.
 
 > [!IMPORTANT]
-> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses).
+> All Intune customers can see the Windows Autopatch Tenant enrollment blade. However, if you don't meet the prerequisites or have the proper licensing, you won't be able to enroll into the Windows Autopatch service. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses).
 
 The Readiness assessment tool checks the following settings:
 
@@ -109,7 +109,7 @@ Windows Autopatch retains the data associated with these checks for 12 months af
 
 **To delete the data we collect:**
 
-1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Navigate to Windows Autopatch > **Tenant enrollment**.
 3. Select **Delete all data**.
 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index ae202548a6..854b107c86 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -1,9 +1,9 @@
 ---
 title: Fix issues found by the Readiness assessment tool
-description:  This article details how to fix issues found by the Readiness assessment tool
-ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+description: This article details how to fix issues found by the Readiness assessment tool
+ms.date: 11/17/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: how-to
 ms.localizationpriority: medium
 author: tiaraquan
@@ -32,7 +32,7 @@ For each check, the tool will report one of four possible results:
 
 ## Microsoft Intune settings
 
-You can access Intune settings at the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+You can access Intune settings at the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 ### Unlicensed admins
 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index d5f7c38027..f7420e1f3e 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,9 +1,9 @@
 ---
 title: Prerequisites
-description:  This article details the prerequisites needed for Windows Autopatch
+description: This article details the prerequisites needed for Windows Autopatch
 ms.date: 09/16/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -29,7 +29,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
 
 ## More about licenses
 
-Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch:
+Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch:
 
 | License | ID | GUID number |
 | ----- | ----- | ------|
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index d04beca815..a57f79bc4e 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -1,9 +1,9 @@
 ---
 title: Changes made at tenant enrollment
-description:  This reference article details the changes made to your tenant when enrolling into Windows Autopatch
-ms.date: 08/08/2022
-ms.prod: w11
-ms.technology: windows
+description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
+ms.date: 12/01/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: reference
 ms.localizationpriority: medium
 author: tiaraquan
@@ -17,9 +17,19 @@ msreviewer: hathind
 The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service.
 
 > [!IMPORTANT]
-> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.  
+> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
 
-## Service principal
+## Windows Autopatch enterprise applications
+
+Enterprise applications are applications (software) that a business uses to do its work.
+
+Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
+
+| Enterprise application name | Usage | Permissions |
+| ----- | ------ | ----- |
+| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
+
+### Service principal
 
 Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:  
 
@@ -38,40 +48,21 @@ Windows Autopatch will create Azure Active Directory groups that are required to
 | Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters |
 | Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
 | Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
-| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10<p>Group Rule:<ul><li>`(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`</li><li>`(device.deviceOSVersion -notStartsWith \"10.0.22000\")`</li></ul><br>Exclusions:<ul><li>Modern Workplace - Telemetry Settings for Windows 11</li></ul>  |
-| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11<p>Group Rule:<ul><li>`(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`</li><li>`(device.deviceOSVersion -startsWith \"10.0.22000\")`</li></ul><br>Exclusions:<ul><li>Modern Workplace - Telemetry Settings for Windows 10</li></ul> |
 | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role |
 | Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role |
 | Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch |
 
-## Windows Autopatch enterprise applications
-
-Enterprise applications are applications (software) that a business uses to do its work.
-
-Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
-
-| Enterprise application name | Usage | Permissions |
-| ----- | ------ | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
-
-> [!NOTE]
-> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
-
 ## Device configuration policies
 
-- Modern Workplace - Set MDM to Win Over GPO
-- Modern Workplace - Telemetry Settings for Windows 10
-- Modern Workplace - Telemetry Settings for Windows 11
-- Modern Workplace-Window Update Detection Frequency
-- Modern Workplace - Data Collection
+- Windows Autopatch - Set MDM to Win Over GPO
+- Windows Autopatch - Data Collection
+- Windows Autopatch-Window Update Detection Frequency
 
-| Policy name | Policy description | OMA | Value |
+| Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
-| Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
-| Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 |
-| Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ul><li>[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ul>|<ul><li>3</li><li>1</li><li>1</li><li>1</li> |
-| Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequency<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
-| Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul> | | |
+| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [MDM Wins Over GP ](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | The MDM policy is used and the GP policy is blocked |
+| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ol><li>[Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-ConfigureTelemetryOptInChangeNotification)</li><li>[Configure Telemetry Opt In Settings Ux](/windows/client-management/mdm/policy-csp-system#ConfigureTelemetryOptInSettingsUx)</li><li>[Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ol>|<ol><li>Enable telemetry change notifications</li><li>Enable Telemetry opt-in Settings</li><li>Full</li><li>Enabled</li><li>Enabled</li><li>Enabled</li></ol> |
+| Windows Autopatch - Windows Update Detection Frequency | Sets Windows update detection frequency<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 |
 
 ## Update rings for Windows 10 and later
 
@@ -105,33 +96,29 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 
 ## Microsoft Office update policies
 
-- Modern Workplace - Office ADMX Deployment
-- Modern Workplace - Office Configuration v5
-- Modern Workplace - Office Update Configuration [Test]
-- Modern Workplace - Office Update Configuration [First]
-- Modern Workplace - Office Update Configuration [Fast]
-- Modern Workplace - Office Update Configuration [Broad]
+- Windows Autopatch - Office Configuration
+- Windows Autopatch - Office Update Configuration [Test]
+- Windows Autopatch - Office Update Configuration [First]
+- Windows Autopatch - Office Update Configuration [Fast]
+- Windows Autopatch - Office Update Configuration [Broad]
 
-| Policy name | Policy description | OMA | Value |
+| Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
-| Modern Workplace - Office ADMX Deployment | ADMX file for Office<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul> | | |
-| Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
-| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li></ul> |<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>|<li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 0</li>|
-| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li></ul> |<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul> | <li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 0</li>|
-| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul>|<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>| <li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 3</li>|
-| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline<br>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li>|<ul><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`</li><li>`./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`</li></ul>|<li>Enabled; L_UpdateDeadlineID == 7</li><li>Enabled; L_DeferUpdateDaysID == 7</li> |
+| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>|<ol><li>Enable Automatic Updates</li><li>Hide option to enable or disable updates</li><li>Update Channel</li><li>Channel Name (Device)</li><li>Hide Update Notifications</li><li>Update Path</li></ol> |<ol><li>Enabled</li><li>Enabled</li><li>Enabled</li><li>Monthly Enterprise Channel</li><li>Disabled</li><li>Enabled</li></ol> |
+| Windows Autopatch - Office Update Configuration [Test] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>|<ol><li>Enabled;Days(Device) == 0 days</li></li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
+| Windows Autopatch - Office Update Configuration [First] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-First</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol> | <ol><li>Enabled;Days(Device) == 0 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
+| Windows Autopatch - Office Update Configuration [Fast] | Sets the Office update deadline<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ol>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled;Days(Device) == 3 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol>|
+| Windows Autopatch - Office Update Configuration [Broad] | Sets the Office update deadline<br>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Broad</li>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled;Days(Device) == 7 days</li><li>Enabled;Update Deadline(Device) == 7 days</li></ol> |
 
 ## Microsoft Edge update policies
 
-- Modern Workplace - Edge Update ADMX Deployment
-- Modern Workplace - Edge Update Channel Stable
-- Modern Workplace - Edge Update Channel Beta
+- Windows Autopatch - Edge Update Channel Stable
+- Windows Autopatch - Edge Update Channel Beta
 
-| Policy name | Policy description | OMA | Value |
+| Policy name | Policy description | Properties | Value |
 | ----- | ----- | ----- | ----- |
-| Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| | |
-| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
-| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test </li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
+| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><ol><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>| <ol><li>Target Channel Override </li><li>Target Channel (Device) </li></ol> | <ol><li>Enabled</li><li>Stable</li></ol>|
+| Windows Autopatch - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel<p>Assigned to:<ol><li>Modern Workplace Devices-Windows Autopatch-Test </li></ol>| <ol><li>Target Channel Override</li><li>Target Channel (Device)</li></ol> | <ol><li>Enabled</li><li>Beta</li></ol>|
 
 ## PowerShell scripts
 
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
index 92295357e9..85965b7535 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -1,9 +1,9 @@
 ---
 title: Microsoft 365 Apps for enterprise update policies
-description:  This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
+description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
 ms.date: 07/11/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md
index b81c723344..d0f3e5acba 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md
@@ -1,9 +1,9 @@
 ---
 title: Windows Autopatch Preview Addendum
-description:  This article explains the Autopatch preview addendum
+description: This article explains the Autopatch preview addendum
 ms.date: 05/30/2022
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: reference
 ms.localizationpriority: medium
 author: tiaraquan
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index a1ada94b72..4850fddac3 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -1,7 +1,7 @@
 ---
 title: Privacy
 description:  This article provides details about the data platform and privacy compliance for Autopatch
-ms.date: 05/30/2022
+ms.date: 11/08/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: reference
@@ -26,8 +26,8 @@ The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Mic
 | ------ | ------ |
 | [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
 | [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
-| [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) | Device management and to keep your data secure. The following data sources fall under Microsoft Endpoint Manager:<br><ul><li>[Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
-| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. |
+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:<br><ul><li>[Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
+| [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) | Data provided by the customer or generated by the service during running of the service. |
 | [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. |
 
 ## Windows Autopatch data process and storage
@@ -40,9 +40,12 @@ Processor duties of Windows Autopatch include ensuring appropriate confidentiali
 
 ## Windows Autopatch data storage and staff location
 
-Windows Autopatch stores its data in the Azure data centers in the United States.
+Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations).
 
-Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
+> [!IMPORTANT]
+> <ul><li>As of November 8, 2022, only <b>new</b> Windows Autopatch customers (EU, UK, Africa, Middle East) will have their data live in the European data centers.</li><li>Existing European Union (EU) Windows Autopatch customers will move from the North American data centers to the European data centers by the end of 2022.</li><li>If you're an existing Windows Autopatch customer, but <b>not</b> part of the European Union, data migration from North America to your respective data residency will occur next year.</li></ul>
+
+Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
 
 Windows Autopatch Service Engineering Team is in the United States, India and Romania.
 
@@ -54,9 +57,9 @@ The enhanced diagnostic data setting includes more detailed information about th
 
 The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
 
-Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
+Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data.
 
-For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
+For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
 
 ## Tenant access
 
@@ -107,11 +110,11 @@ Changes to the types of data gathered and where it's stored are considered a mat
 
 ## Data subject requests
 
-Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their personal data.
+Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their data.
 
 These rights include:
 
-- Obtaining copies of personal data
+- Obtaining copies of data
 - Requesting corrections to it
 - Restricting the processing of it
 - Deleting it
@@ -123,7 +126,7 @@ To exercise data subject requests on data collected by the Windows Autopatch cas
 
 | Data subject requests | Description |
 | ------ | ------ |
-| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin). <br><br> Provide the following information: <ul><li>Request type: Change request</li><li>Category: Security</li><li>Subcategory: Other</li><li>Description: Provide the relevant device names or user names.</li></ul> |
+| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin). <br><br> Provide the following information: <ul><li>Request type: Change request</li><li>Category: Security</li><li>Subcategory: Other</li><li>Description: Provide the relevant device names or user names.</li></ul> |
 
 For DSRs from other products related to the service, see the following articles:
 
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
new file mode 100644
index 0000000000..a00b6e9669
--- /dev/null
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
@@ -0,0 +1,101 @@
+---
+title: What's new
+description: This article lists the new feature releases and any corresponding Message center post numbers.
+ms.date: 12/02/2022
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# What's new
+
+This article lists new and updated feature releases, and service releases, with their corresponding Message center post numbers (if applicable).
+
+Minor corrections such as typos, style, or formatting issues aren't listed.
+
+## December 2022
+
+### December feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section |
+| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the Device configuration, Microsoft Office and Edge policies |
+| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports |
+| [What's new](../whats-new/windows-autopatch-whats-new-2022.md) | Added the What's new article |
+
+## November 2022
+
+### November feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Privacy](../references/windows-autopatch-privacy.md) | Updated data center locations<ul><li>[MC448005](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
+| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated multiple sections because of the OMA-URI to Intune Settings Catalog policy migration<ul><li>[MC443898](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
+| [Configure your network](../prepare/windows-autopatch-configure-network.md) | Added information on Delivery Optimization  |
+| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | 32 and 64-bit versions are supported |
+
+### November service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC470135](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update |
+
+## October 2022
+
+### October feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md) | New Tenant management blade |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added Azure Virtual Desktop capability |
+
+### October service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC450491](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update |
+
+## September 2022
+
+### September feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | Post-device registration readiness checks public preview release<ul><li>[MC409850](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
+
+## August 2022
+
+### August feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Windows Autopatch on Windows 365 Enterprise Workloads capability.<ul><li>[MC409850](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
+
+### August service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC418962](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch baseline configuration update |
+
+## July 2022
+
+### July feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Windows Autopatch on Windows 365 Enterprise Workloads capability |
+| Windows Autopatch General Availability | Windows Autopatch General Availability (GA) release |
+
+## May 2022
+
+### May feature release
+
+| Article | Description |
+| ----- | ----- |
+| Windows Autopatch | Announcing Windows Autopatch; a new feature in Windows E3 and E5 <ul><li>[MC390012](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul> |
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index b8fe13f82f..28d817ea6d 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,22 +1,22 @@
 ---
 title: Demonstrate Autopilot deployment
-manager: dougeby
+manager: aaroncz
 description: Step-by-step instructions on how to set up a virtual machine with a Windows Autopilot deployment.
-ms.prod: w10
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-deploy
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-ms.collection:
+author: frankroj
+ms.author: frankroj
+ms.collection: 
   - M365-modern-desktop
   - highpri
 ms.topic: tutorial
-ms.date: 07/12/2022
+ms.date: 10/28/2022
 ---
 
 # Demonstrate Autopilot deployment
 
-*Applies to*
+**Applies to**
 
 - Windows 10
 
@@ -47,45 +47,51 @@ You'll need the following components to complete this lab:
 |**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
 |**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
 
+> [!NOTE]
+> When using a VM for Autopilot testing, assign at least two processors and 4 GB of memory.
+
 ## Procedures
 
 A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.
 
 If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or later.
 
-- [Verify support for Hyper-V](#verify-support-for-hyper-v)
-- [Enable Hyper-V](#enable-hyper-v)
-- [Create a demo VM](#create-a-demo-vm)
-  - [Set ISO file location](#set-iso-file-location)
-  - [Determine network adapter name](#determine-network-adapter-name)
-  - [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
-  - [Install Windows 10](#install-windows-10)
-- [Capture the hardware ID](#capture-the-hardware-id)
-- [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
-- [Verify subscription level](#verify-subscription-level)
-- [Configure company branding](#configure-company-branding)
-- [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
-- [Register your VM](#register-your-vm)
-  - [Autopilot registration using Intune](#autopilot-registration-using-intune)
-  - [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
-- [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
-  - [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-    - [Create a device group](#create-a-device-group)
-    - [Create the deployment profile](#create-the-deployment-profile)
-  - [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
-- [See Windows Autopilot in action](#see-windows-autopilot-in-action)
-- [Remove devices from Autopilot](#remove-devices-from-autopilot)
-  - [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
-- [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
-- [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
-  - [Add a Win32 app](#add-a-win32-app)
-    - [Prepare the app for Intune](#prepare-the-app-for-intune)
-    - [Create app in Intune](#create-app-in-intune)
-    - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
-  - [Add Office 365](#add-microsoft-365-apps)
-    - [Create app in Intune](#create-app-in-intune)
-    - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
-- [Glossary](#glossary)
+- [Demonstrate Autopilot deployment](#demonstrate-autopilot-deployment)
+  - [Prerequisites](#prerequisites)
+  - [Procedures](#procedures)
+  - [Verify support for Hyper-V](#verify-support-for-hyper-v)
+  - [Enable Hyper-V](#enable-hyper-v)
+  - [Create a demo VM](#create-a-demo-vm)
+    - [Set ISO file location](#set-iso-file-location)
+    - [Determine network adapter name](#determine-network-adapter-name)
+    - [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
+    - [Install Windows 10](#install-windows-10)
+  - [Capture the hardware ID](#capture-the-hardware-id)
+  - [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
+  - [Verify subscription level](#verify-subscription-level)
+  - [Configure company branding](#configure-company-branding)
+  - [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
+  - [Register your VM](#register-your-vm)
+    - [Autopilot registration using Intune](#autopilot-registration-using-intune)
+    - [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
+  - [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
+    - [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+      - [Create a device group](#create-a-device-group)
+      - [Create the deployment profile](#create-the-deployment-profile)
+    - [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
+  - [See Windows Autopilot in action](#see-windows-autopilot-in-action)
+  - [Remove devices from Autopilot](#remove-devices-from-autopilot)
+    - [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
+  - [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
+  - [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
+    - [Add a Win32 app](#add-a-win32-app)
+      - [Prepare the app for Intune](#prepare-the-app-for-intune)
+      - [Create app in Intune](#create-app-in-intune)
+      - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+    - [Add Microsoft 365 Apps](#add-microsoft-365-apps)
+      - [Create app in Microsoft Intune](#create-app-in-microsoft-intune)
+      - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile-1)
+  - [Glossary](#glossary)
 
 ## Verify support for Hyper-V
 
@@ -247,7 +253,7 @@ After the VM restarts, during OOBE, it's fine to select **Set up for personal us
 
    ![Windows setup example 7.](images/winsetup7.png)
 
-Once the installation is complete, sign in and verify that you're at the Windows 10 desktop. Then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
+Once the installation is complete, sign in, and verify that you're at the Windows 10 desktop. Then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
 
    > [!div class="mx-imgBorder"]
    > ![Windows setup example 8.](images/winsetup8.png)
@@ -395,7 +401,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
 ### Autopilot registration using Intune
 
-1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
+1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
 
     ![Intune device import.](images/enroll1.png)
 
@@ -600,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n
 
 ### Delete (deregister) Autopilot device
 
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the Microsoft Endpoint Manager admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
 
 > [!div class="mx-imgBorder"]
 > ![Delete device step 1.](images/delete-device1.png)
@@ -802,7 +808,7 @@ For more information on adding apps to Intune, see [Intune Standalone - Win32 ap
 
 ### Add Microsoft 365 Apps
 
-#### Create app in Microsoft Endpoint Manager
+#### Create app in Microsoft Intune
 
 Sign in to the Azure portal and select **Intune**.
 
diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml
index 92215275a7..567e5d62a8 100644
--- a/windows/deployment/windows-autopilot/index.yml
+++ b/windows/deployment/windows-autopilot/index.yml
@@ -1,20 +1,20 @@
 ### YamlMime:Landing
 
 title: Windows Autopilot deployment resources and documentation # < 60 chars
-summary: 'Note: Windows Autopilot documentation has moved! A few additional resources will also be available here. See the links on this page for more information.'  # < 160 chars
+summary: 'Note: Windows Autopilot documentation has moved! A few more resources will also be available here. For more information, see the links on this page.'  # < 160 chars
 
 metadata:
   title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
-  services: windows-10
-  ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.subservice: subservice
-  ms.topic: landing-page # Required
-  ms.collection: windows-10
-  author: aczechowski
-  ms.author: aaroncz
-  manager: dougeby
-  ms.date: 08/05/2020 #Required; mm/dd/yyyy format.
+  ms.topic: landing-page
+  ms.prod: windows-client
+  ms.technology: itpro-deploy
+  ms.collection:
+    - highpri
+  author: frankroj
+  ms.author: frankroj
+  manager: aaroncz
+  ms.date: 10/28/2022 #Required; mm/dd/yyyy format.
   localization_priority: medium
     
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index bf62c49c51..b6ac225f0e 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -1,17 +1,18 @@
 ---
 title: Windows 10 deployment scenarios and tools
 description: Learn about the tools you can use to deploy Windows 10 and related applications to your organization. Explore deployment scenarios.
-manager: dougeby
-ms.author: aaroncz
-author: aczechowski
-ms.prod: w10
+manager: aaroncz
+ms.author: frankroj
+author: frankroj
+ms.prod: windows-client
 ms.topic: article
-ms.collection: highpri
+ms.date: 11/23/2022
+ms.technology: itpro-deploy
 ---
 
 # Windows 10 deployment scenarios and tools
 
-To successfully deploy the Windows 10 operating system and applications for your organization, understand the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment.
+To successfully deploy the Windows 10 operating system and applications for your organization, understand the available tools to help with the process. In this article, you'll learn about the most commonly used tools for Windows 10 deployment.
 
 Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). These tools aren't a complete solution on their own. Combine these tools with solutions like [Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) to get a complete deployment solution.
 
@@ -19,7 +20,6 @@ In this article, you also learn about different types of reference images that y
 
 ## Windows Assessment and Deployment Kit
 
-
 Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more information, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
 
 ![The Windows 10 ADK feature selection page.](images/win-10-adk-select.png)
@@ -32,13 +32,13 @@ DISM is one of the deployment tools included in the Windows ADK and is used for
 
 DISM services online and offline images. For example, with DISM you can install the Microsoft .NET Framework 3.5.1 in Windows 10 online, which means that you can start the installation in the running operating system, not that you get the software online. The /LimitAccess switch configures DISM to get the files only from a local source:
 
-``` syntax
+```cmd
 Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS /LimitAccess
 ```
 
 In Windows 10, you can use Windows PowerShell for many of the functions done by DISM.exe. The equivalent command in Windows 10 using PowerShell is:
 
-``` syntax
+```powershell
 Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All 
 -Source D:\Sources\SxS -LimitAccess
 ```
@@ -55,15 +55,15 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a
 
 USMT includes several command-line tools, the most important of which are ScanState and LoadState:
 
--   **ScanState.exe.** This tool performs the user-state backup.
--   **LoadState.exe.** This tool performs the user-state restore.
--   **UsmtUtils.exe.** This tool supplements the functionality in ScanState.exe and LoadState.exe.
+- **ScanState.exe**: This tool performs the user-state backup.
+- **LoadState.exe**: This tool performs the user-state restore.
+- **UsmtUtils.exe**: This tool supplements the functionality in ScanState.exe and LoadState.exe.
 
 In addition to these tools, there are also XML templates that manage which data is migrated. You can customize the templates, or create new ones, to manage the backup process at a high level of detail. USMT uses the following terms for its templates:
 
--   **Migration templates.** The default templates in USMT.
--   **Custom templates.** Custom templates that you create.
--   **Config template.** An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
+- **Migration templates**: The default templates in USMT.
+- **Custom templates**: Custom templates that you create.
+- **Config template**: An optional template called Config.xml which you can use to exclude or include components in a migration without modifying the other standard XML templates.
 
 ![A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files..](images/mdt-11-fig06.png)
 
@@ -73,14 +73,21 @@ USMT supports capturing data and settings from Windows Vista and later, and rest
 
 By default USMT migrates many settings, most of which are related to the user profile but also to Control Panel configurations, file types, and more. The default templates that are used in Windows 10 deployments are MigUser.xml and MigApp.xml. These two default templates migrate the following data and settings:
 
--   Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
--   Specific file types. USMT templates migrate the following file types: .accdb, .ch3, .csv, dif, .doc\*, .dot\*, .dqy, .iqy, .mcw, .mdb\*, .mpp, .one\*, .oqy, .or6, .pot\*, .ppa, .pps\*, .ppt\*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk, .txt, .vl\*, .vsd, .wk\*, .wpd, .wps, .wq1, .wri, .xl\*, .xla, .xlb, .xls\*.
+- Folders from each profile, including those folders from user profiles, and shared and public profiles. For example, the My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites folders are migrated.
+
+- The following specific file types:
+
+    `.accdb`, `.ch3`, `.csv`, `.dif`, `.doc*`, `.dot*`, `.dqy`, `.iqy`, `.mcw`, `.mdb*`, `.mpp`, `.one*`, `.oqy`, `.or6`, `.pot*`, `.ppa`, `.pps*`, `.ppt*`, `.pre`, `.pst`, `.pub`, `.qdf`, `.qel`, `.qph`, `.qsd`, `.rqy`, `.rtf`, `.scd`, `.sh3`, `.slk`, `.txt`, `.vl*`, `.vsd`, `.wk*`, `.wpd`, `.wps`, `.wq1`, `.wri`, `.xl*`, `.xla`, `.xlb`, `.xls*`
+
+    > [!NOTE]
+    > The asterisk (`*`) stands for zero or more characters.
 
     > [!NOTE]
     > The OpenDocument extensions (`*.odt`, `*.odp`, `*.ods`) that Microsoft Office applications can use aren't migrated by default.
 
--   Operating system component settings
--   Application settings
+- Operating system component settings
+
+- Application settings
 
 These settings are migrated by the default MigUser.xml and MigApp.xml templates. For more information, see [What does USMT migrate?](./usmt/usmt-what-does-usmt-migrate.md) For more general information on USMT, see [USMT technical reference](./usmt/usmt-reference.md).
 
@@ -106,7 +113,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht
 
 ### Volume Activation Management Tool (VAMT)
 
-If you don’t use KMS, manage your MAKs centrally with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys throughout the organization. VAMT can also activate on behalf of clients without internet access, acting as a MAK proxy.
+If you don't use KMS, manage your MAKs centrally with the Volume Activation Management Tool (VAMT). Use this tool to install and manage product keys throughout the organization. VAMT can also activate on behalf of clients without internet access, acting as a MAK proxy.
 
 ![The updated Volume Activation Management Tool.](images/mdt-11-fig08.png)
 
@@ -114,7 +121,7 @@ The updated Volume Activation Management Tool.
 
 VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type:
 
-``` syntax
+```powershell
 Get-VamtProduct
 ```
 
@@ -132,8 +139,7 @@ A machine booted with the Windows ADK default Windows PE boot image.
 
 For more information on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro).
 
-## <a href="" id="sec07"></a>Windows Recovery Environment
-
+## Windows Recovery Environment
 
 Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you'll see an automatic failover into Windows RE.
 
@@ -145,7 +151,6 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows-
 
 ## Windows Deployment Services
 
-
 Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you'll use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
 
 ![Windows Deployment Services using multicast to deploy three machines.](images/mdt-11-fig11.png)
@@ -160,9 +165,9 @@ In some cases, you need to modify TFTP Maximum Block Size settings for performan
 
 Also, there are a few new features related to TFTP performance:
 
--   **Scalable buffer management.** Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
--   **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
--   **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
+- **Scalable buffer management**: Allows buffering an entire file instead of a fixed-size buffer for each client, enabling different sessions to read from the same shared buffer.
+- **Scalable port management**: Provides the capability to service clients with shared UDP port allocation, increasing scalability.
+- **Variable-size transmission window (Variable Windows Extension)**: Improves TFTP performance by allowing the client and server to determine the largest workable window size.
 
 ![TFTP changes are now easy to perform.](images/mdt-11-fig12.png)
 
@@ -170,7 +175,6 @@ TFTP changes are now easy to perform.
 
 ## Microsoft Deployment Toolkit
 
-
 MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution.
 
 MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to Configuration Manager.
@@ -178,8 +182,6 @@ MDT has two main parts: the first is Lite Touch, which is a stand-alone deployme
 **Note**  
 Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.
 
- 
-
 ![The Deployment Workbench in, showing a task sequence.](images/mdt-11-fig13.png)
 
 The Deployment Workbench in, showing a task sequence.
@@ -188,7 +190,6 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm
 
 ## Microsoft Security Compliance Manager 2013
 
-
 [Microsoft SCM](https://www.microsoft.com/download/details.aspx?id=53353) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
 
 ![The SCM console showing a baseline configuration for a fictional client's computer security compliance.](images/mdt-11-fig14.png)
@@ -197,21 +198,24 @@ The SCM console showing a baseline configuration for a fictional client's comput
 
 ## Microsoft Desktop Optimization Pack
 
-
 MDOP is a suite of technologies available to Software Assurance customers through another subscription.
 
 The following components are included in the MDOP suite:
 
--   **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
+- **Microsoft Application Virtualization (App-V).** App-V 5.0 provides an integrated platform, more flexible virtualization, and powerful management for virtualized applications. With the release of App-V 5.0 SP3, you have support to run virtual applications on Windows 10.
 
--   **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
+- **Microsoft User Experience Virtualization (UE-V).** UE-V monitors the changes that are made by users to application settings and Windows operating system settings. The user settings are captured and centralized to a settings storage location. These settings can then be applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions.
 
--   **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
--   **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
--   **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, as well as monitor compliance with these policies.
+- **Microsoft Advanced Group Policy Management (AGPM).** AGPM enables advanced management of Group Policy objects by providing change control, offline editing, and role-based delegation.
+- **Microsoft Diagnostics and Recovery Toolset (DaRT).** DaRT provides additional tools that extend Windows RE to help you troubleshoot and repair your machines.
+- **Microsoft BitLocker Administration and Monitoring (MBAM).** MBAM is an administrator interface used to manage BitLocker drive encryption. It allows you to configure your enterprise with the correct BitLocker encryption policy options, and monitor compliance with these policies.
 
 For more information on the benefits of an MDOP subscription, see [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/).
 
+<!--
+
+REMOVING SECTION SINCE INTERNET EXPLORER IS NO LONGER SUPPORTED
+
 ## Internet Explorer Administration Kit 11
 
 There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
@@ -222,8 +226,9 @@ The User Experience selection screen in IEAK 11.
 
 To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Information and Downloads](/internet-explorer/ie11-ieak/ieak-information-and-downloads) page.
 
-## Windows Server Update Services
+-->
 
+## Windows Server Update Services
 
 WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
 
@@ -235,32 +240,31 @@ For more information on WSUS, see the [Windows Server Update Services Overview](
 
 ## Unified Extensible Firmware Interface
 
-
-For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
+For many years, BIOS has been the industry standard for booting a PC. BIOS has served us well, but it's time to replace it with something better. **UEFI** is the replacement for BIOS, so it's important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.
 
 ### Introduction to UEFI
 
 BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:
 
--   16-bit code
--   1-MB address space
--   Poor performance on ROM initialization
--   MBR maximum bootable disk size of 2.2 TB
+- 16-bit code
+- 1-MB address space
+- Poor performance on ROM initialization
+- MBR maximum bootable disk size of 2.2 TB
 
 As the replacement to BIOS, UEFI has many features that Windows can and will use.
 
 With UEFI, you can benefit from:
 
--   **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
--   **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
--   **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
--   **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
--   **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
--   **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
--   **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
--   **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
+- **Support for large disks.** UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
+- **Faster boot time.** UEFI doesn't use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
+- **Multicast deployment.** UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
+- **Compatibility with earlier BIOS.** Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
+- **CPU-independent architecture.** Even if BIOS can run both 32-bit and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
+- **CPU-independent drivers.** On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That isn't needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
+- **Flexible pre-operating system environment.** UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
+- **Secure boot.** Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware can't switch the boot loader.
 
-### Versions
+### UEFI versions
 
 UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a few machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.
 
@@ -268,10 +272,10 @@ UEFI Version 2.3.1B is the version required for Windows 8 and later logo complia
 
 In regard to UEFI, hardware is divided into four device classes:
 
--   **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device.
--   **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
--   **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
--   **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS.
+- **Class 0 devices.** The device of this class is the UEFI definition for a BIOS, or non-UEFI, device.
+- **Class 1 devices.** The devices of this class behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
+- **Class 2 devices.** The devices of this class have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
+- **Class 3 devices.** The devices of this class are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 isn't supported on these class 3 devices. Class 3 devices don't have a CSM to emulate BIOS.
 
 ### Windows support for UEFI
 
@@ -283,10 +287,10 @@ With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 support
 
 There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:
 
--   Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
--   When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
--   When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB.
--   UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit).
+- Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
+- When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It's common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
+- When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4 GB.
+- UEFI doesn't support cross-platform booting; therefore, you need to have the correct boot media (32-bit or 64-bit).
 
 For more information on UEFI, see the [UEFI firmware](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824898(v=win.10)) overview and related resources.
 
diff --git a/windows/hub/doc-test.md b/windows/hub/doc-test.md
index bb5825132e..86c3a11317 100644
--- a/windows/hub/doc-test.md
+++ b/windows/hub/doc-test.md
@@ -2,8 +2,8 @@
 title: Doc team test
 description: A test article for the doc team's use.
 ms.date: 05/10/2022
-ms.prod: windows
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
 ms.topic: reference
 ms.localizationpriority: null
 ROBOTS: NOINDEX
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 508d741a9b..f1b885b970 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -37,7 +37,7 @@
       "audience": "ITPro",
       "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
       "uhfHeaderId": "MSDocsHeader-M365-IT",
-      "ms.technology": "windows",
+      "ms.technology": "itpro-fundamentals",
       "ms.topic": "article",
       "feedback_system": "GitHub",
       "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 0794c284fd..aa9a8e5a92 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -8,12 +8,9 @@ brand: windows
 metadata:
   title: Windows client documentation for IT Pros # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Evaluate, plan, deploy, secure, and manage devices running Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
-  services: windows-10
-  ms.service: subservice #Required; service per approved list. service slug assigned to your service by ACOM.
-  ms.subservice: subservice # Optional; Remove if no subservice is used.
-  ms.topic: hub-page # Required
+  ms.topic: hub-page
+  ms.prod: windows-client
   ms.collection:
-    - windows-10
     - highpri
   author: dougeby #Required; your GitHub user alias, with correct capitalization.
   ms.author: dougeby #Required; microsoft alias of author; optional team alias.
@@ -230,19 +227,17 @@ additionalContent:
 
     - title: Other resources
       items:
-        - title: Microsoft Endpoint Manager
+        - title: Microsoft endpoint management with Intune
           links:
-            - text: Microsoft Endpoint Manager documentation
-              url: /mem
-            - text: Overview of Microsoft Endpoint Manager
+            - text: Intune is a family of products
               url: /mem/endpoint-manager-overview
-            - text: Getting started with Microsoft Endpoint Manager
-              url: /mem/endpoint-manager-getting-started
+            - text: What is Microsoft Intune?
+              url: /mem/intune/fundamentals/what-is-intune
             - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11
               url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886
             - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager
               url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866
-            - text: Microsoft Endpoint Manager blog
+            - text: Microsoft endpoint management blog
               url: https://aka.ms/memblog
         - title: Windows 365
           links:
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 13b8872c26..48eab123cc 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -17,7 +17,7 @@ ms.topic: conceptual
 - Windows 10, version 1903 and later
 - Windows Server 2022
 
-Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
+Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we've moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this change will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide.
 
 This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas:
 
@@ -26,7 +26,7 @@ This article is meant for IT administrators and explains the changes Windows is
 
 ## Summary of changes
 
-In Windows 10, version 1903 and later, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
+In Windows 10, version 1903 and later, you'll see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes.
 
 Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**.
 
@@ -42,9 +42,9 @@ Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience
 
 ## Behavioral changes
 
-Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change.
+Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they're upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that use enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change.
 
-Additionally, you will see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2):
+Additionally, you'll see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2):
 
 | Policy type | Current policy | Renamed policy |
 | --- | --- | --- |
@@ -65,9 +65,9 @@ For more info, see [Configure Windows diagnostic data in your organization](conf
 
 ## Services that rely on Enhanced diagnostic data
 
-Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
+Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they're released. These services will be updated to address these changes and guidance will be published on how to configure them properly.
 
-The following provides information on the current configurations:
+The following articles provide information on the current configurations:
 
 - [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data)
 - [Desktop Analytics](/mem/configmgr/desktop-analytics/overview)
@@ -95,7 +95,7 @@ For Windows devices with diagnostic data turned on and that are joined to an [Az
 - [Update Compliance](/windows/deployment/update/update-compliance-monitor)
 - [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
 - [Microsoft Managed Desktop](/managed-desktop/intro/)
-- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview)
+- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview)
 
 *(Additional licensing requirements may apply to use these services.)*
 
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index cac24b1acb..f111d92f7a 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w
 | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft. <br/><br/>To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).|
 | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats. <br/><br/>Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date. <br/><br/>To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
 | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps. <br/><br/>To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
-|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.<br/><br/> [Learn more about Mobile Device Management](../client-management/mdm-overview) |
+|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.<br/><br/> [Learn more about Mobile Device Management](/windows/client-management/mdm-overview) |
 
 ## Windows connected experiences
 
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 63ab9a4a86..d93fc2caaf 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -136,25 +136,25 @@
         - name: Troubleshoot BitLocker
           items:
             - name: Troubleshoot BitLocker
-              href: information-protection/bitlocker/troubleshoot-bitlocker.md
+              href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting
             - name: "BitLocker cannot encrypt a drive: known issues"
-              href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+              href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues
             - name: "Enforcing BitLocker policies by using Intune: known issues"
-              href: information-protection/bitlocker/ts-bitlocker-intune-issues.md
+              href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues
             - name: "BitLocker Network Unlock: known issues"
-              href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+              href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues
             - name: "BitLocker recovery: known issues"
-              href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+              href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues
             - name: "BitLocker configuration: known issues"
-              href: information-protection/bitlocker/ts-bitlocker-config-issues.md
+              href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues
             - name: Troubleshoot BitLocker and TPM issues
               items:
                 - name: "BitLocker cannot encrypt a drive: known TPM issues"
-                  href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+                  href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues
                 - name: "BitLocker and TPM: other known issues"
-                  href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+                  href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues
                 - name: Decode Measured Boot logs to track PCR changes
-                  href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+                  href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
      - name: Personal Data Encryption (PDE)
        items:
        - name: Personal Data Encryption (PDE) overview
@@ -244,7 +244,7 @@
               href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
             - name: Determine the enterprise context of an app running in WIP
               href: information-protection/windows-information-protection/wip-app-enterprise-context.md
-         - name: Create a WIP policy using Microsoft Endpoint Configuration Manager
+         - name: Create a WIP policy using Microsoft Configuration Manager
            href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
            items:
             - name: Create and deploy a WIP policy in Configuration Manager
diff --git a/windows/security/apps.md b/windows/security/apps.md
index 9c11807c27..1ddbbc8a9d 100644
--- a/windows/security/apps.md
+++ b/windows/security/apps.md
@@ -6,8 +6,8 @@ manager: aaroncz
 ms.author: dansimp
 author: dansimp
 ms.collection: M365-security-compliance
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Windows application security
diff --git a/windows/security/cloud.md b/windows/security/cloud.md
index c3fb5965e9..0c96ff69db 100644
--- a/windows/security/cloud.md
+++ b/windows/security/cloud.md
@@ -4,15 +4,15 @@ description: Get an overview of cloud services supported in Windows 11 and Windo
 ms.reviewer: 
 author: paolomatarazzo
 ms.author: paoloma
-manager: aaroncz 
+manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/20/2021
 ms.localizationpriority: medium
 ms.custom: 
-search.appverid: MET150 
+search.appverid: MET150
 ms.collection: M365-security-compliance
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Windows and cloud security
@@ -23,9 +23,9 @@ Windows 11 includes the cloud services that are listed in the following table:<b
 
 | Service type | Description |
 |:---|:---|
-| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.<br/><br/>Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.<br/><br/>To learn more, see [Mobile device management](/windows/client-management/mdm/). |
+| Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.<br/><br/>Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.<br/><br/>To learn more, see [Mobile device management](/windows/client-management/mdm/). |
 | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices. <br/><br/>The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards. <br/><br/>To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).|
-| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data. <br/><br/>The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4). <br/><br/>In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
+| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data. <br/><br/>The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4). <br/><br/>If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
 | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.<br/><br/>With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.<br/><br/>To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
 
 ## Next steps
diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md
index 02c686cff3..768b1e3c3f 100644
--- a/windows/security/cryptography-certificate-mgmt.md
+++ b/windows/security/cryptography-certificate-mgmt.md
@@ -1,14 +1,14 @@
 ---
 title: Cryptography and Certificate Management
 description: Get an overview of cryptography and certificate management in Windows
-search.appverid: MET150  
+search.appverid: MET150
 author: paolomatarazzo
 ms.author: paoloma
-manager: aaroncz 
+manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: 
 ms.custom: 
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 84eb2da0af..8484e3b795 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -36,9 +36,10 @@
       "recommendations": true,
       "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
       "uhfHeaderId": "MSDocsHeader-M365-IT",
-      "ms.topic": "article",
-      "manager": "dansimp",
-      "audience": "ITPro",
+      "ms.localizationpriority": "medium",
+      "ms.prod": "windows-client",
+      "ms.technology": "itpro-security",
+      "manager": "aaroncz",
       "feedback_system": "GitHub",
       "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
       "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@@ -48,7 +49,6 @@
           "folder_relative_path_in_docset": "./"
         }
       },
-      "titleSuffix": "Windows security",
       "contributors_to_exclude": [
         "rjagiewich", 
         "traya1", 
@@ -56,13 +56,22 @@
         "claydetels19", 
         "jborsecnik",
         "tiburd",
+        "AngelaMotherofDragons",
+        "dstrome",
+        "v-dihans",
         "garycentric"
       ],
       "searchScope": ["Windows 10"]
     },
     "fileMetadata": {
-      "titleSuffix":{
-        "threat-protection/**/*.md": "Windows security"
+      "author":{
+        "identity-protection/hello-for-business/**/*.md": "paolomatarazzo"
+      },
+      "ms.author":{
+        "identity-protection/hello-for-business/**/*.md": "paoloma"
+      },
+      "ms.reviewer":{
+        "identity-protection/hello-for-business/**/*.md": "erikdau"
       }
     },
     "template": [],
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index 48738d546a..262ed05694 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Encryption and data protection in Windows
 description: Get an overview encryption and data protection in Windows 11 and Windows 10
-search.appverid: MET150 
+search.appverid: MET150
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
@@ -12,7 +12,7 @@ ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: 
 ms.custom: 
-ms.reviewer: rafals  
+ms.reviewer: rafals
 ---
 
 # Encryption and data protection in Windows client
diff --git a/windows/security/hardware.md b/windows/security/hardware.md
index a51334e3f1..7954ea474f 100644
--- a/windows/security/hardware.md
+++ b/windows/security/hardware.md
@@ -6,8 +6,8 @@ manager: aaroncz
 ms.author: vinpa
 author: vinaypamnani-msft
 ms.collection: M365-security-compliance
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Windows hardware security
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 3463887878..f900a31aa3 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -1,20 +1,20 @@
 ---
 title: Access Control Overview (Windows 10)
 description: Access Control Overview
-ms.prod: m365-security
+ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer: sulahiri
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
-  - highpri
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 07/18/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows Server 2016</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Access Control Overview
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index cf62379ed8..6d48d39a9a 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -1,23 +1,24 @@
 ---
 title: Local Accounts (Windows 10)
 description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
-ms.prod: m365-security
+ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer: sulahiri
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 06/17/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Local Accounts
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index b1d3c58e26..6fadaf74b4 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,7 +1,7 @@
 ---
 title: Configure S/MIME for Windows
 description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.prod: m365-security
+ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
@@ -9,9 +9,10 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 07/27/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index ae0b3c7b76..3fd8405edf 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,15 +1,16 @@
 ---
 title: Additional mitigations
 description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.date: 08/17/2017
+ms.technology: itpro-security
 ---
 
 # Additional mitigations
@@ -606,4 +607,4 @@ write-host $tmp -Foreground Red
 ```
 
 > [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
\ No newline at end of file
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index 22f3e34740..b041c61076 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -1,21 +1,22 @@
 ---
 title: Advice while using Windows Defender Credential Guard (Windows)
 description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.date: 08/31/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Considerations when using Windows Defender Credential Guard
@@ -96,4 +97,4 @@ When data protected with user DPAPI is unusable, then the user loses access to a
 
 **Related videos**
 
-[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
\ No newline at end of file
+[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index b48fb5bbb3..48360ee775 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -1,21 +1,22 @@
 ---
 title: How Windows Defender Credential Guard works
 description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.date: 08/17/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # How Windows Defender Credential Guard works
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index e190e70c49..cb1b52ff54 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -1,65 +1,79 @@
 ---
 title: Windows Defender Credential Guard - Known issues (Windows)
 description: Windows Defender Credential Guard - Known issues in Windows Enterprise
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.date: 01/26/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+ms.date: 11/28/2022
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 # Windows Defender Credential Guard: Known issues
 
 Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
 
-The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
+## Known Issue: Single Sign-On (SSO) for Network services breaks after upgrading to **Windows 11, version 22H2**  
 
-- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
+### Symptoms of the issue:  
+Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication will be unable to use SSO to log in and will be forced to manually re-authenticate in every new Windows session when Windows Defender Credential Guard is running.  
 
-    ```console
-    Task Scheduler failed to log on '\Test'.
-    Failure occurred in 'LogonUserExEx'.
-    User Action: Ensure the credentials for the task are correctly specified.
-    Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
-    ```
+### Affected devices:  
+Any device that enables Windows Defender Credential Guard may encounter this issue. As part of the Windows 11, version 22H2 update, eligible devices which had not previously explicitly disabled Windows Defender Credential Guard had it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses*, as long as they met the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements). 
+  
+\* All Pro devices which previously ran Windows Defender Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](credential-guard-requirements.md#hardware-and-software-requirements), will receive default enablement.  
 
-- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
+> [!TIP]
+> To determine if your Pro device will receive default enablement when upgraded to **Windows 11, version 22H2**, do the following **before** upgrading:  
+> Check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. If it is present, the device will have Windows Defender Credential Guard enabled after upgrading. Note that Windows Defender Credential Guard can be disabled after upgrade by following the [disablement instructions](credential-guard-manage.md#disable-windows-defender-credential-guard).
 
-    ```console
-    Log Name: Microsoft-Windows-NTLM/Operational
-    Source: Microsoft-Windows-Security-Netlogon
-    Event ID: 8004
-    Task Category: Auditing NTLM
-    Level: Information
-    Description:
-    Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
-    Secure Channel name: <Secure Channel Name>
-    User name:
-    @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
-    Domain name: NULL
-    ```
+### Why this is happening:  
+Applications and services are affected by this issue when they rely on insecure protocols that use password-based authentication. Windows Defender Credential Guard blocks the use of these insecure protocols by design. These protocols are considered insecure because they can lead to password disclosure on the client and the server, which is in direct contradiction to the goals of Windows Defender Credential Guard. Affected procols include:
+  - Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
+  - Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
+  - MS-CHAP (only SSO is blocked)
+  - WDigest (only SSO is blocked)
+  - NTLM v1 (only SSO is blocked)  
+  
+Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.  
 
-  - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
-  - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
-  - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
+> [!NOTE]
+> MS-CHAP and NTLMv1 are particularly relevant to the observed SSO breakage after the Windows 11, version 22H2 update. To confirm whether Windows Defender Credential Guard is blocking either of these protocols, check the NTLM event logs in Event Viewer at `Application and Services Logs\Microsoft\Windows\NTLM\Operational` for the following warning and/or error:  
+  >  
+  > **Event ID 4013** (Warning)  
+  > ```
+  > <string  
+  >   id="NTLMv1BlockedByCredGuard"  
+  >   value="Attempt to use NTLMv1 failed.
+  >   Target server: %1%nSupplied user: %2%nSupplied domain: %3%nPID of client process: %4%nName of client process: %5%nLUID of client process: %6%nUser identity of client process: %7%nDomain name of user identity of client process: %8%nMechanism OID: %9%n%nThis device does not support NTLMv1. For more information, see https://go.microsoft.com/fwlink/?linkid=856826."  
+  > />  
+  >  ```
+  >  
+  > **Event ID 4014** (Error)  
+  > ```
+  > <string  
+  >    id="NTLMGetCredentialKeyBlockedByCredGuard"  
+  >    value="Attempt to get credential key by call package blocked by Credential Guard.%n%nCalling Process Name: %1%nService Host Tag: %2"  
+  > />  
+  > ```
 
-The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
+### Options to fix the issue:  
 
-- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)
+Microsoft recommends that organizations move away from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. Windows Defender Credential Guard will not block certificate-based authentication.  
 
-    This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:
+For a more immediate but less secure fix, [disable Windows Defender Credential Guard](credential-guard-manage.md#disable-windows-defender-credential-guard). Note that Windows Defender Credential Guard does not have per-protocol or per-application policies, and must either be completely on or off. Disabling Windows Defender Credential Guard will leave some stored domain credentials vulnerable to theft. Windows Defender Credential Guard can be disabled after it has already been enabled, or it can be explicitly disabled prior to updating to Windows 11, version 22H2, which will prevent default enablement from occurring.  
 
-  - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
-  - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
+> [!TIP]
+> To _prevent_ default enablement, [use Group Policy to explicitly disable Windows Defender Credential Guard](credential-guard-manage.md#disabling-windows-defender-credential-guard-using-group-policy) before updating to Windows 11, version 22H2. If the GPO value is not configured (which is the default state), the device will receive default enablement after updating, if eligible. If the GPO value is set to "disabled", it will not be enabled after updating. This process can also be done via Mobile Device Management (MDM) policy rather than Group Policy if the devices are currently being managed by MDM.  
 
 ## Known issues involving third-party applications
 
@@ -111,3 +125,45 @@ Windows Defender Credential Guard isn't supported by the following products, pro
 This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.
 
 Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
+  
+## Previous known issues that have been fixed
+  
+The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
+
+- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
+
+    ```console
+    Task Scheduler failed to log on '\Test'.
+    Failure occurred in 'LogonUserExEx'.
+    User Action: Ensure the credentials for the task are correctly specified.
+    Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
+    ```
+
+- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
+
+    ```console
+    Log Name: Microsoft-Windows-NTLM/Operational
+    Source: Microsoft-Windows-Security-Netlogon
+    Event ID: 8004
+    Task Category: Auditing NTLM
+    Level: Information
+    Description:
+    Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
+    Secure Channel name: <Secure Channel Name>
+    User name:
+    @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
+    Domain name: NULL
+    ```
+
+  - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
+  - The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
+  - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
+
+The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
+
+- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)
+
+    This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:
+
+  - [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
+  - [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index c9216efadf..f7d645071d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -1,31 +1,34 @@
 ---
 title: Manage Windows Defender Credential Guard (Windows)
 description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer: zwhittington
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
 ms.topic: article
 ms.custom: 
   - CI 120967
   - CSSTroubleshooting
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 # Manage Windows Defender Credential Guard
 
 ## Default Enablement
 
-Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
+Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.  
+  
+Known issues arising from default enablement are documented in [Windows Defender Credential Guard: Known issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
 
 ### Requirements for automatic enablement
 
@@ -34,7 +37,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the
 |Component|Requirement|
 |---|---|
 |Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**|
-|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
+|Existing Windows Defender Credential Guard Requirements|Only devices that meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
 |Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
 
 > [!NOTE]
@@ -55,7 +58,7 @@ The same set of procedures used to enable Windows Defender Credential Guard on p
 
 ### Enable Windows Defender Credential Guard by using Group Policy
 
-You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
+You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed.
 
 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
 
@@ -73,32 +76,32 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
 
 To enforce processing of the group policy, you can run `gpupdate /force`.
 
-### Enable Windows Defender Credential Guard by using Microsoft Endpoint Manager
+### Enable Windows Defender Credential Guard by using Microsoft Intune
 
-1. From **Microsoft Endpoint Manager admin center**, select **Devices**.
+1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**.
 
 1. Select **Configuration Profiles**.
 
 1. Select  **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**.
 
-   1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings.
+   1. Configuration settings: In the settings picker, select **Device Guard** as category and add the needed settings.
 
 > [!NOTE]
 > Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
 
 > [!TIP]
-> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
 
 ### Enable Windows Defender Credential Guard by using the registry
 
-If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
+If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems.
 
 #### Add the virtualization-based security features
 
-Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn't necessary and this step can be skipped.
 
-If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
-You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
+To enable, use the Control Panel or the Deployment Image Servicing and Management tool (DISM).
 
 > [!NOTE]
 > If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
@@ -201,9 +204,9 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 > [!NOTE]
 > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
 
-- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible.
+- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard won't help to secure a device or identity that has already been compromised. So, we recommend turning on Credential Guard as early as possible.
 
-- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
+- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. You can use security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
 
   - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
 
@@ -213,13 +216,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 
     - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
 
-  - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
+  - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; continuing without Windows Defender Credential Guard.
 
   - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
 
   - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]  
 
-- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you're running with a TPM, the TPM PCR mask value will be something other than 0.
 
 - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
 
@@ -238,9 +241,9 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 
 ## Disable Windows Defender Credential Guard
 
-Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and did not have it enabled prior to the update, it is sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
+Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn't have it enabled prior to the update, it's sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
 
-If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. Note that the default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
+If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. The default enablement change in eligible 22H2 devices does **not** use a UEFI Lock.
 
 If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy).
 
@@ -262,7 +265,7 @@ If Windows Defender Credential Guard was enabled via Group Policy and without UE
 
 ### Disabling Windows Defender Credential Guard using Registry Keys
 
-If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it is sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
+If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard.
 
 1. Change the following registry settings to 0:
 
@@ -314,7 +317,7 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 
 Instructions are given below for how to disable Virtualization-Based Security (VBS) entirely, rather than just Windows Defender Credential Guard. Disabling Virtualization-Based Security will automatically disable Windows Defender Credential Guard and other features that rely on VBS.
 
-> [!IMPORANT]
+> [!IMPORTANT]
 > Other security features in addition to Windows Defender Credential Guard rely on Virtualization-Based Security in order to run. Disabling Virtualization-Based Security may have unintended side effects.
 
 1. If Group Policy was used to enable Virtualization-Based Security, set the Group Policy setting that was used to enable it (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**) to "Disabled".
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index 445168ffc1..51ecf3c661 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -1,21 +1,22 @@
 ---
 title: Windows Defender Credential Guard protection limits & mitigations (Windows)
 description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.date: 08/17/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Windows Defender Credential Guard protection limits and mitigations
@@ -643,4 +644,4 @@ write-host $tmp -Foreground Red
 
 **Deep Dive into Windows Defender Credential Guard: Related videos**
 
-[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
\ No newline at end of file
+[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index ba9aa464db..ef9f6a2bce 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -1,21 +1,22 @@
 ---
 title: Windows Defender Credential Guard protection limits (Windows)
 description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.date: 08/17/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 # Windows Defender Credential Guard protection limits
 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 562a265130..2e2a82219b 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -1,23 +1,23 @@
 ---
 title: Windows Defender Credential Guard Requirements (Windows)
 description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer: zwhittington
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
-  - highpri
 ms.topic: article
 ms.date: 12/27/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Windows Defender Credential Guard: Requirements
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index d235f8a2dc..11caa36d86 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -1,15 +1,16 @@
 ---
 title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
-description:  Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
-ms.prod: m365-security
+description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.date: 08/17/2017
+ms.technology: itpro-security
 ---
 
 # Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index db31018523..aa1ffc29b1 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,23 +1,24 @@
 ---
 title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
 description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
-ms.reviewer: erikdau
+ms.reviewer: zwhittington
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
 ms.topic: article
 ms.date: 03/10/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Protect derived domain credentials with Windows Defender Credential Guard
@@ -30,6 +31,9 @@ By enabling Windows Defender Credential Guard, the following features and soluti
 -   **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
 -   **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures.
 
+> [!NOTE]
+> As of Windows 11, version 22H2, Windows Defender Credential Guard has been enabled by default on all devices which meet the minimum requirements as specified in the [Default Enablement](credential-guard-manage.md#default-enablement) section. For information about known issues related to default enablement, see [Credential Guard: Known Issues](credential-guard-known-issues.md#known-issue-single-sign-on-sso-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
+
  
 ## Related topics
 
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index c6ff98bda7..bfb971ef4f 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
@@ -9,12 +9,13 @@ ms.reviewer: erikdau
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index facbb090b1..4b46daa4cb 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -6,13 +6,13 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.date: 07/27/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
 ---
 
 # Enterprise Certificate Pinning
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 50dac1c934..33c5c76b9f 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,36 +1,23 @@
 ---
 title: Multi-factor Unlock
-description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. 
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
+description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
 ms.date: 03/20/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Multi-factor Unlock
 
-**Requirements:**
-* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
-* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
-* Windows 10, version 1709 or newer, or Windows 11
-* Bluetooth, Bluetooth capable phone - optional
+Windows Hello for Business supports the use of a single credential (PIN and biometrics) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
 
-Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
-
-Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
+Windows Hello for Business can be configured with multi-factor device unlock, by extending Windows Hello with trusted signals. Administrators can configure devices to request a combination of factors and trusted signals to unlock theim.
 
 Which organizations can take advantage of Multi-factor unlock? Those who:
-* Have expressed that PINs alone do not meet their security needs.
-* Want to prevent Information Workers from sharing credentials.
-* Want their organizations to comply with regulatory two-factor authentication policy.
-* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution.
+
+- Have expressed that PINs alone do not meet their security needs
+- Want to prevent Information Workers from sharing credentials
+- Want their organizations to comply with regulatory two-factor authentication policy
+- Want to retain the familiar Windows sign-in user experience and not settle for a custom solution
  
 You enable multi-factor unlock using Group Policy.  The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 1c3acf11f8..721ddca258 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,24 +1,18 @@
 ---
 title: Azure Active Directory join cloud only deployment
-description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. 
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
+description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
 ms.date: 06/23/2021
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Azure Active Directory join cloud only deployment
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-cloud.md)]
+
 ## Introduction
 
-When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed.
+When you Azure Active Directory (Azure AD) join a Windows device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud-only environment, then there's no additional configuration needed.
 
 You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below.
 
@@ -27,7 +21,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom
 
 ## Prerequisites
 
-Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process.
+Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process.
 
 The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment).
 
@@ -37,7 +31,7 @@ Check and view this setting with the following MSOnline PowerShell command:
 
 `Get-MsolDomainFederationSettings –DomainName <your federated domain name>`
 
-To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain.
+To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain.
 
 `Set-MsolDomainFederationSettings -DomainName <your federated domain name> -SupportsMfa $false`
 
@@ -55,11 +49,11 @@ We recommend that you disable or manage Windows Hello for Business provisioning
 
 The following method explains how to disable Windows Hello for Business enrollment without Intune.
 
-1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
+1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**.
 
-    When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
+    When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
 
 > [!NOTE]
 > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md).
@@ -70,7 +64,11 @@ If you don't use Intune in your organization, then you can disable Windows Hello
 
 Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
 
-To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
+To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/organization?$select=id
+```
 
 These registry settings are pushed from Intune for user policies:
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index edba592b4e..485f602211 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,21 +1,11 @@
 ---
 title: Having enough Domain Controllers for Windows Hello for Business deployments
 description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/20/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016 or later</b>
-- ✅ <b>Hybrid or On-Premises deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: article
 ---
 # Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index 0b82e155e7..b7b06e3193 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -1,18 +1,10 @@
 ---
 title: Windows Hello and password changes (Windows)
 description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
 ms.date: 07/27/2017
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Windows Hello and password changes
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c2527f8e0d..c9bc5a12f3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -1,21 +1,10 @@
 ---
 title: Windows Hello biometrics in the enterprise (Windows)
 description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
-ms.prod: m365-security
-ms.collection:
-  - M365-identity-device-management
-  - highpri
-ms.topic: article
-localizationpriority: medium
 ms.date: 01/12/2021
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Holographic for Business</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Windows Hello biometrics in the enterprise
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index da1d9d6154..3486c444df 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,24 +1,15 @@
 ---
 title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
 description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 01/14/2021
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployments</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: article
 ---
-# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust
+# Prepare and Deploy Active Directory Federation Services (AD FS)
 
-Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update.  The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
+Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS).  The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
 
 The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
 
@@ -119,6 +110,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 
 ## Review & validate
 
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 
 - Confirm the AD FS farm uses the correct database configuration.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 36186166cf..bde42599c7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,27 +1,21 @@
 ---
 title: Configure Windows Hello for Business Policy settings - certificate trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
-ms.prod: m365-security
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/20/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployments</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: article
 ---
 # Configure Windows Hello for Business Policy settings - Certificate Trust
 
-You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
+To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10 or later.
 
 On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
 * Enable Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 9d4ca3a2f5..af56ffb943 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,24 +1,17 @@
 ---
 title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
 description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployments</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: article
 ---
 # Validate Active Directory prerequisites for cert-trust deployment
 
-The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. 
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
+The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema.
 
 > [!NOTE]
 > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.
@@ -29,7 +22,9 @@ Manually updating Active Directory uses the command-line utility **adprep.exe**
 
 To locate the schema master role holder, open and command prompt and type:
 
-```Netdom query fsmo | findstr -i “schema”```
+```cmd
+netdom.exe query fsmo | findstr.exe -i "schema"
+```
 
 ![Netdom example output.](images/hello-cmd-netdom.png)
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 5ec79ae891..28d010fbd8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,23 +1,16 @@
 ---
 title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
 description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployments</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: article
 ---
 # Validate and Deploy Multi-Factor Authentication feature
 
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
 Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
 
 For information on available third-party authentication methods, see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method, see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 578db1bd4e..4b692280e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,28 +1,21 @@
 ---
 title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
 description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployments</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: article
 ---
 # Validate and Configure Public Key Infrastructure - Certificate Trust Model
 
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
 Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model.  All trust models depend on the domain controllers having a certificate.  The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.  The certificate trust model extends certificate issuance to client computers.  During Windows Hello for Business provisioning, the user receives a sign-in certificate.
 
 ## Deploy an enterprise certificate authority
 
-This guide assumes most enterprise have an existing public key infrastructure.  Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
+This guide assumes most enterprise have an existing public key infrastructure.  Windows Hello for Business depends on a Windows enterprise public key infrastructure running Active Directory Certificate Services.
 
 ### Lab-based public key infrastructure
 
@@ -33,13 +26,13 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
 >[!NOTE]
 >Never install a certificate authority on a domain controller in a production environment.
 
-1. Open an elevated Windows PowerShell prompt.
-2. Use the following command to install the Active Directory Certificate Services role.   
+1. Open an elevated Windows PowerShell prompt
+2. Use the following command to install the Active Directory Certificate Services role
     ```PowerShell
     Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
     ```
 
-3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration.   
+3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration
     ```PowerShell
     Install-AdcsCertificationAuthority
     ```   
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index 21b67500a6..115a1041e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,23 +1,16 @@
 ---
 title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
 description: A guide to on premises, certificate trust Windows Hello for Business deployment.
-ms.prod: m365-security
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer: prsriva
-manager: aaroncz
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployments</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.topic: article
 ---
 # On Premises Certificate Trust Deployment
 
+[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
+
 Windows Hello for Business replaces username and password sign-in to Windows with authentication using an asymmetric key pair. This deployment guide provides the information you'll need to successfully deploy Windows Hello for Business in an existing environment.  
 
 Below, you can find all the information needed to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 00e6171863..64b6af4819 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,25 +1,13 @@
 ---
 title: Windows Hello for Business Deployment Overview
-description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment. 
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
-  - M365-identity-device-management
-  - highpri
-ms.topic: article
-localizationpriority: medium
+description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
 ms.date: 02/15/2022
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Windows Hello for Business Deployment Overview
 
-**Applies to**
-
-- Windows 10, version 1703 or later
-- Windows 11
-
 Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
 
 This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index 43ff73fc92..8c8fd3b65d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,16 +1,10 @@
 ---
 title: Windows Hello for Business Deployment Known Issues
 description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
-params: siblings_only
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 05/03/2021
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Windows Hello for Business Known Deployment Issues
 
@@ -18,12 +12,6 @@ The content of this article is to help troubleshoot and workaround known deploym
 
 ## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error
 
-Applies to:
-
-- Azure AD joined deployments
-- Windows 10, version 1803 and later
-- Windows 11
-
 PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
 
 ### Identifying Azure AD joined PIN Reset Allowed Domains Issue
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
index faab624132..6dfcd9f952 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md
@@ -1,29 +1,21 @@
 ---
 title: Windows Hello for Business Deployment Guide - On Premises Key Deployment
 description: A guide to on premises, key trust Windows Hello for Business deployment.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/20/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # On Premises Key Trust Deployment
 
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair.  The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.  
 
 Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment:
 
 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
+3. [Prepare and Deploy Active Directory Federation Services](hello-key-trust-adfs.md)
 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
 5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 50c96ed712..af71e186d2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -1,204 +1,195 @@
 ---
-title: Deploying Certificates to Key Trust Users to Enable RDP
-description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
+title: Deploy certificates for remote desktop sign-in
+description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
+ms.collection: 
+  - ContentEngagementFY23
 ms.topic: article
 localizationpriority: medium
-ms.date: 02/22/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
-- ✅ <b>Cloud Kerberos trust</b>
+ms.date: 11/15/2022
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.technology: itpro-security
 ---
 
-# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP
+# Deploy certificates for remote desktop (RDP) sign-in
 
-Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time.
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [cloud Kerberos trust](hello-hybrid-cloud-kerberos-trust.md), [ key trust](hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** [Azure AD join](hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](hello-how-it-works-technology.md#hybrid-azure-ad-join)
 
-This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user.
+<br>
 
-Three approaches are documented here:
+---
 
-1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy.
+Windows Hello for Business supports using a certificate as the supplied credential, when establishing a remote desktop connection to another Windows device. This document discusses three approaches for *cloud Kerberos trust* and *key trust* deployments, where authentication certificates can be deployed to an existing Windows Hello for Business user:
 
-1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune.
+- Deploy certificates to hybrid joined devices using an on-premises Active Directory Certificate Services enrollment policy
+- Deploy certificates to hybrid or Azure AD-joined devices using Intune
+- Work with third-party PKIs
 
-1. Working with non-Microsoft enterprise certificate authorities.
-
-## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy
-
-### Create a Windows Hello for Business certificate template
-
-1. Sign in to your issuing certificate authority (CA).
-
-1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc).
-
-1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
-
-1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console.
-
-1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
-
-    ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png)
-
-1. On the **Compatibility** tab:
-    1. Clear the **Show resulting changes** check box
-    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list
-    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list
-
-1. On the **General** tab:
-    1. Specify a Template display name, such as **WHfB Certificate Authentication**
-    1. Set the validity period to the desired value
-    1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example).
-
-1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
-
-1. On the **Subject Name** tab:
-    1. Select the **Build from this Active Directory** information button if it is not already selected
-    1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
-    1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
-1. On the **Request Handling** tab:
-    1. Select the **Renew with same key** check box
-    1. Set the Purpose to **Signature and smartcard logon**
-        1. Click **Yes** when prompted to change the certificate purpose
-    1. Click **Prompt the user during enrollment**
-
-1. On the **Cryptography** tab:
-    1. Set the Provider Category to **Key Storage Provider**
-    1. Set the Algorithm name to **RSA**
-    1. Set the minimum key size to **2048**
-    1. Select **Requests must use one of the following providers**
-    1. Tick **Microsoft Software Key Storage Provider**
-    1. Set the Request hash to **SHA256**
-
-1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them.
-
-1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
-
-1. Close the Certificate Templates console.
-
-1. Open an elevated command prompt and change to a temporary working directory.
-
-1. Execute the following command:
-
-    `certutil -dstemplate \<TemplateName\> \> \<TemplateName\>.txt`
-
-    Replace \<TemplateName\> with the Template name you took note of earlier in step 7.
-
-1. Open the text file created by the command above.
-    1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.**
-    1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"**
-
-1. Save the text file.
-
-1. Update the certificate template by executing the following command:
-
-    certutil -dsaddtemplate \<TemplateName\>.txt
-
-1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
-
-    ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png)
-
-1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
-
-1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
-
-### Requesting a Certificate
-
-1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. 
-
-1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc).
-
-1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
-
-    ![Request a new certificate.](images/rdpcert/requestnewcertificate.png)
-
-1. On the Certificate Enrollment screen, click **Next**.
-
-1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**.
-
-1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**.
-
-1. After a successful certificate request, click Finish on the Certificate Installation Results screen
-
-## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune
-
-Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](/mem/intune/protect/certificates-scep-configure).
-
-Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](/mem/intune/protect/certificates-trusted-root).
-
-Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows:
-
-1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-1. Navigate to Devices \> Configuration Profiles \> Create profile.
-
-1. Enter the following properties:
-    1. For Platform, select **Windows 10 and later**.
-    1. For Profile, select **SCEP Certificate**.
-    1. Click **Create**.
-
-1. In **Basics**, enter the following parameters:
-    1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company.
-    1. **Description**: Enter a description for the profile. This setting is optional, but recommended.
-    1. Select **Next**.
-
-1. In the **Configuration settings**, complete the following:
-    1. For Certificate Type, choose **User**.
-    1. For Subject name format, set it to **CN={{UserPrincipalName}}**.
-    1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**.
-    1. For Certificate validity period, set a value of your choosing.
-    1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**.
-    1. For Key usage, choose **Digital Signature**.
-    1. For Key size (bits), choose **2048**.
-    1. For Hash algorithm, choose **SHA-2**.
-    1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate.
-    1. Under Extended key usage, add the following:
-
-        | Name | Object Identifier | Predefined Values |
-        |------|-------------------|-------------------|
-        | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon |
-        | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication |
-
-    1. For Renewal threshold (%), set a value of your choosing.
-    1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure.
-    1. Click **Next**
-1. In Assignments, target the devices or users who should receive a certificate and click **Next**
-
-1. In Applicability Rules, provide additional issuance restrictions if required and click **Next**
-
-1. In Review + create, click **Create**
-
-Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps:
-
-1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc)
-
-1. In the left pane of the MMC, expand **Personal** and select **Certificates**
-
-1. In the right-hand pane of the MMC, check for the new certificate
+## Deploy certificates via Active Directory Certificate Services (AD CS)
 
 > [!NOTE]
-> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies.
+> This process is applicable to *hybrid Azure AD joined* devices only.
 
-## Using non-Microsoft Enterprise Certificate Authorities
+To deploy certificates using an on-premises Active Directory Certificate Services enrollment policy, you must first create a *certificate template*, and then deploy certificates based on that template.
 
-If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](/mem/intune/protect/certificate-authority-add-scep-overview).
+Expand the following sections to learn more about the process.
 
-As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet.
+<br>
+<details>
+<summary><b>Create a Windows Hello for Business certificate template</b></summary>
 
-The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate.
+Follow these steps to create a certificate template:
 
-## RDP Sign-in with Windows Hello for Business Certificate Authentication
+1. Sign in to your issuing certificate authority (CA) and open *Server Manager*
+1. Select **Tools > Certification Authority**. The Certification Authority Microsoft Management Console (MMC) opens
+1. In the MMC, expand the CA name and right-click **Certificate Templates > Manage**
+1. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane
+1. Right-click the **Smartcard Logon** template and select **Duplicate Template**
+1. Use the following table to configure the template:
 
-After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server.
+    | Tab Name | Configurations |
+    | --- | --- |
+    | *Compatibility* | <ul><li>Clear the **Show resulting changes** check box</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Authority list*</li><li>Select **Windows Server 2012 or Windows Server 2012 R2** from the *Certification Recipient list*</li></ul>|
+    | *General* | <ul><li>Specify a **Template display name**, for example *WHfB Certificate Authentication*</li><li>Set the validity period to the desired value</li><li>Take note of the Template name for later, which should be the same as the Template display name minus spaces (*WHfBCertificateAuthentication* in this example)</li></ul>|
+    | *Extensions* | Verify the **Application Policies** extension includes **Smart Card Logon**|
+    | *Subject Name* | <ul><li> Select the **Build from this Active Directory** information button if it isn't already selected</li><li>Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name isn't already selected</li><li>Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**</li></ul><br>**Note:** If you deploy certificates via Intune, select **Supply in the request** instead of *Build from this Active Directory*.|
+    |*Request Handling*|<ul><li>Set the Purpose to **Signature and smartcard logon** and select **Yes** when prompted to change the certificate purpose</li><li>Select the **Renew with same key** check box</li><li>Select **Prompt the user during enrollment**</li></ul>|
+    |*Cryptography*|<ul><li>Set the Provider Category to **Key Storage Provider**</li><li>Set the Algorithm name to **RSA**</li><li>Set the minimum key size to **2048**</li><li>Select **Requests must use one of the following providers**</li><li>Select **Microsoft Software Key Storage Provider**</li><li>Set the Request hash to **SHA256**</li></ul>|
+    |*Security*|Add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them|
 
-1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid Azure Active Directory-Joined client where the authentication certificate has been deployed.
-1. Attempt an RDP session to a target server.
-1. Use the certificate credential protected by your Windows Hello for Business gesture.
+1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
+1. Close the Certificate Templates console
+1. Open an elevated command prompt and change to a temporary working directory
+1. Execute the following command, replacing `<TemplateName>` with the **Template display name** noted above
+
+    ```cmd
+    certutil.exe -dstemplate <TemplateName> > <TemplateName.txt>
+    ```
+
+1. Open the text file created by the command above.
+    - Delete the last line of the output from the file that reads\
+      `CertUtil: -dsTemplate command completed successfully.`
+    - Modify the line that reads\
+      `pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"` to\
+      `pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"`
+1. Save the text file
+1. Update the certificate template by executing the following command:
+
+    ```cmd
+    certutil.exe -dsaddtemplate <TemplateName.txt>
+    ```
+
+1. In the Certificate Authority console, right-click **Certificate Templates**, select **New > Certificate Template to Issue**
+1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and select **OK**. It can take some time for the template to replicate to all servers and become available in this list
+1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks > Stop Service**. Right-click the name of the CA again, select **All Tasks > Start Service**
+
+</details>
+
+<br>
+<details>
+<summary><b>Request a certificate</b></summary>
+
+1. Sign in to a client that is hybrid Azure AD joined, ensuring that the client has line of sight to a domain controller and the issuing CA
+1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
+1. In the left pane of the MMC, right-click **Personal > All Tasks > Request New Certificate…**
+1. On the Certificate Enrollment screen, select **Next**
+1. Under *Select Certificate Enrollment Policy*, select **Active Directory Enrollment Policy > Next**
+1. Under *Request Certificates*, select the check-box for the certificate template you created in the previous section (*WHfB Certificate Authentication*) and then select **Enroll**
+1. After a successful certificate request, select **Finish** on the Certificate Installation Results screen
+
+</details>
+
+## Deploy certificates via Intune
+
+> [!NOTE]
+> This process is applicable to both *Azure AD joined* and *hybrid Azure AD joined* devices that are managed via Intune.
+
+Deploying a certificate to Azure AD joined or hybrid Azure AD joined devices may be achieved using the Simple Certificate Enrollment Protocol (SCEP) or PKCS (PFX) via Intune. For guidance deploying the required infrastructure, refer to:
+
+- [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune][MEM-1]
+- [Configure and use PKCS certificates with Intune][MEM-2]
+
+Next, you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD joined Devices using a *Trusted root certificate* policy with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune][MEM-5].
+
+Once these requirements are met, a policy can be configured in Intune that provisions certificates for the users on the targeted device.
+
+<br>
+<details>
+<summary><b>Create a policy in Intune</b></summary>
+
+This section describes how to configure a SCEP policy in Intune. Similar steps can be followed to configure a PKCS policy.
+
+1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
+1. Select **Devices > Configuration profiles > Create profile**
+1. Select **Platform > Windows 10 and later** and **Profile type > Templates > SCEP Certificate**
+1. Select **Create**
+1. In the *Basics* panel, provide a **Name** and, optionally, a **Description > Next**
+1. In the *Configuration settings* panel, use the following table to configure the policy:
+
+    | Setting| Configurations |
+    | --- | --- |
+    |*Certificate Type*| User |
+    |*Subject name format* | `CN={{UserPrincipalName}}` |
+    |*Subject alternative name* |From the dropdown, select **User principal name (UPN)** with a value of `{{UserPrincipalName}}`
+    |*Certificate validity period* | Configure a value of your choosing|
+    |*Key storage provider (KSP)* | **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**
+    |*Key usage*| **Digital Signature**|
+    |*Key size (bits)* | **2048**|
+    |*For Hash algorithm*|**SHA-2**|
+    |*Root Certificate*| Select **+Root Certificate** and select the trusted certificate profile created earlier for the Root CA Certificate|
+    |*Extended key usage*| <ul><li>*Name:* **Smart Card Logon**</li><li>*Object Identifier:* `1.3.6.1.4.1.311.20.2.2`</li><li>*Predefined Values:* **Not configured**</li><br><li>*Name:* **Client Authentication**</li><li>*Object Identifier:* `1.3.6.1.5.5.7.3.2 `</li><li>*Predefined Values:* **Client Authentication**</li></ul>|
+    |*Renewal threshold (%)*|Configure a value of your choosing|
+    |*SCEP Server URLs*|Provide the public endpoint(s) that you configured during the deployment of your SCEP infrastructure|
+
+1. Select **Next**
+1. In the *Assignments* panel, assign the policy to a security group that contains as members the devices or users that you want to configure and select **Next**
+1. In the *Applicability Rules* panel, configure issuance restrictions, if needed, and select **Next**
+1. In the *Review + create* panel, review the policy configuration and select **Create**
+
+For more information how to configure SCEP policies, see [Configure SCEP certificate profiles in Intune][MEM-3].
+To configure PKCS policies, see [Configure and use PKCS certificate with Intune][MEM-4].
+
+</details>
+
+<br>
+<details>
+<summary><b>Request a certificate</b></summary>
+Once the Intune policy is created, targeted clients will request a certificate during their next policy refresh cycle. To validate that the certificate is present in the user store, follow these steps:
+
+1. Sign in to a client targeted by the Intune policy
+1. Open the **Certificates - Current User** Microsoft Management Console (MMC). To do so, you can execute the command `certmgr.msc`
+1. In the left pane of the MMC, expand **Personal** and select **Certificates**
+1. In the right-hand pane of the MMC, check for the new certificate
+
+</details>
+
+## Use third-party certification authorities
+
+If you're using a non-Microsoft PKI, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune][MEM-6].
+
+As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest][HTTP-1] PowerShell commandlet.
+
+The `Generate-CertificateRequest` commandlet will generate an *.inf* file for a pre-existing Windows Hello for Business key. The *.inf* can be used to generate a certificate request manually using `certreq.exe`. The commandlet will also generate a *.req* file, which can be submitted to your PKI for a certificate.
+
+## RDP sign-in with Windows Hello for Business certificate authentication
+
+After obtaining a certificate, users can RDP to any Windows devices in the same Active Directory forest as the user's Active Directory account.
+
+> [!NOTE]
+> The certificate chain of the issuing CA must be trusted by the target server.
+
+1. Open the Remote Desktop Client (`mstsc.exe`) on the client where the authentication certificate has been deployed
+1. Attempt an RDP session to a target server
+1. Use the certificate credential protected by your Windows Hello for Business gesture to authenticate
+
+[MEM-1]: /mem/intune/protect/certificates-scep-configure
+[MEM-2]: /mem/intune/protect/certificates-pfx-configure
+[MEM-3]: /mem/intune/protect/certificates-profile-scep
+[MEM-4]: /mem/intune/protect/certificates-pfx-configure
+[MEM-5]: /mem/intune/protect/certificates-trusted-root
+[MEM-6]: /mem/intune/protect/certificate-authority-add-scep-overview
+
+[HTTP-1]: https://www.powershellgallery.com/packages/Generate-CertificateRequest
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index ec6b931e13..e1b28aec6f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -1,20 +1,10 @@
 ---
 title: Windows Hello errors during PIN creation (Windows)
 description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
-  - M365-identity-device-management
-  - highpri
 ms.topic: troubleshooting
-ms.localizationpriority: medium
 ms.date: 05/05/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 ---
 
 # Windows Hello errors during PIN creation
diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md
index b0418e21c0..484985c43d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-event-300.md
+++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md
@@ -1,18 +1,10 @@
 ---
 title: Event ID 300 - Windows Hello successfully created (Windows)
 description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
 ms.date: 07/27/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Event ID 300 - Windows Hello successfully created
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 88115dc1cb..f4456c7110 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -3,8 +3,8 @@ metadata:
   title: Windows Hello for Business Frequently Asked Questions (FAQ)
   description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.   
   keywords: identity, PIN, biometric, Hello, passport
-  ms.prod: m365-security
-  ms.mktglfcycl: deploy
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.sitesec: library
   ms.pagetype: security, mobile
   audience: ITPro
@@ -17,10 +17,9 @@ metadata:
     - highpri
   ms.topic: faq
   localizationpriority: medium
-  ms.date: 02/21/2022
-  appliesto:
-  - ✅ <b>Windows 10</b>
-  - ✅ <b>Windows 11</b>
+  ms.date: 11/11/2022
+  appliesto: 
+    - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 
 title: Windows Hello for Business Frequently Asked Questions (FAQ)
 summary: |
@@ -47,11 +46,11 @@ sections:
           Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates.
 
           
-      - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
+      - question: Can I deploy Windows Hello for Business by using Microsoft Configuration Manager?
         answer: |
           Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings).
 
-      - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Manager Intune?
+      - question: Can I deploy Windows Hello for Business by using Microsoft Intune?
         answer: |
           Windows Hello for Business deployments using Intune allow for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
           
@@ -63,7 +62,19 @@ sections:
         answer: |
           When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key.  With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
           The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
-          
+
+      - question: What's a container?
+        answer: |  
+          In the context of Windows Hello for Business, it's shorthand for a logical grouping of key material or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
+          The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
+          Note that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials of Windows Hello stores, are protected without the creation of actual containers or folders.
+          The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. Each logical container holds one or more sets of keys.\
+          :::image type="content" source="images/passport-fig3-logicalcontainer.png" alt-text="logical container with set of keys":::
+
+      - question: How do I delete a Windows Hello for Business container on a device?
+        answer: |  
+          You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device.
+
       - question: How does Windows Hello for Business work with Azure AD registered devices?
         answer: |
           A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices  if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures.
@@ -88,7 +99,7 @@ sections:
 
       - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked?
         answer: |
-          Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11.
+          Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in Windows 11, version 22H2.
 
       - question: Why does authentication fail immediately after provisioning hybrid key trust?
         answer: |
@@ -155,11 +166,11 @@ sections:
 
       - question: Where is Windows Hello biometrics data stored?
         answer: |
-            When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server.  For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
+            When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server.  For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored).
       
       - question: What is the format used to store Windows Hello biometrics data on the device?
         answer: |
-          Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. 
+          Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. 
       
       - question: Who has access on Windows Hello biometrics data? 
         answer: |
@@ -167,11 +178,11 @@ sections:
       
       - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication?
         answer: |
-          Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
+          Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a pin. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just select on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users.
 
       - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication?
         answer: |
-            To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
+            To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy).
       
       - question: What about any diagnostic data coming out when WHFB is enabled?
         answer: |
@@ -187,7 +198,7 @@ sections:
 
       - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
         answer: |
-          Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, consider unenrolling from face authentication and only using PIN or fingerprint.
+          Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, consider unenrolling from face authentication and only using PIN or fingerprint.
 
       - question: What's the difference between Windows Hello and Windows Hello for Business?
         answer: |
@@ -199,7 +210,7 @@ sections:
 
       - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
         answer: |
-          No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
+          No. If your organization is using Microsoft cloud services, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
 
       - question: Does Windows Hello for Business prevent the use of simple PINs?
         answer: |
@@ -248,7 +259,7 @@ sections:
           Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.<br><br>
           
           | Protocol | Description |
-          | :---: | :--- |
+          | :--- | :--- |
           | [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
           | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. |  
           | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index 2acbb4823a..a96e6d66b5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -1,15 +1,10 @@
 ---
 title: Conditional Access
 description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 09/09/2019
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Conditional access
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 489d5513cf..adfbe58657 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -1,15 +1,10 @@
 ---
 title: Dual Enrollment
 description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 09/09/2019
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Dual Enrollment
@@ -18,7 +13,6 @@ ms.date: 09/09/2019
 
 * Hybrid and On-premises Windows Hello for Business deployments
 * Enterprise joined or Hybrid Azure joined devices
-* Windows 10, version 1709 or later
 * Certificate trust
 
 > [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 4fbe94952d..6bae92fc12 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,18 +1,10 @@
 ---
 title: Dynamic lock
 description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 07/12/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Dynamic lock
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 9b9e87b305..313ef05f54 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,20 +1,13 @@
 ---
 title: Pin Reset
 description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
-ms.topic: article
-localizationpriority: medium
 ms.date: 07/29/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # PIN reset
@@ -30,12 +23,7 @@ There are two forms of PIN reset:
 
 There are two forms of PIN reset called destructive and non-destructive. Destructive PIN reset is the default and doesn't require configuration. During a destructive PIN reset, the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned. For non-destructive PIN reset, you must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.
 
-**Requirements**
-
-- Reset from settings - Windows 10, version 1703 or later, Windows 11
-- Reset above Lock - Windows 10, version 1709 or later, Windows 11
-
-Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users do not have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
+Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider.
 
 
 >[!IMPORTANT]
@@ -52,16 +40,16 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI
 
 For Azure AD-joined devices:
 
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
 1. Select **I forgot my PIN** from the PIN credential provider.
-1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key).
+1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (like Password, PIN, Security key).
 1. Follow the instructions provided by the provisioning process.
 1. When finished, unlock your desktop using your newly created PIN.
 
 
 For Hybrid Azure AD-joined devices:
 
-1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
+1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon.
 1. Select **I forgot my PIN** from the PIN credential provider.
 1. Enter your password and press enter.
 1. Follow the instructions provided by the provisioning process.
@@ -70,19 +58,19 @@ For Hybrid Azure AD-joined devices:
 > [!NOTE]
 > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
 
-You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
 
 ## Non-Destructive PIN reset
 
 **Requirements:**
 
 - Azure Active Directory
-- Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903.
+- Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903.
 - Hybrid Windows Hello for Business deployment
 - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
 
 
-When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory.
+When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
 
 Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
 
@@ -95,10 +83,10 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi
 |Category|Destructive PIN Reset|Non-Destructive PIN Reset|
 |--- |--- |--- |
 |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.|
-|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
+|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.|
 |**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust|
 |**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.|
-|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
+|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.|
 |**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.|
 |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.|
 
@@ -117,13 +105,13 @@ Before you can remotely reset PINs, you must register two applications in your A
 #### Connect Azure Active Directory with the PIN Reset Service
 
 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization.
+1. After you've logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization.
    ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png)
 
 #### Connect Azure Active Directory with the PIN Reset Client
 
 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant.
-1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization.
+1. After you've logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization.
    ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png)
 
 #### Confirm that the two PIN Reset service principals are registered in your tenant
@@ -137,11 +125,11 @@ Before you can remotely reset PINs, you must register two applications in your A
 
 Before you can remotely reset PINs, your devices must be configured to enable PIN Recovery. Follow the instructions below to configure your devices using either Microsoft Intune, Group Policy Objects (GPO), or Configuration Service Providers (CSP).
 
-#### [✅ **Intune**](#tab/intune)
+#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
 
 You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Select **Devices** > **Configuration profiles** > **Create profile**.
 1. Enter the following properties:
     - **Platform**: Select **Windows 10 and later**.
@@ -163,10 +151,10 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
 
 >[!NOTE]
 > You can also configure PIN recovery from the **Endpoint security** blade:
-> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 > 1. Select **Endpoint security** > **Account protection** > **Create Policy**.
 
-#### [✅ **GPO**](#tab/gpo)
+#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
 You can configure Windows devices to use the **Microsoft PIN Reset Service** using a Group Policy Object (GPO).
 
@@ -175,7 +163,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
 1. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
 1. Close the Group Policy Management Editor to save the Group Policy object.
 
-#### [✅ **CSP**](#tab/csp)
+#### [:::image type="icon" source="../../images/icons/windows-os.svg"::: **CSP**](#tab/CSP)
 
 You can configure Windows devices to use the **Microsoft PIN Reset Service** using the [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp).
 
@@ -184,7 +172,11 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
 - Value: **True**
 
 >[!NOTE]
-> You must replace `TenantId` with the identifier of your Azure Active Directory tenant.
+> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/organization?$select=id
+```
 
 ---
 
@@ -236,11 +228,11 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a
 
 - Azure AD joined devices
 
-The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then this policy should be set. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
 
 ### Configure Web Sign-in Allowed URLs using Microsoft Intune
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
 1. Select **Devices** > **Configuration profiles** > **Create profile**
 1. Enter the following properties:
     - **Platform**: Select **Windows 10 and later**
@@ -266,7 +258,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
 > [!NOTE]
 > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy.
 
-## Related topics
+## Related articles
 
 - [Windows Hello for Business](hello-identity-verification.md)
 - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 9073c4ef60..2281821bdc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,23 +1,15 @@
 ---
 title: Remote Desktop
 description: Learn how Windows Hello for Business supports using biometrics with remote desktop
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 02/24/2021
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Remote Desktop
 
 **Requirements**
-
-- Windows 10
-- Windows 11
 - Hybrid and On-premises Windows Hello for Business deployments
 - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index ffaec80712..27dde9400e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -1,18 +1,10 @@
 ---
 title: How Windows Hello for Business works - Authentication
 description: Learn about the authentication flow for  Windows Hello for Business.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 02/15/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Windows Hello for Business and Authentication
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 6ebf241107..6d250848d5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -1,18 +1,10 @@
 ---
 title: How Windows Hello for Business works - Provisioning
 description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 2/15/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Windows Hello for Business Provisioning
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index ff24499d85..ad5eec8634 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -1,18 +1,10 @@
 ---
 title: How Windows Hello for Business works - technology and terms
 description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 10/08/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Technology and terms
@@ -157,7 +149,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
 
 ## Federated environment
 
-Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
+Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Microsoft cloud services. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
 
 ### Related to federated environment
 
@@ -193,7 +185,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
 
 ## Hybrid deployment
 
-The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports three trust types for on-premises authentication: cloud Kerberos trust, key trust and certificate trust.
 
 ### Related to hybrid deployment
 
@@ -268,7 +260,7 @@ The Windows Hello for Business on-premises deployment is for organizations that
 
 ## Pass-through authentication
 
-Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Allows your users to sign in to both on-premises and Microsoft cloud resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Azure AD. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
 
 ### Related to pass-through authentication
 
@@ -282,7 +274,7 @@ Pass-through authentication provides a simple password validation for Azure AD a
 
 ## Password hash sync
 
-Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Azure AD and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
 
 ### Related to password hash sync
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index cb5b134268..9f3670151c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -1,22 +1,14 @@
 ---
 title: How Windows Hello for Business works
 description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 05/05/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # How Windows Hello for Business works in Windows Devices
 
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a two-factor credential that is a more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
 
 Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
 > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index c936ab0e6a..a53b5977d6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -1,44 +1,34 @@
 ---
 title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
 description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
-  - M365-identity-device-management
-  - highpri
-ms.topic: article
-localizationpriority: medium
 ms.date: 01/14/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Azure Active Directory-join</b>
-- ✅ <b>Hybrid Deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
+
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
+
 ## Prerequisites
 
-Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices.  Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain.  This factor changes the way in which users authenticate to Active Directory.  Validate the following configurations to ensure they support Azure AD-joined devices.
+Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices.  Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain.  This factor changes the way in which users authenticate to Active Directory.  Validate the following configurations to ensure they support Azure AD-joined devices.
 
 - Azure Active Directory Connect synchronization
 - Device Registration
 - Certificate Revocation List (CRL) Distribution Point (CDP)
 - 2016 Domain Controllers
 - Domain Controller certificate
-- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
+- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, you can use any VPN solution.
 
 ### Azure Active Directory Connect synchronization
-Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure.  To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate.  Ensure you have Azure AD Connect installed and functioning properly.  To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
+Azure AD join, and hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure.  To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you're using a key or a certificate.  Ensure you have Azure AD Connect installed and functioning properly.  To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
 
 If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
 ![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png)
 
 ### Azure Active Directory Device Registration
-A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration.  A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory.  For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
+A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration.  A user can't provision Windows Hello for Business unless the device from which they're trying to provision has registered with Azure Active Directory.  For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
 
 You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
 ![dsregcmd output.](images/aadj/dsregcmd.png)
@@ -49,24 +39,24 @@ Certificates issued by a certificate authority can be revoked.  When a certifica
 
 ![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
 
-The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory.  You can determine this because the value in the URL begins with **ldap**.  Using Active Directory for domain joined devices provides a highly available CRL distribution point.  However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list.  This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
+The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. The value in the URL begins with **ldap**.  Using Active Directory for domain joined devices provides a highly available CRL distribution point.  However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the certificate revocation list.  The authentication becomes a circular problem. The user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated.
 
-To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that does not require authentication.  The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that doesn't require authentication.  The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
 
-If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
+If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
 
 > [!NOTE]
 > If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server.
 
 ### Windows Server 2016 Domain Controllers
 
-If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers.  Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key.  What do we mean by adequate?  We are glad you asked.  Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+If you're interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers.  Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key.  What do we mean by adequate?  We're glad you asked.  Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
-If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place.  The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server.  You can simply ignore the Windows Server 2016 domain controller requirement.  
+If you're interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you're the right place.  The same certificate configuration on the domain controllers is needed, whether you're using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server.  You can ignore the Windows Server 2016 domain controller requirement.  
 
 ### Domain Controller Certificates
 
-Certificate authorities write CRL distribution points in certificates as they are issued.  If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point.  The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory
+Certificate authorities write CRL distribution points in certificates as they're issued.  If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point.  The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory
 
 #### Why does Windows need to validate the domain controller certificate?
 
@@ -80,7 +70,7 @@ Windows Hello for Business enforces the strict KDC validation security feature w
 - The domain controller's certificate's signature hash algorithm is **sha256**.
 - The domain controller's certificate's public key is **RSA (2048 Bits)**.
 
-Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
+Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you're adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
 
 > [!Tip]
 > If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate.
@@ -89,7 +79,7 @@ Authenticating from a Hybrid Azure AD joined device to a domain using Windows He
 
 Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. 
 
-Steps you will perform include:
+Steps you'll perform include:
 
 - [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point) 
 - [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list)
@@ -100,40 +90,40 @@ Steps you will perform include:
 
 ### Configure Internet Information Services to host CRL distribution point
 
-You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication.  You can host these files on web servers many ways.  The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point.
+You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication.  You can host these files on web servers many ways.  The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point.
 
 > [!IMPORTANT]
 > Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate.  Clients should access the distribution point using http. 
 
 #### Installing the Web Server
 
-1. Sign-in to your server as a local administrator and start **Server Manager** if it did not start during your sign in. 
-2. Click the **Local Server** node in the navigation pane.  Click **Manage** and click **Add Roles and Features**.
-3. In the **Add Role and Features Wizard**, click **Server Selection**.  Verify the selected server is the local server.  Click **Server Roles**.  Select the check box next to **Web Server (IIS)**.
-4. Click **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role.
+1. Sign-in to your server as a local administrator and start **Server Manager** if it didn't start during your sign in. 
+2. Select the **Local Server** node in the navigation pane.  Select **Manage** and select **Add Roles and Features**.
+3. In the **Add Role and Features Wizard**, select **Server Selection**.  Verify the selected server is the local server.  Select **Server Roles**.  Select the check box next to **Web Server (IIS)**.
+4. Select **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role.
  
 #### Configure the Web Server
 
 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
-2. Expand the navigation pane to show **Default Web Site**.  Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
-3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**.  For physical path, type or browse for the physical file location where you will host the certificate revocation list.  For this example, the path **c:\cdp** is used. Click **OK**.
+2. Expand the navigation pane to show **Default Web Site**.  Select and then right-click **Default Web site** and select **Add Virtual Directory...**.
+3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**.  For physical path, type or browse for the physical file location where you'll host the certificate revocation list.  For this example, the path **c:\cdp** is used. Select **OK**.
    ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) 
    > [!NOTE]
    > Make note of this path as you will use it later to configure share and file permissions.
 
-4. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Directory Browsing** in the content pane.  Click **Enable** in the details pane.
+4. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Directory Browsing** in the content pane.  Select **Enable** in the details pane.
 5. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Configuration Editor**.
 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
    ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png)   
-   In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**.  Click **Apply** in the actions pane.
+   In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**.  Select **Apply** in the actions pane.
    ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png)
 7. Close **Internet Information Services (IIS) Manager**. 
 
 #### Create a DNS resource record for the CRL distribution point URL 
 
 1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
-2. Expand **Forward Lookup Zones** to show the DNS zone for your domain.  Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
-3. In the **New Host** dialog box, type **crl** in **Name**.  Type the IP address of the web server you configured in **IP Address**. Click **Add Host**.  Click **OK** to close the **DNS** dialog box.  Click **Done**.
+2. Expand **Forward Lookup Zones** to show the DNS zone for your domain.  Right-click your domain name in the navigation pane and select **New Host (A or AAAA)...**.
+3. In the **New Host** dialog box, type **crl** in **Name**.  Type the IP address of the web server you configured in **IP Address**. Select **Add Host**.  Select **OK** to close the **DNS** dialog box.  Select **Done**.
 ![Create DNS host record.](images/aadj/dns-new-host-dialog.png)
 4. Close the **DNS Manager**. 
 
@@ -144,37 +134,37 @@ These procedures configure NTFS and share permissions on the web server to allow
 #### Configure the CDP file share
 
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and click **Properties**.  Click the **Sharing** tab.  Click **Advanced Sharing**.
-3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.
+2. Right-click the **cdp** folder and select **Properties**.  Select the **Sharing** tab.  Select **Advanced Sharing**.
+3. Select **Share this folder**. Type **cdp$** in **Share name**. Select **Permissions**.
 ![cdp sharing.](images/aadj/cdp-sharing.png)
-4. In the **Permissions for cdp$** dialog box, click **Add**.
-5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**.  In the **Object Types** dialog box, select **Computers**, and then click **OK**.
-7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
-8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
+4. In the **Permissions for cdp$** dialog box, select **Add**.
+5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**.  In the **Object Types** dialog box, select **Computers**, and then select **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then select **Check Names**. Select **OK**.
+8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**.
 ![CDP Share Permissions.](images/aadj/cdp-share-permissions.png)
-9. In the **Advanced Sharing** dialog box, click **OK**.
+9. In the **Advanced Sharing** dialog box, select **OK**.
 
 > [!Tip]
 > Make sure that users can access **\\\Server FQDN\sharename**.
 
 #### Disable Caching 
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and click **Properties**.  Click the **Sharing** tab.  Click **Advanced Sharing**.
-3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
+2. Right-click the **cdp** folder and select **Properties**.  Select the **Sharing** tab.  Select **Advanced Sharing**.
+3. Select **Caching**. Select **No files or programs from the shared folder are available offline**.
 ![CDP disable caching.](images/aadj/cdp-disable-caching.png)
-4. Click **OK**. 
+4. Select **OK**. 
 
 #### Configure NTFS permission for the CDP folder
 
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
-2. Right-click the **cdp** folder and click **Properties**.  Click the **Security** tab.
-3. On the **Security** tab, click Edit.
-5. In the **Permissions for cdp** dialog box, click **Add**.
+2. Right-click the **cdp** folder and select **Properties**.  Select the **Security** tab.
+3. On the **Security** tab, select Edit.
+5. In the **Permissions for cdp** dialog box, select **Add**.
 ![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png)
-6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**.  In the **Object Types** dialog box, select **Computers**. Click **OK**.
-7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
-8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
-9. Click **Close** in the **cdp Properties** dialog box.
+6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**.  In the **Object Types** dialog box, select **Computers**. Select **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then select **Check Names**. Select **OK**.
+8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**.
+9. Select **Close** in the **cdp Properties** dialog box.
 
 
 ### Configure the new CRL distribution point and Publishing location in the issuing certificate authority
@@ -184,17 +174,17 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 
 #### Configure the CRL distribution Point
 1. On the issuing certificate authority, sign-in as a local administrator.  Start the **Certificate Authority** console from **Administrative Tools**. 
-2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
-3. Click **Extensions**.  On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, click **Add**. Type <b>http://crl.[domainname]/cdp/</b> in **location**.  For example, `<http://crl.corp.contoso.com/cdp/>` or `<http://crl.contoso.com/cdp/>` (do not forget the trailing forward slash). 
+2. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+3. Select **Extensions**.  On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4. On the **Extensions** tab, select **Add**. Type <b>http://crl.[domainname]/cdp/</b> in **location**.  For example, `<http://crl.corp.contoso.com/cdp/>` or `<http://crl.contoso.com/cdp/>` (don't forget the trailing forward slash). 
    ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png)
-5. Select **\<CaName>** from the **Variable** list and click **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
-6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+5. Select **\<CaName>** from the **Variable** list and select **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and select **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and select **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Select **OK**.
 7. Select the CDP you just created.
    ![CDP complete http.](images/aadj/cdp-extension-complete-http.png)
 8. Select **Include in CRLs.  Clients use this to find Delta CRL locations**.
 9. Select **Include in the CDP extension of issued certificates**.
-10. Click **Apply** save your selections.  Click **No** when ask to restart the service.
+10. Select **Apply** save your selections.  Select **No** when ask to restart the service.
 
 > [!NOTE]
 > Optionally, you can remove unused CRL distribution points and publishing locations.
@@ -202,43 +192,43 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 #### Configure the CRL publishing location
 
 1. On the issuing certificate authority, sign-in as a local administrator.  Start the **Certificate Authority** console from **Administrative Tools**. 
-2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
-3. Click **Extensions**.  On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
-4. On the **Extensions** tab, click **Add**.  Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share).  For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash).
-5. Select **\<CaName>** from the **Variable** list and click **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
-6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+2. In the navigation pane, right-click the name of the certificate authority and select **Properties**
+3. Select **Extensions**.  On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4. On the **Extensions** tab, select **Add**.  Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share).  For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash).
+5. Select **\<CaName>** from the **Variable** list and select **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and select **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and select **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Select **OK**.
 7. Select the CDP you just created. <br/>
    ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png)
 8. Select **Publish CRLs to this location**.
 9. Select **Publish Delta CRLs to this location**.
-10. Click **Apply** save your selections.  Click **Yes** when ask to restart the service.  Click **OK** to close the properties dialog box.
+10. Select **Apply** save your selections.  Select **Yes** when ask to restart the service.  Select **OK** to close the properties dialog box.
 
 ### Publish a new CRL
 
 1. On the issuing certificate authority, sign-in as a local administrator.  Start the **Certificate Authority** console from **Administrative Tools**.
-2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
+2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish**
 ![Publish a New CRL.](images/aadj/publish-new-crl.png)
-3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
+3. In the **Publish CRL** dialog box, select **New CRL** and select **OK**.
 
 #### Validate CDP Publishing
 
 Validate your new CRL distribution point is working. 
 
-1. Open a web browser. Navigate to <b>http://crl.[yourdomain].com/cdp</b>.  You should see two files created from publishing your new CRL.
+1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`.  You should see two files created from publishing your new CRL.
    ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png)
 
 ### Reissue domain controller certificates
 
-With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate does not have the updated CRL distribution point. 
+With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point. 
 
 1. Sign-in a domain controller using administrative credentials.
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+3. In the navigation pane, expand **Personal**.  Select **Certificates**.  In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
 ![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png)
-4. Right-click the selected certificate.  Hover over **All Tasks** and then select **Renew Certificate with New Key...**.  In the **Certificate Enrollment** wizard, click **Next**.
+4. Right-click the selected certificate.  Hover over **All Tasks** and then select **Renew Certificate with New Key...**.  In the **Certificate Enrollment** wizard, select **Next**.
 ![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) 
-5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available.  Click **Enroll**.
-6. After the enrollment completes, click **Finish** to close the wizard. 
+5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available.  Select **Enroll**.
+6. After the enrollment completes, select **Finish** to close the wizard. 
 7. Repeat this procedure on all your domain controllers.
 
 > [!NOTE]
@@ -251,16 +241,16 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 
 1. Sign-in a domain controller using administrative credentials.
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Click the **Details** tab.  Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list.  Select **CRL Distribution Point**.
-5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate.  Click **OK**.</br>
+3. In the navigation pane, expand **Personal**.  Select **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+4. Select the **Details** tab.  Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list.  Select **CRL Distribution Point**.
+5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate.  Select **OK**.</br>
 ![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
 
 ## Configure and Assign a Trusted Certificate Device Configuration Profile
 
-Your domain controllers have new certificate that include the new CRL distribution point.  Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices.  Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority.  Without the certificate, Azure AD-joined devices do not trust domain controller certificates and authentication fails. 
+Your domain controllers have new certificates that include the new CRL distribution point.  Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to the device, it ensures the device trusts any certificates issued by the certificate authority.  Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails. 
 
-Steps you will perform include:
+Steps you'll perform include:
 - [Export Enterprise Root certificate](#export-enterprise-root-certificate)
 - [Create and Assign a Trust Certificate Device Configuration Profile](#create-and-assign-a-trust-certificate-device-configuration-profile)
 
@@ -268,30 +258,30 @@ Steps you will perform include:
 
 1. Sign-in a domain controller using administrative credentials.
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
-3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-4. Click the **Certification Path** tab.  In the **Certification path** view, select the top most node and click **View Certificate**.
+3. In the navigation pane, expand **Personal**.  Select **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+4. Select the **Certification Path** tab.  In the **Certification path** view, select the topmost node and select **View Certificate**.
 ![Certificate Path.](images/aadj/certlm-cert-path-tab.png)
-5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
+5. In the new **Certificate** dialog box, select the **Details** tab. Select **Copy to File**.
 ![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png)
-6. In the **Certificate Export Wizard**, click **Next**.  
-7. On the **Export File Format** page of the wizard, click **Next**.  
-8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. <br>
+6. In the **Certificate Export Wizard**, select **Next**.  
+7. On the **Export File Format** page of the wizard, select **Next**.  
+8. On the **File to Export** page in the wizard, type the name and location of the root certificate and select **Next**. Select **Finish** and then select **OK** to close the success dialog box. <br>
 ![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
-9. Click **OK**  two times to return to the **Certificate Manager** for the local computer.  Close the **Certificate Manager**.
+9. Select **OK**  two times to return to the **Certificate Manager** for the local computer.  Close the **Certificate Manager**.
 
 ### Create and Assign a Trust Certificate Device Configuration Profile
 
 A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD-joined devices.
 
-1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
-2. Click **Device configuration**.  In the **Device Configuration** blade, click **Create profile**.
+1. Sign-in to the [Microsoft Azure portal](https://portal.azure.com) and select **Microsoft Intune**.
+2. Select **Device configuration**.  In the **Device Configuration** blade, select **Create profile**.
 ![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png)
-3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**.  Provide a description.  Select **Windows 10 and later** from the **Platform** list.  Select **Trusted certificate** from the **Profile type** list.  Click **Configure**.
-4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate).  Click **OK**.  Click **Create**.
+3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**.  Provide a description.  Select **Windows 10 and later** from the **Platform** list.  Select **Trusted certificate** from the **Profile type** list.  Select **Configure**.
+4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate).  Select **OK**.  Select **Create**.
 ![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png)
-5. In the **Enterprise Root Certificate** blade, click **Assignments**.  In the **Include** tab, select **All Devices** from the **Assign to** list.  Click **Save**.
+5. In the **Enterprise Root Certificate** blade, select **Assignments**.  In the **Include** tab, select **All Devices** from the **Assign to** list.  Select **Save**.
 ![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png)
-6. Sign out of the Microsoft Azure Portal.
+6. Sign out of the Microsoft Azure portal.
 > [!NOTE]
 > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
 
@@ -299,14 +289,14 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices**.
 3. Choose **Enroll devices**.
 4. Select **Windows enrollment**.
 5. Under **Windows enrollment**, select **Windows Hello for Business**.
    ![Create Windows Hello for Business Policy.](images/aadj/MEM.png)
 6. Select **Enabled** from the **Configure Windows Hello for Business** list.
-7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
+7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and doesn't allow fall back to software-based keys.
 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
     > [!IMPORTANT]
     > The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six.  Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN.  If you do not have a desired PIN length, set the minimum PIN length to six.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 875fe62728..1b222da4f8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,31 +1,22 @@
 ---
-title: Using Certificates for AADJ On-premises Single-sign On single sign-on
+title: Use Certificates to enable SSO for Azure AD join devices
 description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Azure AD-join</b>
-- ✅ <b>Hybrid Deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Using Certificates for AADJ On-premises Single-sign On
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-aad.md)]
+
 If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
 
 > [!IMPORTANT]
 > Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
 
-Steps you will perform include:
+Steps you'll perform include:
 
 - [Prepare Azure AD Connect](#prepare-azure-ad-connect)
 - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
@@ -46,7 +37,7 @@ You need to install and configure additional infrastructure to provide Azure AD-
 
 The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority.  Certificate registration servers enroll certificates on behalf of the user.  Users request certificates from the NDES service rather than directly from the issuing certificate authority.
 
-The architecture of the NDES server prevents it from being clustered or load balanced for high availability.  To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
+The architecture of the NDES server prevents it from being clustered or load balanced for high availability.  To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion).
 
 The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates.  The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template.  The certificate request purpose has three options:
 
@@ -74,9 +65,9 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad
 
 1. Open **Synchronization Services** from the **Azure AD Connect** folder.
 
-2. In the **Synchronization Service Manager**, click **Help** and then click **About**.
+2. In the **Synchronization Service Manager**, select **Help** and then select **About**.
 
-3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
+3. If the version number isn't **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
 
 ### Verify the onPremisesDistinguishedName attribute is synchronized
 
@@ -89,7 +80,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
 > [!NOTE]
 > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted.
 
-3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent.
+3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent.
 
 4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory.  Select **Run query**.
 
@@ -106,7 +97,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
 GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
 ```
 
-5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute.  Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute is not synchronized the value will be **null**.
+5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute.  Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
 
 #### Response
 <!-- {
@@ -138,11 +129,11 @@ Sign-in to a domain controller or management workstation with access equivalent
 
 2. Expand the domain node from the navigation pane.
 
-3. Right-click the **Users** container. Hover over **New** and click **Group**.
+3. Right-click the **Users** container. Hover over **New** and select **Group**.
 
 4. Type **NDES Servers** in the **Group Name** text box.
 
-5. Click **OK**.
+5. Select **OK**.
 
 ### Add the NDES server to the NDES Servers global security group
 
@@ -152,26 +143,26 @@ Sign-in to a domain controller or management workstation with access equivalent
 
 2. Expand the domain node from the navigation pane.
 
-3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role.  Click **Add to a group**.
+3. Select **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role.  Select **Add to a group**.
 
-4. Type **NDES Servers** in **Enter the object names to select**.  Click **OK**.  Click **OK** on the **Active Directory Domain Services** success dialog.
+4. Type **NDES Servers** in **Enter the object names to select**.  Select **OK**.  Select **OK** on the **Active Directory Domain Services** success dialog.
 
 > [!NOTE]
 > For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests.  You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
 
 ### Create the NDES Service Account
 
-The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA).  While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration.  The deployment uses a normal services account.
+The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it's preferential to run services using a Group Managed Service Account (GMSA).  While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector wasn't designed nor tested using a GMSA and is considered an unsupported configuration.  The deployment uses a normal services account.
 
 Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
 
 1. In the navigation pane, expand the node that has your domain name.  Select **Users**.
 
-2. Right-click the **Users** container. Hover over **New** and then select **User**.  Type **NDESSvc** in  **Full Name** and **User logon name**. Click **Next**.
+2. Right-click the **Users** container. Hover over **New** and then select **User**.  Type **NDESSvc** in  **Full Name** and **User logon name**. Select **Next**.
 
-3. Type a secure password in **Password**.  Confirm the secure password in **Confirm Password**.  Clear **User must change password at next logon**.  Click **Next**.
+3. Type a secure password in **Password**.  Confirm the secure password in **Confirm Password**.  Clear **User must change password at next logon**.  Select **Next**.
 
-4. Click **Finish**.
+4. Select **Finish**.
 
 > [!IMPORTANT]
 > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk.  Normal service account passwords should expire in accordance with the organizations user password expiration policy.  Create a reminder to change the service account's password two weeks before it will expire.  Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
@@ -188,19 +179,19 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 
 3. Right-click **Group Policy object** and select **New**.
 
-4. Type **NDES Service Rights** in the name box and click **OK**.
+4. Type **NDES Service Rights** in the name box and select **OK**.
 
-5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
+5. In the content pane, right-click the **NDES Service Rights** Group Policy object and select **Edit**.
 
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
 
 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
 
-8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
+8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and select **OK**.  Select **Add User or Group...**.  In the **Add User or Group** dialog box, select **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Select **OK** twice.
 
-9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
+9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and select **OK**.  Select **Add User or Group...**.  In the **Add User or Group** dialog box, select **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Select **OK** twice.
 
-10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** three times.
+10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and select **OK**.  Select **Add User or Group...**.  In the **Add User or Group** dialog box, select **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Select **OK** three times.
 
 11. Close the **Group Policy Management Editor**.
 
@@ -216,11 +207,11 @@ Sign-in to a domain controller or management workstation with access equivalent
 
 3. Double-click the **NDES Service User Rights** Group Policy object.
 
-4. In the **Security Filtering** section of the content pane, click **Add**.  Type **NDES Servers** or the name of the security group you previously created and click **OK**.
+4. In the **Security Filtering** section of the content pane, select **Add**.  Type **NDES Servers** or the name of the security group you previously created and select **OK**.
 
-5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
+5. Select the **Delegation** tab. Select **Authenticated Users** and select **Advanced**.
 
-6. In the **Group or User names** list, select **Authenticated Users**.  In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
+6. In the **Group or User names** list, select **Authenticated Users**.  In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**.
 
 ### Deploy the NDES Service User Rights Group Policy object
 
@@ -230,16 +221,16 @@ Sign-in to a domain controller or management workstation with access equivalent
 
 1. Start the **Group Policy Management Console** (gpmc.msc)
 
-2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
+2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select **Link an existing GPO**
 
-3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
+3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and select **OK**.
 
 > [!IMPORTANT]
 > Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.
 
 ## Prepare Active Directory Certificate Authority
 
-You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role.  In this task, you will
+You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role.  In this task, you'll
 
 - Configure the certificate authority to let Intune provide validity periods
 - Create an NDES-Intune Authentication Certificate template
@@ -271,9 +262,9 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 
 1. Open the **Certificate Authority** management console.
 
-2. Right-click **Certificate Templates** and click **Manage**.
+2. Right-click **Certificate Templates** and select **Manage**.
 
-3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
+3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and select **Duplicate Template**.
 
 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise's needs.
 
@@ -284,15 +275,15 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 
 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
 
-7. On the **Security** tab, click **Add**.
+7. On the **Security** tab, select **Add**.
 
-8. Select **Object Types**, then, in the window that appears, choose **Computers** and click **OK**.
+8. Select **Object Types**, then in the window that appears, choose **Computers** and select **OK**.
 
-9. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
+9. Type **NDES server** in the **Enter the object names to select** text box and select **OK**.
 
-10. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+10. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes aren't already cleared. Select **OK**.
 
-11. Click on the **Apply** to save changes and close the console.
+11. Select on the **Apply** to save changes and close the console.
 
 ### Create an Azure AD joined Windows Hello for Business authentication certificate template
 
@@ -302,7 +293,7 @@ Sign in a certificate authority or management workstations with _Domain Admin eq
 
 1. Open the **Certificate Authority** management console.
 
-2. Right-click **Certificate Templates** and click **Manage**.
+2. Right-click **Certificate Templates** and select **Manage**.
 
 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
 
@@ -321,9 +312,9 @@ Sign in a certificate authority or management workstations with _Domain Admin eq
 
 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list.  Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
 
-10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
+10. On the **Security** tab, select **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and select **OK**.
 
-11. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+11. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared. Select **OK**.
 
 12. Close the console.
 
@@ -340,17 +331,17 @@ Sign in to the certificate authority or management workstations with an _enterpr
 
 2. Expand the parent node from the navigation pane.
 
-3. Click **Certificate Templates** in the navigation pane.
+3. Select **Certificate Templates** in the navigation pane.
 
-4. Right-click the **Certificate Templates** node.  Click **New**, and click **Certificate Template** to issue.
+4. Right-click the **Certificate Templates** node.  Select **New**, and select **Certificate Template** to issue.
 
-5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps.  Click **OK** to publish the selected certificate templates to the certificate authority.
+5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps.  Select **OK** to publish the selected certificate templates to the certificate authority.
 
 6. Close the console.
 
 ## Install and Configure the NDES Role
 
-This section includes the following topics:
+This section includes the following articles:
 
 - Install the Network Device Enrollment Service Role
 - Configure the NDES service account
@@ -364,13 +355,13 @@ This section includes the following topics:
 
 Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority.
 
-Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credential.
 
 1. Open **Server Manager** on the NDES server.
 
-2. Click **Manage**.  Click **Add Roles and Features**.
+2. Select **Manage**.  Select **Add Roles and Features**.
 
-3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**.  Select **Role-based or feature-based installation** on the **Select installation type** page.  Click **Next**.  Click **Select a server from the server pool**.  Select the local server from the **Server Pool** list.  Click **Next**.
+3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, select **Next**.  Select **Role-based or feature-based installation** on the **Select installation type** page.  Select **Next**.  Select **Select a server from the server pool**.  Select the local server from the **Server Pool** list.  Select **Next**.
 
    ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png)
 
@@ -378,21 +369,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 
    ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png)
 
-   Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
+   Select **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Select **Next**.
 
    ![Server Manager Add Features.](images/aadjcert/servermanager-adcs-add-features.png)
 
-5. On the **Features** page, expand **.NET Framework 3.5 Features**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Expand **.NET Framework 4.5 Features**.  Expand **WCF Services**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
+5. On the **Features** page, expand **.NET Framework 3.5 Features**.  Select **HTTP Activation**.  Select **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Expand **.NET Framework 4.5 Features**.  Expand **WCF Services**.  Select **HTTP Activation**.  Select **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Select **Next**.
 
    ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png)
 
-6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**.  Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
+6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**.  Select **Add Features** on the **Add Roles and Features Wizard** dialog box. Select **Next**.
 
    ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
 
-7. Click **Next** on the **Web Server Role (IIS)** page.
+7. Select **Next** on the **Web Server Role (IIS)** page.
 
-8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
+8. On the **Select role services** page for the Web Serve role, Select the following additional services if they aren't already selected and then select **Next**.
 
    - **Web Server > Security > Request Filtering**
    - **Web Server > Application Development > ASP.NET 3.5**.
@@ -402,7 +393,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 
    ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
 
-9. Click **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
+9. Select **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
 
    > [!IMPORTANT]
    > .NET Framework 3.5 is not included in the typical installation.  If the server is connected to the Internet, the installation attempts to get the files using Windows Update.  If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
@@ -421,7 +412,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
 
-3. In the **IIS_IUSRS Properties** dialog box, click **Add**.  Type **NDESSvc** or the name of your NDES service account.  Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
+3. In the **IIS_IUSRS Properties** dialog box, select **Add**.  Type **NDESSvc** or the name of your NDES service account.  Select **Check Names** to verify the name and then select **OK**. Select **OK** to close the properties dialog box.
 
 4. Close the management console.
 
@@ -456,7 +447,7 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 
 1. Open **Active Directory Users and Computers**
 
-2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
+2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Select the **Delegation** tab.
 
    ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
 
@@ -464,21 +455,21 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 
 4. Select **Use any authentication protocol**.
 
-5. Click **Add**.
+5. Select **Add**.
 
-6. Click **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **HOST**.  Click **OK**.
+6. Select **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **HOST**.  Select **OK**.
 
    ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
 
-7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
+7. Repeat steps 5 and 6 for each NDES server using this service account. Select **Add**.
 
-8. Click **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Click **OK**.
+8. Select **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD-joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Select **OK**.
 
 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
 
    ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
 
-10. Click **OK**.  Close **Active Directory Users and Computers**.
+10. Select **OK**.  Close **Active Directory Users and Computers**.
 
 ### Configure the NDES Role and Certificate Templates
 
@@ -486,40 +477,40 @@ This task configures the NDES role and the certificate templates the NDES server
 
 #### Configure the NDES Role
 
-Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credential.
 
 > [!NOTE]
 > If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
 
 ![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
 
-1. Click the **Configure Active Directory Certificate Services on the destination server** link.
+1. Select the **Configure Active Directory Certificate Services on the destination server** link.
 
-2. On the **Credentials** page, click **Next**.
+2. On the **Credentials** page, select **Next**.
 
    ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
 
-3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
+3. On the **Role Services** page, select **Network Device Enrollment Service** and then select **Next**
 
    ![NDES Role Services.](images/aadjcert/ndesconfig02.png)
 
-4. On the **Service Account for NDES** page, select **Specify service account (recommended)**.  Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box.  Click **Next**.
+4. On the **Service Account for NDES** page, select **Specify service account (recommended)**.  Select **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box.  Select **Next**.
 
    ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
 
-5. On the **CA for NDES** page, select **CA name**. Click **Select...**.  Select the issuing certificate authority from which the NDES server requests certificates.  Click **Next**.
+5. On the **CA for NDES** page, select **CA name**. Select **Select...**.  Select the issuing certificate authority from which the NDES server requests certificates.  Select **Next**.
 
    ![NDES CA selection.](images/aadjcert/ndesconfig04.png)
 
-6. On the **RA Information**, click **Next**.
+6. On the **RA Information**, select **Next**.
 
-7. On the **Cryptography for NDES** page, click **Next**.
+7. On the **Cryptography for NDES** page, select **Next**.
 
-8. Review the **Confirmation** page.  Click **Configure**.
+8. Review the **Confirmation** page.  Select **Configure**.
 
    ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
 
-9. Click **Close** after the configuration completes.
+9. Select **Close** after the configuration completes.
 
 #### Configure Certificate Templates on NDES
 
@@ -545,7 +536,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 
 1. Open an elevated command prompt.
 
-2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
+2. Using the table above, decide which registry value name you'll use to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
 
 3. Type the following command:
 
@@ -580,13 +571,13 @@ Connector group automatically round-robin, load balance the Azure AD Application
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
 
-3. Under **MANAGE**, click **Application proxy**.
+3. Under **MANAGE**, select **Application proxy**.
 
-4. Click **Download connector service**.  Click **Accept terms & Download**.  Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
+4. Select **Download connector service**.  Select **Accept terms & Download**.  Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
 
    ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
 
@@ -597,7 +588,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
 
-7. Read the license terms and then select **I agree to the license terms and conditions**.  Click **Install**.
+7. Read the license terms and then select **I agree to the license terms and conditions**.  Select **Install**.
 
    ![Azure Application Proxy Connector: license terms](images/aadjcert/azureappproxyconnectorinstall-01.png)
 
@@ -605,7 +596,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
    ![Azure Application Proxy Connector: sign-in](images/aadjcert/azureappproxyconnectorinstall-02.png)
 
-9. When the installation completes. Read the information regarding outbound proxy servers.  Click **Close**.
+9. When the installation completes. Read the information regarding outbound proxy servers.  Select **Close**.
 
    ![Azure Application Proxy Connector: read](images/aadjcert/azureappproxyconnectorinstall-03.png)
 
@@ -615,39 +606,39 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
 
-3. Under **MANAGE**, click **Application proxy**.
+3. Under **MANAGE**, select **Application proxy**.
 
    ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
 
-4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
+4. Select **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
 
    ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
 
 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
 
-6. Click **Save**.
+6. Select **Save**.
 
 #### Create the Azure Application Proxy
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
 
-3. Under **MANAGE**, click **Application proxy**.
+3. Under **MANAGE**, select **Application proxy**.
 
-4. Click **Configure an app**.
+4. Select **Configure an app**.
 
-5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
+5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers can't share the same internal URL.
 
 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, ```https://ndes.corp.mstepdemo.net```.  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
 
-7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
+7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It's recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
 
    ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
 
@@ -657,9 +648,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**.  Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
 
-11. Click **Add**.
+11. Select **Add**.
 
-12. Sign-out of the Azure Portal.
+12. Sign-out of the Azure portal.
 
     > [!IMPORTANT]
     > Write down the internal and external URLs.  You will need this information when you enroll the NDES-Intune Authentication certificate.
@@ -676,21 +667,21 @@ Sign-in the NDES server with access equivalent to _local administrators_.
 
 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
 
-4. Click **Next** on the **Before You Begin** page.
+4. Select **Next** on the **Before You Begin** page.
 
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
+5. Select **Next** on the **Select Certificate Enrollment Policy** page.
 
 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
 
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
+7. Select the **More information is required to enroll for this certificate. Click here to configure settings** link
 
    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
 
-8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
+8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then select **Add**.
 
-9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**).  Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
+9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**).  Select **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Select **Add**. Select **OK** when finished.
 
-10. Click **Enroll**
+10. Select **Enroll**
 
 11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
 
@@ -706,7 +697,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
    ![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
 
-3. Click **Bindings...** under **Actions**.  Click **Add**.
+3. Select **Bindings...** under **Actions**.  Select **Add**.
 
    ![NDES IIS Console: Add](images/aadjcert/ndes-iis-bindings.png)
 
@@ -716,9 +707,9 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
    ![NDES IIS Console: Certificate List](images/aadjcert/ndes-iis-bindings-add-443.png)
 
-6. Select **http** from the **Site Bindings** list.  Click **Remove**.
+6. Select **http** from the **Site Bindings** list.  Select **Remove**.
 
-7. Click **Close** on the **Site Bindings** dialog box.
+7. Select **Close** on the **Site Bindings** dialog box.
 
 8. Close **Internet Information Services (IIS) Manager**.
 
@@ -730,11 +721,11 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 #### Disable Internet Explorer Enhanced Security Configuration
 
-1. Open **Server Manager**. Click **Local Server** from the navigation pane.
+1. Open **Server Manager**. Select **Local Server** from the navigation pane.
 
-2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
+2. Select **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
 
-3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**.  Click **OK**.
+3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**.  Select **OK**.
 
 4. Close **Server Manager**.
 
@@ -750,7 +741,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
    where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
 
-A web page similar to the following should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentService** source.
+A web page similar to the following should appear in your web browser.  If you don't see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the Application event log for events with the **NetworkDeviceEnrollmentService** source.
 
 ![NDES IIS Console: Source](images/aadjcert/ndes-https-website-test-01.png)
 
@@ -760,7 +751,7 @@ Confirm the web site uses the server authentication certificate.
 
 ## Configure Network Device Enrollment Services to work with Microsoft Intune
 
-You have successfully configured the Network Device Enrollment Services.  You must now modify the configuration to work with the Intune Certificate Connector.  In this task, you will enable the NDES server and http.sys to handle long URLs.
+You have successfully configured the Network Device Enrollment Services.  You must now modify the configuration to work with the Intune Certificate Connector.  In this task, you'll enable the NDES server and http.sys to handle long URLs.
 
 - Configure NDES to support long URLs
 
@@ -774,7 +765,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
 
-3. In the content pane, double-click **Request Filtering**.  Click **Edit Feature Settings...** in the action pane.
+3. In the content pane, double-click **Request Filtering**.  Select **Edit Feature Settings...** in the action pane.
 
    ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png)
 
@@ -790,7 +781,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 9. Type **65534** in **Maximum query string (Bytes)**.
 
-10. Click **OK**.  Close **Internet Information Services (IIS) Manager**.
+10. Select **OK**.  Close **Internet Information Services (IIS) Manager**.
 
 #### Configure Parameters for HTTP.SYS
 
@@ -833,11 +824,11 @@ Optionally (not required), you can configure the Intune connector for certificat
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+1. Sign-in to the [Azure portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 
-2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
+2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, select **Azure Active Directory**.
 
-3. Click **Groups**.  Click **New group**.
+3. Select **Groups**.  Select **New group**.
 
 4. Select **Security** from the **Group type** list.
 
@@ -849,17 +840,17 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
    ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
 
-8. Click **Members**.  Use the  **Select members** pane to add members to this group. When finished, click **Select**.
+8. Select **Members**.  Use the  **Select members** pane to add members to this group. When finished, select **Select**.
 
-9. Click **Create**.
+9. Select **Create**.
 
 ### Create a SCEP Certificate Profile
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
-2. Select **Devices**, and then click **Configuration Profiles**.
+2. Select **Devices**, and then select **Configuration Profiles**.
 
 3. Select **Create Profile**.
 
@@ -894,37 +885,37 @@ Sign-in a workstation with access equivalent to a _domain user_.
 
 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
 
-15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Select **Add**.
 
 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
 
     ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
 
-17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, ```https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll```. Select **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
 
-18. Click **Next**.
+18. Select **Next**.
 
-19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
+19. Select **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and select **Create**.
 
 ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
 
 Sign-in a workstation with access equivalent to a _domain user_.
 
-1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+1. Sign-in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
-2. Select **Devices**, and then click **Configuration Profiles**.
+2. Select **Devices**, and then select **Configuration Profiles**.
 
-3. Click **WHFB Certificate Enrollment**.
+3. Select **WHFB Certificate Enrollment**.
 
-4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
+4. Select **Properties**, and then select **Edit** next to the **Assignments** section.
 
-5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list.  Click **Select groups to include**.
+5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list.  Select **Select groups to include**.
 
    ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png)
 
-6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
+6. Select the **AADJ WHFB Certificate Users** group. Select **Select**.
 
-7. Click **Review + Save**, and then **Save**.
+7. Select **Review + Save**, and then **Save**.
 
 You have successfully completed the configuration.  Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group.  This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index 0842bb52e6..1acc6aa213 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,21 +1,15 @@
 ---
 title: Azure AD Join Single Sign-on Deployment
 description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Azure AD Join Single Sign-on Deployment
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-keycert-trust-aad.md)]
+
 Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential.  Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources.  With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate.
 
 ## Key vs. Certificate
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 1dbae77cc3..234f257566 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -1,23 +1,15 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
 description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Hybrid Azure AD joined Windows Hello for Business Certificate Trust New Installation
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure.  Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies
 
 - [Active Directory](#active-directory)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index b35fa21dac..997dbea6e9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -1,23 +1,15 @@
 ---
 title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
 description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
+
 Your environment is federated and you're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication.  
 
 > [!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index b6d189d7c1..56e0d50918 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,23 +1,15 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
 description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Hybrid Azure AD joined Windows Hello for Business Prerequisites
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
 
 The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure.  High-level pieces of the infrastructure include:
@@ -35,8 +27,8 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
 
 A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription.  Different deployment configurations are supported by different Azure subscriptions.  The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature.  Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription.
 
-Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers.  Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory or later schema.
- 
+Windows Hello for Business can be deployed in any environment with Windows Server 2012 or later domain controllers.  Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory or later schema.
+
 Review these requirements and those from the Windows Hello for Business planning guide and worksheet.  Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
 
 ### Section Review ###
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index 72086e9d13..caf8cfe867 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,38 +1,30 @@
 ---
 title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
 description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 09/08/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Hybrid Azure AD joined Certificate Trust Deployment
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
 
 It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide.  The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.  You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
 
-This deployment guide provides guidance for new deployments and customers who are already federated with Office 365.  These two scenarios provide a baseline from which you can begin your deployment.
+This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD.  These two scenarios provide a baseline from which you can begin your deployment.
 
 ## New Deployment Baseline
 
-The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments.  This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
+The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments.  This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
 
 This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
 
 ## Federated Baseline
 
-The federated baseline helps organizations that have completed their federation with Azure Active Directory and Office 365 and enables them to introduce Windows Hello for Business into their hybrid environment.  This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
+The federated baseline helps organizations that have completed their federation with Azure Active Directory and enables them to introduce Windows Hello for Business into their hybrid environment.  This baseline exclusively focuses on the procedures needed to add Azure Device Registration and Windows Hello for Business to an existing hybrid deployment.
 
 Regardless of the baseline you choose, your next step is to familiarize yourself with the prerequisites needed for the deployment.  Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 6721675b09..fa4284edd5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,23 +1,15 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
 description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 ## Provisioning
 
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop.  Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index 230a694361..748cc46a44 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -1,23 +1,15 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
 description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. 
 
 ### Creating Security Groups
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 03989ad22c..83988357c9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -1,23 +1,15 @@
 ---
-title:  Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
+title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
 description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 ## Federation Services
 
 The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 7e29ef7f6a..5002843385 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -1,24 +1,16 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
 description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 ## Directory Synchronization
 
 In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure.  Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index e604fc736f..98725d74b3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -1,24 +1,16 @@
 ---
 title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
 description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
 
 All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 2708e9a22c..ad8ff6984f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -1,23 +1,14 @@
 ---
 title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
 description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust-ad.md)]
 
 ## Policy Configuration
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index c0ba9ce415..360f679614 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,23 +1,15 @@
 ---
 title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
 description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Certificate trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cert-trust.md)]
+
 Your environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model.  
 > [!IMPORTANT]
 > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.  
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
index c208471c8b..d8063e6127 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
@@ -1,91 +1,92 @@
 ---
-title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business)
+title: Hybrid cloud Kerberos trust deployment (Windows Hello for Business)
 description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
+ms.date: 11/1/2022
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10, version 21H2 and later</a>
 ms.topic: article
-localizationpriority: medium
-ms.date: 2/15/2022
-appliesto:
-- ✅ <b>Windows 10, version 21H2 and later</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Cloud Kerberos trust</b>
 ---
-# Hybrid Cloud Kerberos Trust Deployment
+# Hybrid cloud Kerberos trust deployment
 
-Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-cloudkerb-trust.md)]
 
-## Introduction to Cloud Kerberos Trust
+Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario.
 
-The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls.
+## Introduction to cloud Kerberos trust
 
-Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
+The goal of **Windows Hello for Business cloud Kerberos trust** is to bring the simplified deployment experience of [*passwordless security key sign-in*][AZ-1] to Windows Hello for Business, and it can be used for new or existing Windows Hello for Business deployments.
 
-- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI
-- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate
-- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup
+*Windows Hello for Business cloud Kerberos trust* uses **Azure AD Kerberos**, which enables a simpler deployment when compared to the *key trust model*:
+
+- No need to deploy a public key infrastructure (PKI) or to change an existing PKI
+- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. This means that there isn't delay between the user's WHFB provisioning and being able to authenticate to Active Directory
+- [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup
 
 > [!NOTE]
-> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
+> Windows Hello for Business cloud Kerberos trust is the recommended deployment model when compared to the *key trust model*. It is also the preferred deployment model if you do not need to support certificate authentication scenarios.
 
-## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication
+## Azure AD Kerberos and cloud Kerberos trust authentication
 
-Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
+*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\
+For *Azure AD joined devices* to have single sign-on (SSO) to on-premises resources protected by Active Directory, they must trust and validate the DC certificates. For this to happen, a certificate revocation list (CRL) must be published to an endpoint accessible by the Azure AD joined devices.
 
-With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs.
+*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require any of the above PKI to request TGTs.
 
-When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object.
+With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers.
 
-More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
+When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object:
 
-If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
+- Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers
+- Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object
+
+:::image type="content" source="images/azuread-kerberos-object.png" alt-text="Active Directory Users and Computers console, showing the computer object representing the Azure AD Kerberos server ":::
+
+For more information about how Azure AD Kerberos enables access to on-premises resources, see [enabling passwordless security key sign-in to on-premises resources][AZ-1].\
+For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust).
+
+> [!IMPORTANT]
+> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1].
 
 ## Prerequisites
 
 | Requirement | Notes |
 | --- | --- |
 | Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
-| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
-| Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. |
+| Windows 10, version 21H2 or Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
+| Windows Server 2016 or later Domain Controllers | If you're using Windows Server 2016, [KB3534307][SUP-1] must be installed. If you're using Server 2019, [KB4534321][SUP-2] must be installed. |
 | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
 | Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
 
-### Unsupported Scenarios
+### Unsupported scenarios
 
 The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust:
 
 - On-premises only deployments
 - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container)
-- Scenarios that require a certificate for authentication
 - Using cloud Kerberos trust for "Run as"
 - Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
 
 > [!NOTE]
 > The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
-> 
-> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\<domain-DN\>).
+>
+> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>`.
 
-## Deployment Instructions
+## Deployment steps
 
-Deploying Windows Hello for Business cloud Kerberos trust consists of two steps:
+Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps:
 
-1. Set up Azure AD Kerberos in your hybrid environment.
-1. Configure Windows Hello for Business policy and deploy it to devices.
+1. Set up *Azure AD Kerberos*
+1. Configure a Windows Hello for Business policy and deploy it to the devices
 
 ### Deploy Azure AD Kerberos
 
 If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section.
 
-If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module) documentation. This page includes information on how to install and use the Azure AD Kerberos Powershell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
+If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust.
 
-### Configure Windows Hello for Business Policy
+### Configure Windows Hello for Business policy
 
-After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
+After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
 
 #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
 
@@ -93,29 +94,15 @@ Windows Hello for Business can be enabled using device enrollment or device conf
 
 The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
 
-### Create a user Group that will be targeted for Windows Hello for Business
-
-If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step.
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/)
-1. Browse to **Groups** and select **New group**
-1. Configure the following group settings:
-    1. Group type: **Security**
-    1. Group name: *WHFB cloud Kerberos trust users* or a group name of your choosing
-    1. Membership type: **Assigned**
-1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust
-
-You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center
-
 ### Enable Windows Hello for Business
 
-If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
+If you already enabled Windows Hello for Business, you can skip to **configure the cloud Kerberos trust policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
 
-You can also follow these steps to create a device configuration policy instead of a device enrollment policy:
+You can also follow these steps to create a device configuration policy instead of using the device enrollment policy:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
-1. Browse to Devices > Windows > Configuration Profiles > Create profile.
-1. For Platform, select Windows 10 and later.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
+1. For Platform, select **Windows 10 and later**.
 1. For Profile Type, select **Templates** and select the **Identity Protection** Template.
 1. Name the profile with a familiar name. For example, "Windows Hello for Business".
 1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**.
@@ -123,42 +110,30 @@ You can also follow these steps to create a device configuration policy instead
 
     [![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox)
 
-1. Select Next to move to **Assignments**.
-1. Under Included groups, select **Add groups**.
-1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
-1. Select Next to move to the Applicability Rules.
-1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
 
 Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
 
-### Configure Cloud Kerberos Trust policy
+### Configure cloud Kerberos trust policy
 
-To configure the cloud Kerberos trust policy, follow the steps below:
+To configure the *cloud Kerberos trust* policy, follow the steps below:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
-1. Browse to Devices > Windows > Configuration Profiles > Create profile.
-1. For Platform, select Windows 10 and later.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**.
 1. For Profile Type, select **Templates** and select the **Custom** Template.
 1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
 1. In Configuration Settings, add a new configuration with the following settings:
-    
+
     | Setting |
     |--------|
     | <ul><li>Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name</li><li>Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*</li><li>OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\<tenant ID>*`/Policies/UseCloudTrustForOnPremAuth`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li></ul>|
-    
-    >[!IMPORTANT]
-    >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
-    
-    [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox)
-    
-1. Select Next to navigate to **Assignments**.
-1. Under Included groups, select **Add groups**.
-1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
-1. Select Next to move to the Applicability Rules.
-1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
 
-> [!Important]
-> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
+    >[!IMPORTANT]
+    >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID.
+
+    [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox)
+
+Assign the policy to a security group that contains as members the devices or users that you want to configure.
 
 #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
 
@@ -171,98 +146,95 @@ You can configure the Enable Windows Hello for Business Group Policy setting for
 cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration.
 
 > [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP][WIN-1]. For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources).
 
-#### Update Group Policy Objects
+#### Update administrative templates
 
-You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
+You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files.
 
-You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
+You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1].
 
-#### Create the Windows Hello for Business Group Policy object
+#### Create the Windows Hello for Business group policy object
 
-Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
+You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO).
 
-1. Start the **Group Policy Management Console** (gpmc.msc).
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-1. Right-click **Group Policy object** and select **New**.
-1. Type *Enable Windows Hello for Business* in the name box and click **OK**.
-1. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-1. In the navigation pane, expand **Policies** under **Device Configuration**.
-1. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-1. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
-1. In the content pane, double-click **Use cloud Kerberos trust for on-premises authentication**. Click **Enable** and click **OK**.
-1. *Optional but recommended*: In the content pane, double-click **Use a hardware security device**. Click **Enable** and click **OK**.
-
-This group policy should be targeted at the computer group that you've created for that you want to use Windows Hello for Business.
-
-> [!Important]
-> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
+1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory
+1. Edit the Group Policy object from Step 1
+1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**
+1. Select **Use Windows Hello for Business** > **Enable** > **OK**
+1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**
+1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK**
 
 ---
 
-## Provisioning
+> [!IMPORTANT]
+> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*.
 
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud Kerberos trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
+## Provision Windows Hello for Business
 
-You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console.  
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy.
 
-  ![cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
+You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\
+This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4].
 
-The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust is not being enforced by policy or if the device is Azure AD joined.
+  ![Cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png)
 
-This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in.
+The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined.
+
+> [!NOTE]
+> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.
 
 ### PIN Setup
 
-When Windows Hello for Business provisioning begins, the user will see a full screen page with the title **Setup a PIN** and button with the same name.  The user clicks **Setup a PIN**.
+This is the process that occurs after a user signs in, to enroll in Windows Hello for Business:
 
-![Setup a PIN Provisioning.](images/setupapin.png)
+1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**
+1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment.  Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry
+1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device
 
-The provisioning flow proceeds to the multi-factor authentication portion of the enrollment.  Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA.  The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-  
-![MFA prompt during provisioning.](images/mfa.png)
-
-After a successful MFA, the provisioning flow asks the user to create and validate a PIN.  This PIN must observe any PIN complexity requirements that you deployed to the environment.
-
-![Create a PIN during provisioning.](images/createPin.png)
+:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business.":::
 
 ### Sign-in
 
-Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
+Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity.
 
 ## Migrate from key trust deployment model to cloud Kerberos trust
 
-If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps:
+If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps:
 
 1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
-1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails
+1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business
+
+> [!NOTE]
+> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+>
+> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails.
 
 ## Migrate from certificate trust deployment model to cloud Kerberos trust
 
 > [!IMPORTANT]
-> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment.
+> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust.
 
-If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps:
+If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps:
 
 1. Disable the certificate trust policy
 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
 1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
-1. Reboot or sign out and sign back in
-1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint)
+1. Sign out and sign back in
+1. Provision Windows Hello for Business using a method of your choice
 
 > [!NOTE]
-> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC.
+> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
 
 ## Troubleshooting
 
-If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:
+If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the *Windows Feedback Hub* app by following these steps:
 
-1. Open **Feedback Hub**, and make sure that you're signed in.
+1. Open **Feedback Hub**, and make sure that you're signed in
 1. Submit feedback by selecting the following categories:
-    - Category: Security and Privacy
-    - Subcategory: Windows Hello PIN
+  - Category: Security and Privacy
+  - Subcategory: Windows Hello PIN
 
 ## Frequently Asked Questions
 
@@ -270,20 +242,37 @@ If you encounter issues or want to share feedback about Windows Hello for Busine
 
 This feature doesn't work in a pure on-premises AD domain services environment.
 
-### Does Windows Hello for Business cloud Kerberos trust work in a Windows login with RODC present in the hybrid environment?
+### Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment?
 
 Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work.
 
 ### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
 
-Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
-- The first sign-in or unlock with Windows Hello for Business after provisioning
-- When attempting to access an on-premises resource from a Hybrid Azure AD joined device
+Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
+
+- a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning. 
+- attempting to access on-premises resources secured by Active Directory. 
 
 ### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
 
-Windows Hello for Business cloud Kerberos trust cannot be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard](/windows/security/identity-protection/remote-credential-guard) or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
+Windows Hello for Business cloud Kerberos trust can't be used as a supplied credential with RDP/VDI. Similar to key trust, cloud Kerberos trust can be used for RDP with [remote credential guard][WIN-2] or if a [certificate is enrolled into Windows Hello for Business](hello-deployment-rdp-certs.md) for this purpose.
 
 ### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud Kerberos trust?
 
 No, only the number necessary to handle the load from all cloud Kerberos trust devices.
+
+---
+
+[AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
+[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
+[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
+[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
+
+[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services
+[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store
+
+[MEM-1]: /mem/intune/protect/identity-protection-windows-settings
+[WIN-1]: /windows/client-management/mdm/passportforwork-csp
+[WIN-2]: /windows/security/identity-protection/remote-credential-guard
+[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e
+[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 98599d9132..32f0d91fc6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,23 +1,15 @@
 ---
 title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
 description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure.  Hybrid key trust deployments of Windows Hello for Business rely on these technologies
 
 - [Active Directory](#active-directory)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 49cd5d3b42..e6d1d3275c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -1,23 +1,15 @@
 ---
 title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
 description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 05/04/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
 
 > [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index d3e68887fd..18df532ca9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -1,23 +1,15 @@
 ---
 title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
 description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
 
 ## Deploy Azure AD Connect
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index b732396e36..17e3fe7e61 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,23 +1,16 @@
 ---
 title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
 description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites
 
-Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
+Hybrid environments are distributed systems that enable organizations to use on-premises and Azure AD-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources.
 
 The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure.  High-level pieces of the infrastructure include:
 
@@ -32,7 +25,7 @@ The distributed systems on which these technologies were built involved several
 
 Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory.  The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.  
 
-A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription.  The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
+A hybrid Windows Hello for Business deployment requires Azure Active Directory. The hybrid key trust deployment does not need a premium Azure Active Directory subscription.
 
 You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.  
 If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.  
@@ -112,7 +105,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
 
 Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords.  The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
 
-Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
+Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS, which includes an adapter model that enables third parties to integrate their MFA into AD FS.
 
 ### Section Review
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 7a7e3f3eed..9ab687ded9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,32 +1,24 @@
 ---
 title: Hybrid Key Trust Deployment (Windows Hello for Business)
 description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/20/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Hybrid Azure AD joined Key Trust Deployment
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
 
 It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide.  The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions.  You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
 
-This deployment guide provides guidance for new deployments and customers who are already federated with Office 365.  These two scenarios provide a baseline from which you can begin your deployment.
+This deployment guide provides guidance for new deployments and customers who are already federated with Azure AD.  These two scenarios provide a baseline from which you can begin your deployment.
 
 ## New Deployment Baseline ##
 
-The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments.  This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
+The new deployment baseline helps organizations who are moving to Azure AD to include Windows Hello for Business as part of their deployments.  This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment.
 
 This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 4b009fe228..b5c704fb93 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,22 +1,15 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
 description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Hybrid Azure AD joined Windows Hello for Business Key Trust Provisioning
+
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 ## Provisioning
 
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop.  Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index 49124b1ddf..cb30af909d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -1,23 +1,14 @@
 ---
 title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
 description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configuring Hybrid Azure AD joined key trust Windows Hello for Business: Active Directory
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
 
 Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. 
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 1092173f9c..f19aab257d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -1,26 +1,18 @@
 ---
 title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
 description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 ## Directory Synchronization
 
-In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure.  Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.  
+In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure AD. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.  
 
 ### Group Memberships for the Azure AD Connect Service Account
 >[!IMPORTANT]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 8a9e8ee322..a824e822fe 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -1,23 +1,15 @@
 ---
 title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
 description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 04/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
 
 All deployments use enterprise issued certificates for domain controllers as a root of trust.
@@ -84,7 +76,7 @@ The certificate template is configured to supersede all the certificate template
 
 The certificate authority may only issue certificates for certificate templates that are published to that certificate authority.  If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
 
-Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials.
+Sign-in to the certificate authority or management workstations with _enterprise administrator_ equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
 2. Expand the parent node from the navigation pane.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 4522c3b93d..333f505d95 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -1,23 +1,15 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
 description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust-ad.md)]
+
 ## Policy Configuration
 
 You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
@@ -27,7 +19,7 @@ Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 C
 
 Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.  
 
-Hybrid Azure AD-joined devices needs one Group Policy setting:
+Hybrid Azure AD-joined devices need one Group Policy setting:
 * Enable Windows Hello for Business
 
 ### Configure Domain Controllers for Automatic Certificate Enrollment
@@ -123,13 +115,13 @@ The default configuration for Windows Hello for Business is to prefer hardware p
 
 You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials.  Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
 
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
 
 #### Use biometrics
 
 Windows Hello for Business provides a great user experience when combined with the use of biometrics.  Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.  
 
-The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers.  The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
+The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers.  The policy setting disabled all biometrics. Currently, Windows doesn't provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition but disallowing fingerprint recognition.
 
 ### PIN Complexity
 
@@ -150,7 +142,7 @@ Windows provides eight PIN Complexity Group Policy settings that give you granul
 
 ## Add users to the Windows Hello for Business Users group
 
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision  Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group.   Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision  Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group.   Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
 
 ### Section Review
 > [!div class="checklist"]
@@ -174,4 +166,4 @@ Users must receive the Windows Hello for Business group policy settings and have
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 6. Configure Windows Hello for Business policy settings (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index ea0439b451..5e24b6de2c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,25 +1,17 @@
 ---
 title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
 description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 4/30/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Hybrid deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Hybrid Azure AD joined Windows Hello for Business key trust settings
 
+[!INCLUDE [hello-hybrid-key-trust](../../includes/hello-hybrid-key-trust.md)]
+
 You are ready to configure your hybrid Azure AD joined key trust environment for Windows Hello for Business.
-  
+
 > [!IMPORTANT]
 > Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment.  
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 0ae2e88df1..37b6335a50 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,17 +1,13 @@
 ---
 title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
-ms.topic: article
-localizationpriority: medium
 ms.date: 2/15/2022
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Windows Hello for Business Deployment Prerequisite Overview
@@ -20,7 +16,6 @@ This article lists the infrastructure requirements for the different deployment
 
 ## Azure AD Cloud Only Deployment
 
-* Windows 10, version 1511 or later, or Windows 11
 * Microsoft Azure Account
 * Azure Active Directory
 * Azure AD Multifactor Authentication
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 8761b3eaf6..4a8dc18965 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,36 +1,28 @@
 ---
 title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business)
 description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
 
-Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update.  The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
+Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
 
 The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
 
 If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
 
-If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update.  If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment.  If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
+If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
 
 Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. 
 
-A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
+A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
 
-Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers.  Ensure the update listed below is applied to each server before continuing.    
+Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. 
 
 ## Update Windows Server 2016
 
@@ -43,19 +35,19 @@ Sign-in the federation server with _local admin_ equivalent credentials.
 
 ## Enroll for a TLS Server Authentication Certificate
 
-Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration.  Typically, a federation service is an edge facing role.  However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.  
+Key trust Windows Hello for Business on-premises deployments need a federation server for device registration and key registration. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. 
 
-The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority.  The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
+The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
 * Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
 * Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
 
-You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**.  The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
+You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
 
-You can, however, issue one certificate for all hosts in the farm.  If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request.  All names should include the FQDN of each host in the farm and the federation service name.  
+You can, however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request. All names should include the FQDN of each host in the farm and the federation service name. 
 
 When creating a wildcard certificate, it is recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm. 
 
-Be sure to enroll or import the certificate into the AD FS server’s computer certificate store.  Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
+Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
 
 ### Internal Server Authentication Certificate Enrollment
 
@@ -68,7 +60,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
 6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link   
     ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png)
-8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.  Under **Alternative name**, select **DNS** from the **Type** list.  Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role.  Click **Add**. Click **OK** when finished.
+8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
 9. Click **Enroll**.
 
 A server authentication certificate should appear in the computer’s Personal certificate store.
@@ -80,17 +72,17 @@ The Active Directory Federation Service (AD FS) role provides the following serv
 * Key registration 
 
 >[!IMPORTANT]
-> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm.  Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. 
+> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm. 
 
-Windows Hello for Business depends on proper device registration.  For on-premises key trust deployments, Windows Server 2016 AD FS handles device and key registration.
+Windows Hello for Business depends on proper device registration. For on-premises key trust deployments, Windows Server 2016 AD FS handles device and key registration.
 
 Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
-1. Start **Server Manager**.  Click **Local Server** in the navigation pane.
+1. Start **Server Manager**. Click **Local Server** in the navigation pane.
 2. Click **Manage** and then click **Add Roles and Features**.
 3. Click **Next** on the **Before you begin** page.
 4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
-5. On the **Select destination server** page, choose **Select a server from the server pool**.  Select the federation server from the **Server Pool** list.  Click **Next**.
-6. On the **Select server roles** page, select **Active Directory Federation Services**.  Click **Next**.
+5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
+6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**.
 7. Click **Next** on the **Select features** page.
 8. Click **Next** on the **Active Directory Federation Service** page.
 9. Click **Install** to start the role installation.
@@ -107,16 +99,16 @@ Before you continue with the deployment, validate your deployment progress by re
 
 ## Device Registration Service Account Prerequisite
 
-The service account used for the device registration server depends on the domain controllers in the environment.  
+The service account used for the device registration server depends on the domain controllers in the environment.
 
 >[!NOTE]
->Follow the procedures below based on the domain controllers deployed in your environment.  If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
+>Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
 
 ### Windows Server 2012 or later Domain Controllers
 
-Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them.  Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management.  This means the password is long, complex, and changes periodically.  The best part of GMSA is all this happens automatically.  AD FS supports GMSA and should be configured using them for additional defense in depth security.
+Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA, have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security.
 
-GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers.  Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA.  Before you can create a GSMA, you must first create a root key for the service.  You can skip this if your environment already uses GSMA.
+GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
 
 #### Create KDS Root Key
 
@@ -126,14 +118,14 @@ Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
 
 ### Windows Server 2008 or 2008 R2 Domain Controllers
 
-Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts.  Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis.
+Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use or create a normal user account as a service account where you are responsible for changing the password on a regular basis.
 
 #### Create an AD FS Service Account
 
 Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
 1. Open **Active Directory Users and Computers**.
 2. Right-click the **Users** container, Click **New**. Click **User**.
-3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box.  Type **adfssvc** in the **User logon name** text box.  Click **Next**.
+3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
 4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box.
 5. Click **Next** and then click **Finish**.
 
@@ -144,19 +136,19 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 
 ### Windows Server 2016, 2012 R2 or later Domain Controllers
 
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**.  If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
 
 Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
 1. Start **Server Manager**.
-2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.   
+2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. 
    ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
 
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
-5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list.  The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
+5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
 6. Select the federation service name from the **Federation Service Name** list.
-7. Type the Federation Service Display Name in the text box.  This is the name users see when signing in.  Click **Next**.
-8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**.  In the **Account Name** box, type **adfssvc**.
+7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
+8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**.
 9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
 10. On the **Review Options** page, click **Next**.
 11. On the **Pre-requisite Checks** page, click **Configure**.
@@ -164,11 +156,11 @@ Sign-in the federation server with _Domain Admin_ equivalent credentials. These
 
 ### Windows Server 2008 or 2008 R2 Domain Controllers
 
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**.  If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section.
 
-Sign-in the federation server with _Domain Admin_ equivalent credentials.  These instructions assume you are configuring the first federation server in a federation server farm.
+Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
 1. Start **Server Manager**.
-2. Click the notification flag in the upper right corner.  Click **Configure federation services on this server**.   
+2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
     ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
 
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
@@ -176,7 +168,7 @@ Sign-in the federation server with _Domain Admin_ equivalent credentials.  These
 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
 6. Select the federation service name from the **Federation Service Name** list.
 7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
-8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**.   
+8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. 
     * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**.
 9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
 10. On the **Review Options** page, click **Next**.
@@ -194,7 +186,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 2. Click the **Users** container in the navigation pane.
 3. Right-click **KeyAdmins** in the details pane and click **Properties**.
 4. Click the **Members** tab and click **Add…**
-5. In the **Enter the object names to select** text box, type **adfssvc**.  Click **OK**.
+5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
 6. Click **OK** to return to **Active Directory Users and Computers**.
 7. Change to server hosting the AD FS role and restart it.
 
@@ -231,11 +223,11 @@ Before you continue with the deployment, validate your deployment progress by re
 
 ## Additional Federation Servers
 
-Organizations should deploy more than one federation server in their federation farm for high-availability.  You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more.  This largely depends on the number of devices and users using the services provided by the AD FS farm. 
+Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. 
 
 ### Server Authentication Certificate
 
-Each server you add to the AD FS farm must have a proper server authentication certificate.  Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate.  As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
+Each server you add to the AD FS farm must have a proper server authentication certificate. Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities.
 
 ### Install Additional Servers
 
@@ -243,16 +235,16 @@ Adding federation servers to the existing AD FS farm begins with ensuring the se
 
 ## Load Balance AD FS Federation Servers
 
-Many environments load balance using hardware devices.  Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm.  Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
+Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced.
 
 ### Install Network Load Balancing Feature on AD FS Servers
 
 Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
-1. Start **Server Manager**.  Click **Local Server** in the navigation pane.
+1. Start **Server Manager**. Click **Local Server** in the navigation pane.
 2. Click **Manage** and then click **Add Roles and Features**.
 3. Click **Next** On the **Before you begin** page.
 4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
-5. On the **Select destination server** page, choose **Select a server from the server pool**.  Select the federation server from the **Server Pool** list.  Click **Next**.
+5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
 6. On the **Select server roles** page, click **Next**.
 7. Select **Network Load Balancing** on the **Select features** page.
 8. Click **Install** to start the feature installation   
@@ -260,33 +252,33 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 
 ### Configure Network Load Balancing for AD FS
 
-Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster.  Once you have created the cluster, then you can add new nodes to that cluster.
+Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster.
 
 Sign-in a node of the federation farm with _Admin_ equivalent credentials.
-1. Open **Network Load Balancing Manager** from **Administrative Tools**.   
+1. Open **Network Load Balancing Manager** from **Administrative Tools**. 
     ![NLB Manager user interface.](images/hello-nlb-manager.png)
 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
-3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.   
+3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. 
     ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png)
 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
-6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.   
+6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. 
     ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png)
-7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.   
+7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. 
     ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png)
 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
-9. In Port Rules, click Edit to modify the default port rules to use port 443.   
+9. In Port Rules, click Edit to modify the default port rules to use port 443. 
     ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png)
 
 ### Additional AD FS Servers
 
 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
-2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.   
+2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. 
     ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png)
 
 ## Configure DNS for Device Registration
 
-Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials.  You’ll need the Federation service name to complete this task.  You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
 1. Open the **DNS Management** console.
 2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
@@ -302,7 +294,7 @@ Sign-in the domain controller or administrative workstation with domain administ
 
 ## Configure the Intranet Zone to include the federation service
 
-The Windows Hello provisioning presents web pages from the federation service.  Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication.  Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. 
+The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. 
 
 ### Create an Intranet Zone Group Policy
 
@@ -315,7 +307,7 @@ Sign-in the domain controller or administrative workstation with _Domain Admin_
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
 7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**.
 8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**.
-9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**.  Click OK twice, then close the Group Policy Management Editor.
+9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor.
 
 ### Deploy the Intranet Zone Group Policy object
 
@@ -342,4 +334,4 @@ Before you continue with the deployment, validate your deployment progress by re
 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
 3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
+5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index b954e4d073..c618365d4e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,27 +1,18 @@
 ---
 title: Configure Windows Hello for Business Policy settings - key trust
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Configure Windows Hello for Business Policy settings - Key Trust
 
-You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
 
-Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
+To run the Group Policy Management Console from a Windows client, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+
+Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows client installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for more information.
 
 On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting:  Enable Windows Hello for Business
 
@@ -76,13 +67,13 @@ The default configuration for Windows Hello for Business is to prefer hardware p
 
 You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials.  Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
 
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Some organizations may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
 
 ### Use biometrics
 
 Windows Hello for Business provides a great user experience when combined with the use of biometrics.  Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.  
 
-The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers.  The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
+The default Windows Hello for Business enables users to enroll and use biometrics. However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers.  The policy setting disabled all biometrics.  Currently, Windows does not provide the ability to set granular policies that enable you to disable specific modalities of biometrics, such as allowing facial recognition, but disallowing fingerprint recognition.
 
 ### PIN Complexity
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 64195a8b82..57080612a2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,24 +1,16 @@
 ---
 title: Key registration for on-premises deployment of Windows Hello for Business
 description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Validate Active Directory prerequisites - Key Trust
 
-Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business.  To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
+Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
 
 > [!NOTE]
 >There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 81e0df5016..046acb3df3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,23 +1,15 @@
 ---
 title: Validate and Deploy MFA for Windows Hello for Business with key trust
 description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Validate and Deploy Multifactor Authentication (MFA)
 
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
 > [!IMPORTANT]
 > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index d12ad32ade..c3a9226714 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,34 +1,26 @@
 ---
 title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business)
 description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>On-premises deployment</b>
-- ✅ <b>Key trust</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Validate and Configure Public Key Infrastructure - Key Trust
 
-Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model.  All trust models depend on the domain controllers having a certificate.  The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.  
+[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
+
+Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model.  All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.  
 
 ## Deploy an enterprise certificate authority
 
-This guide assumes most enterprise have an existing public key infrastructure.  Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
+This guide assumes most enterprises have an existing public key infrastructure.  Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later.
 
 ### Lab-based public key infrastructure
 
 The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment.
 
-Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
+Sign in using **Enterprise Admin** equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed.
 
 >[!NOTE]
 >Never install a certificate authority on a domain controller in a production environment.
@@ -56,7 +48,7 @@ Domain controllers automatically request a domain controller certificate (if pub
 
 By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template.  However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs.  To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
 
-Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+Sign in to a certificate authority or management workstations with **Domain Admin** equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
 
@@ -64,7 +56,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 
 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
 
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box.  Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
 
 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name.  Adjust the validity and renewal period to meet your enterprise’s needs.   
 
@@ -83,7 +75,7 @@ Many domain controllers may have an existing domain controller certificate.  The
 
 The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later).   The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates.  You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. 
 
-Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
+Sign in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
 
@@ -109,7 +101,7 @@ The certificate template is configured to supersede all the certificate template
 
 Windows clients use the https protocol when communicating with Active Directory Federation Services.  To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm.  On-premises deployments can use a server authentication certificate issued by their enterprise PKI.  You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. 
 
-Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+Sign in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
 
@@ -140,7 +132,7 @@ The certificate authority only issues certificates based on published certificat
 
 The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates.  Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
 
-Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+Sign in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
 
@@ -156,7 +148,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
 
 The certificate authority may only issue certificates for certificate templates that are published to that certificate authority.  If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
 
-Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+Sign in to the certificate authority or management workstations with **Enterprise Admin** equivalent credentials.
 
 1. Open the **Certificate Authority** management console.
 
@@ -204,7 +196,7 @@ Domain controllers automatically request a certificate from the domain controlle
 
 ### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
 
-Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+Sign in to domain controller or management workstations with _Domain Admin_ equivalent credentials.
 
 1. Start the **Group Policy Management Console** (gpmc.msc).
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 7127970af5..2d83fca7b3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,30 +1,21 @@
 ---
 title: Manage Windows Hello in your organization (Windows)
 description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
-ms.topic: article
-ms.localizationpriority: medium
 ms.date: 2/15/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 
 # Manage Windows Hello for Business in your organization
 
-You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
+You can create a Group Policy or mobile device management (MDM) policy to configure Windows Hello for Business on Windows devices.
 
 >[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
->
->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>Windows Hello as a convenience PIN is disabled by default on all domain joined and Azure AD joined devices. To enable a convenience PIN, enable the Group Policy setting **Turn on convenience PIN sign-in**.
 >
 >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
 
@@ -143,9 +134,10 @@ All PIN complexity policies are grouped separately from feature enablement and a
 >- LowercaseLetters - 1
 >- SpecialCharacters - 1
 
+<!--
 ## How to use Windows Hello for Business with Azure Active Directory
 
-There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
+There are three scenarios for using Windows Hello for Business in Azure AD-only organizations:
 
 - **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
 - **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered. 
@@ -163,3 +155,5 @@ If you want to use Windows Hello for Business with certificates, you'll need a d
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
+-->
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 6efd13da5a..87ec948d71 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,24 +1,16 @@
 ---
 title: Windows Hello for Business Overview (Windows)
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
 ms.topic: conceptual
-localizationpriority: medium
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Holographic for Business</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 ---
 # Windows Hello for Business Overview
 
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
+Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.
 
 >[!NOTE]
 > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index a50d39c2dc..c3c5912b26 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -1,20 +1,10 @@
 ---
 title: Planning a Windows Hello for Business Deployment
 description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
-  - M365-identity-device-management
-  - highpri
-ms.topic: article
-localizationpriority: conceptual
 ms.date: 09/16/2020
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Planning a Windows Hello for Business Deployment
 
@@ -189,9 +179,9 @@ Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2
 
 Choose a trust type that is best suited for your organizations.  Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
 
-One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust).  
+One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers and needing to enroll certificates for all their users (certificate trust).  
 
-Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision.  Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority.  In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. 
+Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision.  Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority.  In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.
 
 If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 89efd738ea..69e4a380e5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -1,18 +1,10 @@
 ---
 title: Prepare people to use Windows Hello (Windows)
 description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 08/19/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Prepare people to use Windows Hello
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index cf437e3bee..bf6f5a4ea0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,18 +1,10 @@
 ---
 title: Windows Hello for Business Videos
 description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 07/26/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Windows Hello for Business Videos
 ## Overview of Windows Hello for Business and Features
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 887d2893eb..f2ba4fd368 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,25 +1,18 @@
 ---
 title: Why a PIN is better than an online password (Windows)
-description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password .
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection:
+description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
+ms.collection: 
   - M365-identity-device-management
   - highpri
-ms.topic: article
-ms.localizationpriority: medium
 ms.date: 10/23/2017
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # Why a PIN is better than an online password
 
-Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
-On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password. 
+Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a local password?
+On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than an online password, it's how it works. First we need to distinguish between two types of passwords: `local` passwords are validated against the machine's password store, whereas `online` passwords are validated against a server. This article mostly covers the benefits a PIN has over an online password, and also why it can be considered even better than a local password.
 
 Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than an online password.
 
diff --git a/windows/security/identity-protection/hello-for-business/images/azuread-kerberos-object.png b/windows/security/identity-protection/hello-for-business/images/azuread-kerberos-object.png
new file mode 100644
index 0000000000..a1cffd3665
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/azuread-kerberos-object.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/haadj-whfb-pin-provisioning.gif b/windows/security/identity-protection/hello-for-business/images/haadj-whfb-pin-provisioning.gif
new file mode 100644
index 0000000000..7bff02eada
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/haadj-whfb-pin-provisioning.gif differ
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 3907b4b422..0f14b0a619 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -6,7 +6,8 @@ summary: Learn how to manage and deploy Windows Hello for Business.
 metadata:
   title: Windows Hello for Business documentation
   description: Learn how to manage and deploy Windows Hello for Business.
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.topic: landing-page
   author: paolomatarazzo
   ms.author: paoloma
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index 2d0f9aed02..6d5ad8dea5 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -1,15 +1,10 @@
 ---
-title: Microsoft-compatible security key 
+title: Microsoft-compatible security key
 description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 11/14/2018
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # What is a Microsoft-compatible security key?
 
@@ -26,6 +21,6 @@ A security key **MUST** implement the following features and extensions from the
 | #</br> | Feature / Extension trust</br> | Why is this required? </br> |
 | --- | --- | --- | 
 | 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key |
-| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
+| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have a user interface|
 | 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
 | 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index be9b81f965..a18a0b3aeb 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -1,23 +1,15 @@
 ---
 title: Password-less strategy
 description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
 ms.topic: conceptual
-localizationpriority: medium
 ms.date: 05/24/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 ---
 
 # Password-less strategy
 
-This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
+This article describes Windows' password-less strategy and how Windows Hello for Business implements this strategy.
 
 ## Four steps to password freedom
 
@@ -308,7 +300,7 @@ The following image shows the SCRIL setting for a user in Active Directory Users
 
 :::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options.":::
 
-When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. The users are effectively password-less because:
+When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Users will no longer need to change their password when it expires, because passwords for SCRIL users don't expire. The users are effectively password-less because:
 
 - They don't know their password.
 - Their password is 128 random bits of data and is likely to include non-typable characters.
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index 3818cf29e6..366a317f73 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -1,15 +1,10 @@
 ---
-title: Reset-security-key 
+title: Reset-security-key
 description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 11/14/2018
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # How to reset a Microsoft-compatible security key? 
 > [!Warning]
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 21756b8260..5aa1fcad6a 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -1,16 +1,11 @@
 ---
 title: How Windows Hello for Business works (Windows)
 description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
-ms.prod: windows-client
-ms.localizationpriority: high
-author: paolomatarazzo
-ms.author: paoloma
 ms.date: 10/16/2017
-manager: aaroncz
-ms.topic: article
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.topic: article
 ---
 # How Windows Hello for Business works in Windows devices
 
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 2c22050ab0..502a196109 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -1,13 +1,11 @@
 - name: Windows Hello for Business documentation
   href: index.yml
-- name: Overview
-  items:
-  - name: Windows Hello for Business Overview
-    href: hello-overview.md
 - name: Concepts
   expanded: true
   items:
-  - name: Passwordless Strategy
+  - name: Windows Hello for Business overview
+    href: hello-overview.md
+  - name: Passwordless strategy
     href: passwordless-strategy.md
   - name: Why a PIN is better than a password
     href: hello-why-pin-is-better-than-password.md
@@ -15,129 +13,160 @@
     href: hello-biometrics-in-enterprise.md
   - name: How Windows Hello for Business works
     href: hello-how-it-works.md
-  - name: Technical Deep Dive
-    items:
-    - name: Provisioning
-      href: hello-how-it-works-provisioning.md
-    - name: Authentication
-      href: hello-how-it-works-authentication.md
-    - name: WebAuthn APIs
-      href: webauthn-apis.md
-- name: How-to Guides
+- name: Deployment guides
   items:
-  - name: Windows Hello for Business Deployment Overview
+  - name: Windows Hello for Business deployment overview
     href: hello-deployment-guide.md
-  - name: Planning a Windows Hello for Business Deployment
+  - name: Planning a Windows Hello for Business deployment
     href: hello-planning-guide.md
-  - name: Deployment Prerequisite Overview
+  - name: Deployment prerequisite overview
     href: hello-identity-verification.md
-  - name: Prepare people to use Windows Hello
-    href: hello-prepare-people-to-use.md
-  - name: Deployment Guides
+  - name: Cloud-only deployment
+    href: hello-aad-join-cloud-only-deploy.md
+  - name: Hybrid deployments
     items:
-    - name: Hybrid Cloud Kerberos Trust Deployment
+    - name: Cloud Kerberos trust deployment
       href: hello-hybrid-cloud-kerberos-trust.md
-    - name: Hybrid Azure AD Joined Key Trust
+    - name: Key trust deployment
       items: 
-      - name: Hybrid Azure AD Joined Key Trust Deployment
+      - name: Overview
         href: hello-hybrid-key-trust.md
       - name: Prerequisites
         href: hello-hybrid-key-trust-prereqs.md
-      - name: New Installation Baseline
+      - name: New installation baseline
         href: hello-hybrid-key-new-install.md
-      - name: Configure Directory Synchronization
+      - name: Configure directory synchronization
         href: hello-hybrid-key-trust-dirsync.md
-      - name: Configure Azure Device Registration
+      - name: Configure Azure AD device registration
         href: hello-hybrid-key-trust-devreg.md
       - name: Configure Windows Hello for Business settings
-        href: hello-hybrid-key-whfb-settings.md
-      - name: Sign-in and Provisioning
+        items:
+        - name: Overview
+          href: hello-hybrid-key-whfb-settings.md
+        - name: Configure Active Directory
+          href: hello-hybrid-key-whfb-settings-ad.md
+        - name: Configure Azure AD Connect Sync
+          href: hello-hybrid-key-whfb-settings-dir-sync.md
+        - name: Configure PKI
+          href: hello-hybrid-key-whfb-settings-pki.md
+        - name: Configure Group Policy settings
+          href: hello-hybrid-key-whfb-settings-policy.md
+      - name: Sign-in and provision Windows Hello for Business
         href: hello-hybrid-key-whfb-provision.md
-    - name: Hybrid Azure AD Joined Certificate Trust
+      - name: On-premises SSO for Azure AD joined devices
+        href: hello-hybrid-aadj-sso.md
+      - name: Configure Azure AD joined devices for on-premises SSO
+        href: hello-hybrid-aadj-sso-base.md
+    - name: Certificate trust deployment
       items: 
-      - name: Hybrid Azure AD Joined Certificate Trust Deployment
+      - name: Overview
         href: hello-hybrid-cert-trust.md
       - name: Prerequisites
         href: hello-hybrid-cert-trust-prereqs.md
-      - name: New Installation Baseline
+      - name: New installation baseline
         href: hello-hybrid-cert-new-install.md
-      - name: Configure Azure Device Registration
+      - name: Configure Azure AD device registration
         href: hello-hybrid-cert-trust-devreg.md
       - name: Configure Windows Hello for Business settings
-        href: hello-hybrid-cert-whfb-settings.md
-      - name: Sign-in and Provisioning
+        items:
+        - name: Overview
+          href: hello-hybrid-cert-whfb-settings.md
+        - name: Configure Active Directory
+          href: hello-hybrid-cert-whfb-settings-ad.md
+        - name: Configure Azure AD Connect Sync
+          href: hello-hybrid-cert-whfb-settings-dir-sync.md
+        - name: Configure PKI
+          href: hello-hybrid-cert-whfb-settings-pki.md
+        - name: Configure AD FS
+          href: hello-hybrid-cert-whfb-settings-adfs.md
+        - name: Configure Group Policy settings
+          href: hello-hybrid-cert-whfb-settings-policy.md
+      - name: Sign-in and provision Windows Hello for Business
         href: hello-hybrid-cert-whfb-provision.md
-    - name: On-premises SSO for Azure AD Joined Devices
-      items: 
-      - name: On-premises SSO for Azure AD Joined Devices Deployment 
+      - name: On-premises SSO for Azure AD joined devices
         href: hello-hybrid-aadj-sso.md
-      - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+      - name: Configure Azure AD joined devices for on-premises SSO
         href: hello-hybrid-aadj-sso-base.md
-      - name: Using Certificates for AADJ On-premises Single-sign On
+      - name: Using certificates for on-premises SSO
         href: hello-hybrid-aadj-sso-cert.md
-    - name: On-premises Key Trust
+    - name: Planning for Domain Controller load
+      href: hello-adequate-domain-controllers.md
+  - name: On-premises deployments
+    items:
+    - name: Key trust deployment
       items: 
-      - name: On-premises Key Trust Deployment
+      - name: Overview
         href: hello-deployment-key-trust.md
-      - name: Validate Active Directory Prerequisites
+      - name: Validate Active Directory prerequisites
         href: hello-key-trust-validate-ad-prereq.md
-      - name: Validate and Configure Public Key Infrastructure
+      - name: Validate and configure Public Key Infrastructure (PKI)
         href: hello-key-trust-validate-pki.md
-      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+      - name: Prepare and deploy Active Directory Federation Services (AD FS)
         href: hello-key-trust-adfs.md
-      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+      - name: Validate and deploy multi-factor authentication (MFA) services
         href: hello-key-trust-validate-deploy-mfa.md
       - name: Configure Windows Hello for Business policy settings
         href: hello-key-trust-policy-settings.md
-    - name: On-premises Certificate Trust
+    - name: Certificate trust deployment
       items: 
-      - name: On-premises Certificate Trust Deployment
+      - name: Overview
         href: hello-deployment-cert-trust.md
-      - name: Validate Active Directory Prerequisites
+      - name: Validate Active Directory prerequisites
         href: hello-cert-trust-validate-ad-prereq.md
-      - name: Validate and Configure Public Key Infrastructure
+      - name: Validate and configure Public Key Infrastructure (PKI)
         href: hello-cert-trust-validate-pki.md
-      - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+      - name: Prepare and Deploy Active Directory Federation Services (AD FS)
         href: hello-cert-trust-adfs.md
-      - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+      - name: Validate and deploy multi-factor authentication (MFA) services
         href: hello-cert-trust-validate-deploy-mfa.md
       - name: Configure Windows Hello for Business policy settings
         href: hello-cert-trust-policy-settings.md
-    - name: Azure AD join cloud only deployment
-      href: hello-aad-join-cloud-only-deploy.md
-    - name: Managing Windows Hello for Business in your organization
-      href: hello-manage-in-organization.md
-    - name: Deploying Certificates to Key Trust Users to Enable RDP
-      href: hello-deployment-rdp-certs.md
-  - name: Windows Hello for Business Features
-    items:
-    - name: Conditional Access 
-      href: hello-feature-conditional-access.md
-    - name: PIN Reset
-      href: hello-feature-pin-reset.md
-    - name: Dual Enrollment
-      href: hello-feature-dual-enrollment.md  
-    - name: Dynamic Lock
-      href: hello-feature-dynamic-lock.md
-    - name: Multi-factor Unlock
-      href: feature-multifactor-unlock.md
-    - name: Remote Desktop
-      href: hello-feature-remote-desktop.md
-  - name: Troubleshooting
-    items:
-    - name: Known Deployment Issues
-      href: hello-deployment-issues.md
-    - name: Errors During PIN Creation
-      href: hello-errors-during-pin-creation.md
-    - name: Event ID 300 - Windows Hello successfully created
-      href: hello-event-300.md
-    - name: Windows Hello and password changes
-      href: hello-and-password-changes.md
+    - name: Planning for Domain Controller load
+      href: hello-adequate-domain-controllers.md
+  - name: Deploy certificates for remote desktop (RDP) sign-in
+    href: hello-deployment-rdp-certs.md
+- name: How-to Guides
+  items:
+  - name: Prepare people to use Windows Hello
+    href: hello-prepare-people-to-use.md
+  - name: Manage Windows Hello for Business in your organization
+    href: hello-manage-in-organization.md
+- name: Windows Hello for Business features
+  items:
+  - name: Conditional access 
+    href: hello-feature-conditional-access.md
+  - name: PIN Reset
+    href: hello-feature-pin-reset.md
+  - name: Dual Enrollment
+    href: hello-feature-dual-enrollment.md  
+  - name: Dynamic Lock
+    href: hello-feature-dynamic-lock.md
+  - name: Multi-factor Unlock
+    href: feature-multifactor-unlock.md
+  - name: Remote desktop (RDP) sign-in
+    href: hello-feature-remote-desktop.md
+- name: Troubleshooting
+  items:
+  - name: Known deployment issues
+    href: hello-deployment-issues.md
+  - name: Errors during PIN creation
+    href: hello-errors-during-pin-creation.md
+  - name: Event ID 300 - Windows Hello successfully created
+    href: hello-event-300.md
+  - name: Windows Hello and password changes
+    href: hello-and-password-changes.md
 - name: Reference
   items:
-  - name: Technology and Terminology
+  - name: How Windows Hello for Business provisioning works
+    href: hello-how-it-works-provisioning.md
+  - name: How Windows Hello for Business authentication works
+    href: hello-how-it-works-authentication.md
+  - name: WebAuthn APIs
+    href: webauthn-apis.md
+  - name: Technology and terminology
     href: hello-how-it-works-technology.md
   - name: Frequently Asked Questions (FAQ)
     href: hello-faq.yml
   - name: Windows Hello for Business videos
     href: hello-videos.md
+    
diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
index 26654a00e4..534fddf6ee 100644
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@@ -1,18 +1,10 @@
 ---
-title: WebAuthn APIs 
+title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.prod: m365-security
-author: paolomatarazzo
-ms.author: paoloma
-manager: aaroncz
-ms.reviewer: prsriva
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
 ms.date: 09/15/2022
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
+ms.topic: article
 ---
 # WebAuthn APIs for passwordless authentication on Windows
 <!--MAXADO-6021798-->
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index ee523e79f7..efab24f84a 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -1,7 +1,7 @@
 ---
 title: Identity and access management (Windows 10)
 description: Learn more about identity and access protection technologies in Windows.
-ms.prod: m365-security
+ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
@@ -9,9 +9,10 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 02/05/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # Identity and access management
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
index a48a887b72..fe76412c23 100644
--- a/windows/security/identity-protection/password-support-policy.md
+++ b/windows/security/identity-protection/password-support-policy.md
@@ -1,16 +1,17 @@
 ---
 title: Technical support policy for lost or forgotten passwords
 description: Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so.
-ms.custom:
-- CI ID 110060
-- CSSTroubleshoot 
-ms.prod: m365-security
+ms.custom: 
+  - CI ID 110060
+  - CSSTroubleshoot
+ms.prod: windows-client
 ms.topic: article
 ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
 ms.date: 11/20/2019
+ms.technology: itpro-security
 ---
 
 # Technical support policy for lost or forgotten passwords
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 4d160b97b2..943feee191 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,19 +1,20 @@
 ---
 title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
 description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
-ms.prod: m365-security
+ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-identity-device-management
   - highpri
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 01/12/2018
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows Server 2016</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 # Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 613d27bf02..94d820ba53 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -1,7 +1,7 @@
 ---
 title: Smart Card and Remote Desktop Services (Windows)
 description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-ms.prod: m365-security
+ms.prod: windows-client
 author: paolomatarazzo
 ms.author: paoloma
 ms.reviewer: ardenw
@@ -10,12 +10,13 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/24/2021
-appliesto:
-- ✅ <b>Windows 10</b>
-- ✅ <b>Windows 11</b>
-- ✅ <b>Windows Server 2016</b>
-- ✅ <b>Windows Server 2019</b>
-- ✅ <b>Windows Server 2022</b>
+appliesto: 
+  - ✅ <b>Windows 10</b>
+  - ✅ <b>Windows 11</b>
+  - ✅ <b>Windows Server 2016</b>
+  - ✅ <b>Windows Server 2019</b>
+  - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 # Smart Card and Remote Desktop Services
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 7277b044d4..8fdd044d15 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Card Architecture
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 00b2152267..664a098b48 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Certificate Propagation Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 5707ce0650..eafc1a53ec 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Certificate Requirements and Enumeration
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 7604db531a..041be309ae 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -18,6 +18,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Card Troubleshooting
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index fd2d69b73f..82b2141687 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Card Events
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index c32bc12fe2..9ba33317ac 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Card Group Policy and Registry Settings
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index ad01703612..75800f2ed8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -8,7 +8,6 @@ ms.reviewer: ardenw
 manager: aaroncz
 ms.collection: 
   - M365-identity-device-management
-  - highpri
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/24/2021
@@ -18,6 +17,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # How Smart Card Sign-in Works in Windows
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index bd2846b176..1dde909358 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Card Removal Policy Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index af5b9e8bb6..60ec54e817 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Cards for Windows Service
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 106071d129..fe25ba9e7c 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Card Tools and Settings
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index f1676735c7..073e9fb3e9 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -16,6 +16,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # Smart Card Technical Reference
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 49a56c854a..9736d287a0 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -18,6 +18,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # How User Account Control works
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 540e4342f1..aeae137539 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -18,6 +18,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # User Account Control Group Policy and registry key settings
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 39dfcbd0bc..1e1fb5f9a7 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -18,6 +18,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # User Account Control
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index c65eb01870..2b860883d7 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -8,7 +8,6 @@ ms.reviewer: sulahiri
 manager: aaroncz
 ms.collection: 
   - M365-identity-device-management
-  - highpri
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/24/2021
@@ -18,6 +17,7 @@ appliesto:
   - ✅ <b>Windows Server 2016</b>
   - ✅ <b>Windows Server 2019</b>
   - ✅ <b>Windows Server 2022</b>
+ms.technology: itpro-security
 ---
 
 # User Account Control security policy settings
@@ -35,7 +35,7 @@ This policy setting controls the behavior of Admin Approval Mode for the built-i
 
 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.
 
--   **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
+-   **Enabled** UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
 -   **Disabled** (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
 
 ## User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
@@ -65,29 +65,33 @@ This policy setting controls the behavior of the elevation prompt for standard u
 This policy setting controls the behavior of application installation detection for the computer.
 
 -   **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
--   **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Manager should disable this policy setting. In this case, installer detection is unnecessary.
+-   **Disabled** App installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Intune should disable this policy setting. In this case, installer detection is unnecessary.
 
 ## User Account Control: Only elevate executable files that are signed and validated
 
 This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.
 
--   **Enabled** Enforces the certificate certification path validation for a given executable file before it is permitted to run.
--   **Disabled** (Default) Does not enforce the certificate certification path validation before a given executable file is permitted to run.
+-   **Enabled** Enforces the certificate certification path validation for a given executable file before it's permitted to run.
+-   **Disabled** (Default) Doesn't enforce the certificate certification path validation before a given executable file is permitted to run.
 
 ## User Account Control: Only elevate UIAccess applications that are installed in secure locations
 
-This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows
+This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following folders: 
+
+- …\\Program Files\\, including subfolders
+- …\\Windows\\system32\\ 
+- …\\Program Files (x86)\\, including subfolders for 64-bit versions of Windows
 
 >**Note:**  Windows enforces a digital signature check on any interactive app that requests to run with a UIAccess integrity level regardless of the state of this security setting.
  
 -   **Enabled** (Default) If an app resides in a secure location in the file system, it runs only with UIAccess integrity.
--   **Disabled** An app runs with UIAccess integrity even if it does not reside in a secure location in the file system.
+-   **Disabled** An app runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
 
 ## User Account Control: Turn on Admin Approval Mode
 
 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.
 
--   **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+-   **Enabled** (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately. They'll allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
 -   **Disabled** Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.
 
 ## User Account Control: Switch to the secure desktop when prompting for elevation
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index 0f5fef56ab..7154750f0b 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -12,6 +12,7 @@ ms.date: 04/19/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Deploy Virtual Smart Cards
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index f5ce64521a..8aff0f477f 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -12,6 +12,7 @@ ms.date: 04/19/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Evaluate Virtual Smart Card Security
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index ab366df26d..3dbfc81372 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -12,6 +12,7 @@ ms.date: 04/19/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Get Started with Virtual Smart Cards: Walkthrough Guide
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index acb3e89bb3..361c943258 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -12,6 +12,7 @@ ms.date: 10/13/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Virtual Smart Card Overview
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 62b4f01d0c..c4bbcf77bd 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -12,6 +12,7 @@ ms.date: 04/19/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Tpmvscmgr
@@ -34,7 +35,7 @@ The Create command sets up new virtual smart cards on the user’s system. It re
 | /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.<br>**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a value for the administrator key.<br>**RANDOM**&nbsp;&nbsp;Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
 | /PIN | Indicates desired user PIN value.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PIN of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
 | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.<br>**DEFAULT**&nbsp;&nbsp;Specifies the default PUK of 12345678.<br>**PROMPT**&nbsp;&nbsp;Prompts the user to enter a PUK at the command line. |
-| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |
+| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. |
 | /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
 | /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:<br>**minlen** &lt;minimum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specified, defaults to 8. The lower bound is 4.<br>**maxlen** &lt;maximum PIN length&gt;<br>&nbsp;&nbsp;&nbsp;If not specified, defaults to 127. The upper bound is 127.<br>**uppercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**lowercase**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**digits**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br>**specialchars**&nbsp;&nbsp;Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**<br><br>When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
 | /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:<br>**AIK_AND_CERT**&nbsp;&nbsp;Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.<br>**AIK_ONLY**&nbsp;&nbsp;Creates an AIK but does not obtain an AIK certificate. |
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 6b9c28ede3..7145692213 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -12,6 +12,7 @@ ms.date: 04/19/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Understanding and Evaluating Virtual Smart Cards
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 713f1ab1f6..c8e7f675e5 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -12,6 +12,7 @@ ms.date: 10/13/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows Server 2016</b>
+ms.technology: itpro-security
 ---
 
 # Use Virtual Smart Cards
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 863eec92a6..5ca81d5c91 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # How to configure Diffie Hellman protocol over IKEv2 VPN connections
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index d7cefe3eee..4b167fab27 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -10,6 +10,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 508f1851bc..fa541c4f87 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # VPN authentication options
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 84b2d6c66b..e7e1f831ab 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # VPN auto-triggered profile options
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 2589095203..5d7a695376 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -11,6 +11,7 @@ ms.date: 09/23/2021
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # VPN and conditional access
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 473b6fede7..c3b4995351 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # VPN connection types
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 54ef63f227..40331b878d 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # Windows VPN technical guide
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index cc0d1c17d1..61fccf4518 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # VPN name resolution
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index 3512900011..6e45c35a7e 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -12,6 +12,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 # Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client
 
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 07f0f4e317..ebd414e637 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -11,11 +11,12 @@ ms.date: 05/17/2018
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # VPN profile options
 
-Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Endpoint Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). 
+Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp). 
 
 >[!NOTE]
 >If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first.
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index 8a4d2a49b8..195202fe24 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 # VPN routing decisions
 
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 852ee0c9d5..d21e11182a 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -11,6 +11,7 @@ ms.reviewer: pesmith
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # VPN security features
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 1e475ba610..9b7bb26672 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -12,6 +12,7 @@ ms.date: 04/19/2017
 appliesto: 
   - ✅ <b>Windows 10</b>
   - ✅ <b>Windows 11</b>
+ms.technology: itpro-security
 ---
 
 # Windows Credential Theft Mitigation Guide Abstract
diff --git a/windows/security/identity.md b/windows/security/identity.md
index f9ccae6a49..6ef1e3db59 100644
--- a/windows/security/identity.md
+++ b/windows/security/identity.md
@@ -6,8 +6,8 @@ manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
 ms.collection: M365-security-compliance
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Windows identity and privacy
diff --git a/windows/security/includes/hello-cloud.md b/windows/security/includes/hello-cloud.md
new file mode 100644
index 0000000000..c40ed1027c
--- /dev/null
+++ b/windows/security/includes/hello-cloud.md
@@ -0,0 +1,7 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [cloud](../identity-protection/hello-for-business/hello-how-it-works-technology.md#cloud-deployment)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join)
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-hybrid-cert-trust-aad.md b/windows/security/includes/hello-hybrid-cert-trust-aad.md
new file mode 100644
index 0000000000..e80912d8b9
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cert-trust-aad.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join)
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-hybrid-cert-trust-ad.md b/windows/security/includes/hello-hybrid-cert-trust-ad.md
new file mode 100644
index 0000000000..4ef97bd233
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cert-trust-ad.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-hybrid-cert-trust.md b/windows/security/includes/hello-hybrid-cert-trust.md
new file mode 100644
index 0000000000..77a897f264
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cert-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-hybrid-cloudkerb-trust.md b/windows/security/includes/hello-hybrid-cloudkerb-trust.md
new file mode 100644
index 0000000000..4f68be791b
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-cloudkerb-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [cloud Kerberos trust](../identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-hybrid-key-trust-ad.md b/windows/security/includes/hello-hybrid-key-trust-ad.md
new file mode 100644
index 0000000000..68521a5a14
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-key-trust-ad.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-hybrid-key-trust.md b/windows/security/includes/hello-hybrid-key-trust.md
new file mode 100644
index 0000000000..fdb7466014
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-key-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join), [Hybrid Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-azure-ad-join)
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-hybrid-keycert-trust-aad.md b/windows/security/includes/hello-hybrid-keycert-trust-aad.md
new file mode 100644
index 0000000000..a8d82200d3
--- /dev/null
+++ b/windows/security/includes/hello-hybrid-keycert-trust-aad.md
@@ -0,0 +1,7 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [hybrid](../identity-protection/hello-for-business/hello-how-it-works-technology.md#hybrid-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust), [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** [Azure AD join](../identity-protection/hello-for-business/hello-how-it-works-technology.md#azure-active-directory-join)
+<br>
+
+---
diff --git a/windows/security/includes/hello-on-premises-cert-trust.md b/windows/security/includes/hello-on-premises-cert-trust.md
new file mode 100644
index 0000000000..2cc01ac3ac
--- /dev/null
+++ b/windows/security/includes/hello-on-premises-cert-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\
+✅ **Trust type:** [certificate trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#certificate-trust)\
+✅ **Device registration type:** Active Directory domain join
+
+<br>
+
+---
diff --git a/windows/security/includes/hello-on-premises-key-trust.md b/windows/security/includes/hello-on-premises-key-trust.md
new file mode 100644
index 0000000000..cd6241fa72
--- /dev/null
+++ b/windows/security/includes/hello-on-premises-key-trust.md
@@ -0,0 +1,8 @@
+This document describes Windows Hello for Business functionalities or scenarios that apply to:\
+✅ **Deployment type:** [on-premises](../identity-protection/hello-for-business/hello-how-it-works-technology.md#on-premises-deployment)\
+✅ **Trust type:** [key trust](../identity-protection/hello-for-business/hello-how-it-works-technology.md#key-trust)\
+✅ **Device registration type:** Active Directory domain join
+
+<br>
+
+---
diff --git a/windows/security/index.yml b/windows/security/index.yml
index bca2ee7b90..57d27d3093 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -6,8 +6,9 @@ summary: Built with Zero Trust principles at the core to safeguard data and acce
 metadata:
   title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars.
   description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars.
-  ms.topic: landing-page # Required
-  ms.prod: windows
+  ms.topic: landing-page
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.collection:
     - m365-security-compliance
     - highpri
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index 4a3b3e57ca..aaee4befef 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,260 +1,258 @@
 ---
 title: BCD settings and BitLocker (Windows 10)
-description: This topic for IT professionals describes the BCD settings that are used by BitLocker.
+description: This article for IT professionals describes the BCD settings that are used by BitLocker.
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # Boot Configuration Data settings and BitLocker
 
-**Applies to**
+This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
 
-This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
-
-When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
+When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
 
 ## BitLocker and BCD Settings
 
 In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode.
 
-In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. 
-If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
+In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit the preferences for validation. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
 
 ### When secure boot is enabled
 
 Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
 
-One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system.
+One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system.
 
 ## Customizing BCD validation settings
 
 To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting.
 
-For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog:
+For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog:
 
--   winload
--   winresume
--   memtest
--   all of the above
+- winload
+- winresume
+- memtest
+- all of the above
 
-All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.”
+All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name."
 
 The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
 
-You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”.
+You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`.
 
 Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
 
 When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax:
 
--   Prefix the setting with the boot application prefix
--   Append a colon ‘:’
--   Append either the hex value or the friendly name
--   If entering more than one BCD setting, you will need to enter each BCD setting on a new line
+- Prefix the setting with the boot application prefix
+- Append a colon `:`
+- Append either the hex value or the friendly name
+- If entering more than one BCD setting, each BCD setting will need to be entered on a new line
 
-For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value.
+For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yields the same value.
 
-A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
+A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
 
 > [!NOTE]
 > Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
- 
+
 ### Default BCD validation profile
 
 The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions:
 
 | Hex Value | Prefix | Friendly Name |
 | - | - | - |
-| 0x11000001 | all | device| 
-| 0x12000002 | all | path| 
+| 0x11000001 | all | device|
+| 0x12000002 | all | path|
 | 0x12000030 | all | loadoptions|
-| 0x16000010 | all | bootdebug| 
-| 0x16000040 | all | advancedoptions| 
-| 0x16000041 | all| optionsedit| 
-| 0x16000048| all| nointegritychecks| 
-| 0x16000049| all| testsigning| 
-| 0x16000060| all| isolatedcontext| 
+| 0x16000010 | all | bootdebug|
+| 0x16000040 | all | advancedoptions|
+| 0x16000041 | all| optionsedit|
+| 0x16000048| all| nointegritychecks|
+| 0x16000049| all| testsigning|
+| 0x16000060| all| isolatedcontext|
 | 0x1600007b| all| forcefipscrypto|
-| 0x22000002| winload| systemroot| 
-| 0x22000011| winload| kernel| 
-| 0x22000012| winload| hal| 
-| 0x22000053| winload| evstore| 
-| 0x25000020| winload| nx| 
-| 0x25000052| winload| restrictapiccluster| 
-| 0x26000022| winload| winpe| 
-| 0x26000025 |winload|lastknowngood| 
-| 0x26000081| winload| safebootalternateshell| 
-| 0x260000a0| winload| debug| 
-| 0x260000f2| winload| hypervisordebug| 
-| 0x26000116| winload| hypervisorusevapic| 
-| 0x21000001| winresume| filedevice| 
-| 0x22000002| winresume| filepath| 
-| 0x26000006| winresume| debugoptionenabled| 
+| 0x22000002| winload| systemroot|
+| 0x22000011| winload| kernel|
+| 0x22000012| winload| hal|
+| 0x22000053| winload| evstore|
+| 0x25000020| winload| nx|
+| 0x25000052| winload| restrictapiccluster|
+| 0x26000022| winload| winpe|
+| 0x26000025 |winload|lastknowngood|
+| 0x26000081| winload| safebootalternateshell|
+| 0x260000a0| winload| debug|
+| 0x260000f2| winload| hypervisordebug|
+| 0x26000116| winload| hypervisorusevapic|
+| 0x21000001| winresume| filedevice|
+| 0x22000002| winresume| filepath|
+| 0x26000006| winresume| debugoptionenabled|
 
 ### Full list of friendly names for ignored BCD settings
 
-This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked.
+The following list is a full list of BCD settings with friendly names, which are ignored by default. These settings aren't part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker-protected operating system drive to be unlocked.
 
 > [!NOTE]
 > Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
 
 | Hex Value | Prefix | Friendly Name |
 | - | - | - |
-| 0x12000004 | all | description | 
-| 0x12000005 | all | locale | 
-| 0x12000016 | all | targetname | 
-| 0x12000019| all| busparams| 
-| 0x1200001d| all| key| 
-| 0x1200004a| all| fontpath| 
-| 0x14000006| all| inherit| 
-| 0x14000008| all| recoverysequence| 
-| 0x15000007| all| truncatememory| 
-| 0x1500000c| all| firstmegabytepolicy| 
-| 0x1500000d| all| relocatephysical| 
-| 0x1500000e| all| avoidlowmemory| 
-| 0x15000011| all| debugtype| 
-| 0x15000012 |all|debugaddress| 
-| 0x15000013| all| debugport| 
-| 0x15000014|all|baudrate| 
-| 0x15000015 | all| channel| 
-| 0x15000018 | all| debugstart| 
-| 0x1500001a | all| hostip| 
-| 0x1500001b | all| port| 
-| 0x15000022 | all| emsport| 
-| 0x15000023 | all| emsbaudrate| 
-| 0x15000042 | all| keyringaddress| 
-| 0x15000047 | all| configaccesspolicy| 
-| 0x1500004b | all| integrityservices| 
-| 0x1500004c | all| volumebandid| 
-| 0x15000051 | all| initialconsoleinput| 
-| 0x15000052 | all| graphicsresolution| 
-| 0x15000065 | all| displaymessage| 
+| 0x12000004 | all | description |
+| 0x12000005 | all | locale |
+| 0x12000016 | all | targetname |
+| 0x12000019| all| busparams|
+| 0x1200001d| all| key|
+| 0x1200004a| all| fontpath|
+| 0x14000006| all| inherit|
+| 0x14000008| all| recoverysequence|
+| 0x15000007| all| truncatememory|
+| 0x1500000c| all| firstmegabytepolicy|
+| 0x1500000d| all| relocatephysical|
+| 0x1500000e| all| avoidlowmemory|
+| 0x15000011| all| debugtype|
+| 0x15000012 |all|debugaddress|
+| 0x15000013| all| debugport|
+| 0x15000014|all|baudrate|
+| 0x15000015 | all| channel|
+| 0x15000018 | all| debugstart|
+| 0x1500001a | all| hostip|
+| 0x1500001b | all| port|
+| 0x15000022 | all| emsport|
+| 0x15000023 | all| emsbaudrate|
+| 0x15000042 | all| keyringaddress|
+| 0x15000047 | all| configaccesspolicy|
+| 0x1500004b | all| integrityservices|
+| 0x1500004c | all| volumebandid|
+| 0x15000051 | all| initialconsoleinput|
+| 0x15000052 | all| graphicsresolution|
+| 0x15000065 | all| displaymessage|
 | 0x15000066 | all| displaymessageoverride|
 | 0x15000081 | all| logcontrol|
-| 0x16000009 | all| recoveryenabled| 
-| 0x1600000b | all| badmemoryaccess| 
-| 0x1600000f | all| traditionalkseg| 
-| 0x16000017 | all| noumex| 
-| 0x1600001c | all| dhcp| 
-| 0x1600001e | all| vm| 
-| 0x16000020 | all| bootems| 
-| 0x16000046 | all| graphicsmodedisabled| 
-| 0x16000050 | all| extendedinput| 
-| 0x16000053 | all| restartonfailure| 
-| 0x16000054 | all| highestmode| 
-| 0x1600006c | all| bootuxdisabled| 
-| 0x16000072 | all| nokeyboard| 
-| 0x16000074 | all| bootshutdowndisabled| 
-| 0x1700000a | all| badmemorylist| 
-| 0x17000077 | all| allowedinmemorysettings| 
-| 0x22000040 | all| fverecoveryurl| 
-| 0x22000041 | all| fverecoverymessage| 
-| 0x31000003 | all| ramdisksdidevice| 
+| 0x16000009 | all| recoveryenabled|
+| 0x1600000b | all| badmemoryaccess|
+| 0x1600000f | all| traditionalkseg|
+| 0x16000017 | all| noumex|
+| 0x1600001c | all| dhcp|
+| 0x1600001e | all| vm|
+| 0x16000020 | all| bootems|
+| 0x16000046 | all| graphicsmodedisabled|
+| 0x16000050 | all| extendedinput|
+| 0x16000053 | all| restartonfailure|
+| 0x16000054 | all| highestmode|
+| 0x1600006c | all| bootuxdisabled|
+| 0x16000072 | all| nokeyboard|
+| 0x16000074 | all| bootshutdowndisabled|
+| 0x1700000a | all| badmemorylist|
+| 0x17000077 | all| allowedinmemorysettings|
+| 0x22000040 | all| fverecoveryurl|
+| 0x22000041 | all| fverecoverymessage|
+| 0x31000003 | all| ramdisksdidevice|
 | 0x32000004 | all| ramdisksdipath|
-| 0x35000001| all | ramdiskimageoffset| 
-| 0x35000002 | all| ramdisktftpclientport| 
-| 0x35000005 | all| ramdiskimagelength| 
-| 0x35000007 | all| ramdisktftpblocksize| 
-| 0x35000008 | all| ramdisktftpwindowsize| 
-| 0x36000006 | all| exportascd| 
-| 0x36000009 | all| ramdiskmcenabled| 
-| 0x3600000a | all| ramdiskmctftpfallback| 
-| 0x3600000b | all| ramdisktftpvarwindow| 
-| 0x21000001 | winload| osdevice| 
-| 0x22000013 | winload| dbgtransport| 
-| 0x220000f9 | winload| hypervisorbusparams| 
-| 0x22000110 | winload| hypervisorusekey| 
+| 0x35000001| all | ramdiskimageoffset|
+| 0x35000002 | all| ramdisktftpclientport|
+| 0x35000005 | all| ramdiskimagelength|
+| 0x35000007 | all| ramdisktftpblocksize|
+| 0x35000008 | all| ramdisktftpwindowsize|
+| 0x36000006 | all| exportascd|
+| 0x36000009 | all| ramdiskmcenabled|
+| 0x3600000a | all| ramdiskmctftpfallback|
+| 0x3600000b | all| ramdisktftpvarwindow|
+| 0x21000001 | winload| osdevice|
+| 0x22000013 | winload| dbgtransport|
+| 0x220000f9 | winload| hypervisorbusparams|
+| 0x22000110 | winload| hypervisorusekey|
 | 0x23000003  |winload| resumeobject|
-| 0x25000021| winload| pae| 
-| 0x25000031 |winload| removememory| 
-| 0x25000032 | winload| increaseuserva| 
-| 0x25000033 | winload| perfmem| 
-| 0x25000050 | winload| clustermodeaddressing| 
-| 0x25000055 | winload| x2apicpolicy| 
-| 0x25000061 | winload| numproc| 
+| 0x25000021| winload| pae|
+| 0x25000031 |winload| removememory|
+| 0x25000032 | winload| increaseuserva|
+| 0x25000033 | winload| perfmem|
+| 0x25000050 | winload| clustermodeaddressing|
+| 0x25000055 | winload| x2apicpolicy|
+| 0x25000061 | winload| numproc|
 | 0x25000063 | winload| configflags|
 | 0x25000066| winload| groupsize|
 | 0x25000071 | winload| msi|
-| 0x25000072 | winload| pciexpress| 
-| 0x25000080 | winload| safeboot| 
-| 0x250000a6 | winload| tscsyncpolicy| 
-| 0x250000c1| winload| driverloadfailurepolicy| 
-| 0x250000c2| winload| bootmenupolicy| 
-| 0x250000e0  |winload| bootstatuspolicy| 
-| 0x250000f0 | winload| hypervisorlaunchtype| 
-| 0x250000f3 | winload| hypervisordebugtype| 
-| 0x250000f4 | winload| hypervisordebugport| 
-| 0x250000f5 | winload| hypervisorbaudrate| 
-| 0x250000f6 | winload| hypervisorchannel| 
-| 0x250000f7 | winload| bootux| 
-| 0x250000fa | winload| hypervisornumproc| 
-| 0x250000fb | winload| hypervisorrootprocpernode| 
-| 0x250000fd | winload| hypervisorhostip| 
-| 0x250000fe | winload| hypervisorhostport| 
-| 0x25000100 | winload| tpmbootentropy| 
-| 0x25000113 | winload| hypervisorrootproc| 
-| 0x25000115 | winload| hypervisoriommupolicy| 
-| 0x25000120 | winload| xsavepolicy| 
-| 0x25000121 | winload| xsaveaddfeature0| 
-| 0x25000122 | winload| xsaveaddfeature1| 
-| 0x25000123 | winload| xsaveaddfeature2| 
-| 0x25000124 | winload| xsaveaddfeature3| 
-| 0x25000125 | winload| xsaveaddfeature4| 
-| 0x25000126 | winload| xsaveaddfeature5| 
-| 0x25000127 | winload| xsaveaddfeature6| 
-| 0x25000128 | winload| xsaveaddfeature7| 
-| 0x25000129 | winload| xsaveremovefeature| 
-| 0x2500012a | winload| xsaveprocessorsmask| 
-| 0x2500012b | winload| xsavedisable| 
-| 0x25000130 | winload| claimedtpmcounter| 
-| 0x26000004 | winload| stampdisks| 
-| 0x26000010 | winload| detecthal| 
-| 0x26000024 | winload| nocrashautoreboot| 
-| 0x26000030 | winload| nolowmem| 
-| 0x26000040 | winload| vga| 
-| 0x26000041 | winload| quietboot| 
-| 0x26000042 | winload| novesa| 
-| 0x26000043 | winload| novga| 
-| 0x26000051 | winload| usephysicaldestination| 
-| 0x26000054 | winload| uselegacyapicmode| 
-| 0x26000060 | winload| onecpu| 
-| 0x26000062 | winload| maxproc| 
-| 0x26000064 | winload| maxgroup| 
-| 0x26000065 | winload| groupaware| 
-| 0x26000070| winload| usefirmwarepcisettings| 
+| 0x25000072 | winload| pciexpress|
+| 0x25000080 | winload| safeboot|
+| 0x250000a6 | winload| tscsyncpolicy|
+| 0x250000c1| winload| driverloadfailurepolicy|
+| 0x250000c2| winload| bootmenupolicy|
+| 0x250000e0  |winload| bootstatuspolicy|
+| 0x250000f0 | winload| hypervisorlaunchtype|
+| 0x250000f3 | winload| hypervisordebugtype|
+| 0x250000f4 | winload| hypervisordebugport|
+| 0x250000f5 | winload| hypervisorbaudrate|
+| 0x250000f6 | winload| hypervisorchannel|
+| 0x250000f7 | winload| bootux|
+| 0x250000fa | winload| hypervisornumproc|
+| 0x250000fb | winload| hypervisorrootprocpernode|
+| 0x250000fd | winload| hypervisorhostip|
+| 0x250000fe | winload| hypervisorhostport|
+| 0x25000100 | winload| tpmbootentropy|
+| 0x25000113 | winload| hypervisorrootproc|
+| 0x25000115 | winload| hypervisoriommupolicy|
+| 0x25000120 | winload| xsavepolicy|
+| 0x25000121 | winload| xsaveaddfeature0|
+| 0x25000122 | winload| xsaveaddfeature1|
+| 0x25000123 | winload| xsaveaddfeature2|
+| 0x25000124 | winload| xsaveaddfeature3|
+| 0x25000125 | winload| xsaveaddfeature4|
+| 0x25000126 | winload| xsaveaddfeature5|
+| 0x25000127 | winload| xsaveaddfeature6|
+| 0x25000128 | winload| xsaveaddfeature7|
+| 0x25000129 | winload| xsaveremovefeature|
+| 0x2500012a | winload| xsaveprocessorsmask|
+| 0x2500012b | winload| xsavedisable|
+| 0x25000130 | winload| claimedtpmcounter|
+| 0x26000004 | winload| stampdisks|
+| 0x26000010 | winload| detecthal|
+| 0x26000024 | winload| nocrashautoreboot|
+| 0x26000030 | winload| nolowmem|
+| 0x26000040 | winload| vga|
+| 0x26000041 | winload| quietboot|
+| 0x26000042 | winload| novesa|
+| 0x26000043 | winload| novga|
+| 0x26000051 | winload| usephysicaldestination|
+| 0x26000054 | winload| uselegacyapicmode|
+| 0x26000060 | winload| onecpu|
+| 0x26000062 | winload| maxproc|
+| 0x26000064 | winload| maxgroup|
+| 0x26000065 | winload| groupaware|
+| 0x26000070| winload| usefirmwarepcisettings|
 | 0x26000090 | winload| bootlog|
-| 0x26000091 | winload| sos| 
-| 0x260000a1 | winload| halbreakpoint| 
-| 0x260000a2 | winload| useplatformclock| 
-| 0x260000a3 |winload| forcelegacyplatform| 
-| 0x260000a4 | winload| useplatformtick| 
-| 0x260000a5 | winload| disabledynamictick| 
-| 0x260000b0 | winload| ems| 
-| 0x260000c3 | winload| onetimeadvancedoptions| 
-| 0x260000c4 | winload| onetimeoptionsedit| 
-| 0x260000e1| winload| disableelamdrivers| 
-| 0x260000f8 | winload| hypervisordisableslat| 
-| 0x260000fc | winload| hypervisoruselargevtlb| 
-| 0x26000114 | winload| hypervisordhcp| 
+| 0x26000091 | winload| sos|
+| 0x260000a1 | winload| halbreakpoint|
+| 0x260000a2 | winload| useplatformclock|
+| 0x260000a3 |winload| forcelegacyplatform|
+| 0x260000a4 | winload| useplatformtick|
+| 0x260000a5 | winload| disabledynamictick|
+| 0x260000b0 | winload| ems|
+| 0x260000c3 | winload| onetimeadvancedoptions|
+| 0x260000c4 | winload| onetimeoptionsedit|
+| 0x260000e1| winload| disableelamdrivers|
+| 0x260000f8 | winload| hypervisordisableslat|
+| 0x260000fc | winload| hypervisoruselargevtlb|
+| 0x26000114 | winload| hypervisordhcp|
 | 0x21000005 | winresume| associatedosdevice|
-| 0x25000007 | winresume| bootux| 
+| 0x25000007 | winresume| bootux|
 | 0x25000008 | winresume| bootmenupolicy|
-| 0x26000003| winresume |customsettings| 
+| 0x26000003| winresume |customsettings|
 | 0x26000004 | winresume| pae|
-| 0x25000001 | memtest| passcount| 
-| 0x25000002 | memtest| testmix| 
-| 0x25000005 | memtest| stridefailcount| 
-| 0x25000006 | memtest| invcfailcount| 
-| 0x25000007 | memtest| matsfailcount| 
-| 0x25000008 | memtest| randfailcount| 
+| 0x25000001 | memtest| passcount|
+| 0x25000002 | memtest| testmix|
+| 0x25000005 | memtest| stridefailcount|
+| 0x25000006 | memtest| invcfailcount|
+| 0x25000007 | memtest| matsfailcount|
+| 0x25000008 | memtest| randfailcount|
 | 0x25000009 |memtest| chckrfailcount|
 | 0x26000003| memtest| cacheenable|
 | 0x26000004 | memtest| failuresenabled|
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index 5278e578b5..df826bda53 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -3,26 +3,28 @@ metadata:
   title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10)
   description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. 
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
-  ms.reviewer: 
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection:
     - M365-security-compliance
     - highpri
   ms.topic: faq
-  ms.date: 02/28/2019
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: BitLocker and Active Directory Domain Services (AD DS) FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
   
 
@@ -34,20 +36,20 @@ sections:
         answer: |
           Stored information | Description
           -------------------|------------
-          Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
-          BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
+          Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
+          BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
           BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. 
           
       - question: |
           What if BitLocker is enabled on a computer before the computer has joined the domain?
         answer: |
-          If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+          If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
           
           For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
           
-          The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+          The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
           
-          ```PowerShell
+          ```powershell
           $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
           $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
           
@@ -56,29 +58,29 @@ sections:
           ```
           
           > [!IMPORTANT]
-          > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
+          > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
            
       - question: |
           Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
         answer: |
-          Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
+          Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
           
-          Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
+          Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
           
       - question: |
-          If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
+          If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
         answer: |
-          No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
+          No. By design, BitLocker recovery password entries don't get deleted from AD DS. Therefore, multiple passwords might be seen for each drive. To identify the latest password, check the date on the object.
 
       - question: |
           What happens if the backup initially fails? Will BitLocker retry it?
         answer: |
-          If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
+          If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.
           
-          When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+          When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
           
           For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
           
-          When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
+          When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
           
           
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index f19d80e906..a2047fc5a1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -4,26 +4,26 @@ description: This article for the IT professional explains how BitLocker feature
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker basic deployment
 
-**Applies to**
+**Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
-This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
 
 ## Using BitLocker to encrypt volumes
 
@@ -34,77 +34,148 @@ If the drive was prepared as a single contiguous space, BitLocker requires a new
 > [!NOTE]
 > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.
 
-BitLocker encryption can be done using the following methods:
+BitLocker encryption can be enabled and managed using the following methods:
 
--   BitLocker control panel
--   Windows Explorer
--   `manage-bde` command-line interface
--   BitLocker Windows PowerShell cmdlets
+- BitLocker control panel
+- Windows Explorer
+- `manage-bde.exe` command-line interface
+- BitLocker Windows PowerShell cmdlets
 
 ### Encrypting volumes using the BitLocker control panel
 
-Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
 
-To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
+To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume).
 
-### Operating system volume
+#### Operating system volume
 
-When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
+For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions:
 
-|Requirement|Description|
-|--- |--- |
-|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
-|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
-|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
-|BIOS configuration|<li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li>  <li> The firmware must be able to read from a USB flash drive during startup.</li>|
-|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
-|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
+1. When the **BitLocker Drive Encryption Wizard**  first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
 
-Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
-Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer can't access the drive.
+    |Requirement|Description|
+    |--- |--- |
+    |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
+    |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
+    |Hardware TPM|TPM version 1.2 or 2.0. <br><br> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
+    |UEFI firmware/BIOS configuration|<ul><li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li>  <li> The firmware must be able to read from a USB flash drive during startup.</li></ul>|
+    |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
+    |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
 
-You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
+    If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
 
--   Encrypt used disk space only - Encrypts only disk space that contains data
--   Encrypt entire drive - Encrypts the entire volume including free space
+2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped.
 
-It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option.
+3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the computer if:
 
-> [!NOTE]
-> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
+   - The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption
+   - BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up
 
-Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
+    A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive.
 
+    The recovery key can be stored using the following methods:
 
-After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
+   - **Save to your Azure AD account** (if applicable)
+   - **Save to a USB flash drive**
+   - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
+   - **Print the recovery key**
+
+   The recovery key can't be stored at the following locations:
+
+   - The drive being encrypted
+   - The root directory of a non-removable/fixed drive
+   - An encrypted volume
+
+    > [!TIP]
+    > Ideally, a computer's recovery key should be stored separate from the computer itself.
+
+    > [!NOTE]
+    > After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key.
+
+4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted:
+
+   - **Encrypt used disk space only** - Encrypts only disk space that contains data.
+   - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
+
+    Each of the methods is recommended in the following scenarios:
+
+     - **Encrypt used disk space only**:
+
+       - The drive has never had data
+       - Formatted or erased drives that in the past have never had confidential data that was never encrypted
+
+     - **Encrypt entire drive** (full disk encryption):
+
+       - Drives that currently have data
+       - Drives that currently have an operating system
+       - Formatted or erased drives that in the past had confidential data that was never encrypted
+
+    > [!IMPORTANT]
+    > Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
+
+5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
+
+   - **New encryption mode**
+   - **Compatible mode**
+
+    Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
+
+6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
+
+After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume.
+
+Users can check encryption status by checking the system notification area or the BitLocker control panel.
 
 Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
 
-### Data volume
+#### Data volume
 
-Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard.
-Unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked.
+Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**.
 
-After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
-With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected.
+1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed
 
-With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption.
+2. A choice of authentication methods to unlock the drive appears. The available options are:
+
+   - **Use a password to unlock the drive**
+   - **Use my smart card to unlock the drive**
+   - **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked.
+
+3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
+
+   - **Save to your Azure AD account** (if applicable)
+   - **Save to a USB flash drive**
+   - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
+   - **Print the recovery key**
+
+4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes:
+
+   - **Encrypt used disk space only** - Encrypts only disk space that contains data.
+   - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
+
+5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
+
+   - **New encryption mode**
+   - **Compatible mode**
+
+    Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
+
+6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption.
 
 Encryption status displays in the notification area or within the BitLocker control panel.
 
-### <a href="" id="-onedrive-option-"></a> OneDrive option
+### OneDrive option
 
-There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
+There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
 
-Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
+Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
 
 ### Using BitLocker within Windows Explorer
 
-Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
+Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
 
-## <a href="" id="bkmk-dep2"></a>Down-level compatibility
+## Down-level compatibility
 
-The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows.
+The following table shows the compatibility matrix for systems that have been BitLocker enabled and then presented to a different version of Windows.
 
 Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
 
@@ -115,67 +186,81 @@ Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8,
 |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
 |Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
 
-## <a href="" id="bkmk-dep3"></a>Encrypting volumes using the manage-bde command-line interface
+## Encrypting volumes using the `manage-bde.exe` command-line interface
 
-Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
+`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
-Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
+`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command.
 
 Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
 
-### Operating system volume
+### Operating system volume commands
 
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
 
-**Determining volume status**
+#### Determining volume status
 
-A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
+A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
 
-`manage-bde -status`
+`manage-bde.exe -status`
 
 This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
 
-**Enabling BitLocker without a TPM**
+#### Enabling BitLocker without a TPM
 
-For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process.
+Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption:
 
 ```powershell
-manage-bde –protectors -add C: -startupkey E:
-manage-bde -on C:
+manage-bde.exe -protectors -add C: -startupkey E:
+manage-bde.exe -on C:
 ```
 
-**Enabling BitLocker with a TPM only**
+If prompted, reboot the computer to complete the encryption process.
 
-It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command:
+#### Enabling BitLocker with a TPM only
 
-`manage-bde -on C:`
+It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command:
 
-This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command:
+```cmd
+manage-bde.exe -on C:
+```
 
-`manage-bde -protectors -get <volume>`
+This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command:
 
-**Provisioning BitLocker with two protectors**
+```cmd
+manage-bde.exe -protectors -get <volume>
+```
 
-Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
+#### Provisioning BitLocker with two protectors
 
-`manage-bde -protectors -add C: -pw -sid <user or group>`
+Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command:
 
-This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
+```cmd
+manage-bde.exe -protectors -add C: -pw -sid <user or group>
+```
 
-### Data volume
+This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
 
-Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
+### Data volume commands
 
-**Enabling BitLocker with a password**
+Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
 
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
+```cmd
+manage-bde.exe -on <drive letter>
+```
+
+Or users can choose to add protectors to the volume. It is recommended to add at least one primary protector and a recovery protector to a data volume.
+
+#### Enabling BitLocker with a password
+
+A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker.
 
 ```powershell
-manage-bde -protectors -add -pw C:
-manage-bde -on C:
+manage-bde.exe -protectors -add -pw C:
+manage-bde.exe -on C:
 ```
 
-## <a href="" id="bkmk-dep4"></a>Encrypting volumes using the BitLocker Windows PowerShell cmdlets
+## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
 
 Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
 
@@ -194,11 +279,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
 |**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
 |**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
 
-Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
+Similar to `manage-bde.exe`, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with `manage-bde.exe`, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
 
-A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
+A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume PowerShell cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
 
-Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
+Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If all of the protectors for a volume aren't seen, the Windows PowerShell pipe command (`|`) can be used to format a listing of the protectors.
 
 > [!NOTE]
 > In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
@@ -206,7 +291,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
 ```powershell
 Get-BitLockerVolume C: | fl
 ```
-If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
+
+If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed.
 A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:
 
 ```powershell
@@ -214,18 +300,18 @@ $vol = Get-BitLockerVolume
 $keyprotectors = $vol.KeyProtector
 ```
 
-Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
-Using this information, we can then remove the key protector for a specific volume using the command:
+Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command:
 
 ```powershell
 Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
 ```
+
 > [!NOTE]
 > The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command.
 
-### Operating system volume
+### Operating system volume PowerShell cmdlets
 
-Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
+Using the BitLocker Windows PowerShell cmdlets is similar to working with the `manage-bde.exe` tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
 
 To enable BitLocker with just the TPM protector, use this command:
 
@@ -239,11 +325,10 @@ The example below adds one additional protector, the StartupKey protectors, and
 Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
 ```
 
-### Data volume
+### Data volume PowerShell cmdlets
 
 Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
 
-
 ```powershell
 $pw = Read-Host -AsSecureString
 <user inputs password>
@@ -252,12 +337,12 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
 
 ### Using an SID-based protector in Windows PowerShell
 
-The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
+The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
 
 > [!WARNING]
-> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
+> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
 
-To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
+To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
 
 ```powershell
 Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
@@ -268,23 +353,25 @@ For users who wish to use the SID for the account or group, the first step is to
 ```powershell
 Get-ADUser -filter {samaccountname -eq "administrator"}
 ```
+
 > [!NOTE]
 > Use of this command requires the RSAT-AD-PowerShell feature.
 
 > [!TIP]
-> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features.
+> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features.
 
 In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
 
 ```powershell
 Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
 ```
+
 > [!NOTE]
 > Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
 
-## <a href="" id="bkmk-dep5"></a> Checking BitLocker status
+## Checking BitLocker status
 
-To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
+To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
 
 ### Checking BitLocker status with the control panel
 
@@ -297,21 +384,21 @@ Checking BitLocker status with the control panel is the most common method used
 | **Suspended** | BitLocker is suspended and not actively protecting the volume |
 | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
 
-If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
+If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
 
 Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
 The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
 
 Once BitLocker protector activation is completed, the completion notice is displayed.
 
-### Checking BitLocker status with manage-bde
+### Checking BitLocker status with `manage-bde.exe`
 
-Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
+Administrators who prefer a command-line interface can utilize `manage-bde.exe` to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, `manage-bde.exe` can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
 
-To check the status of a volume using manage-bde, use the following command:
+To check the status of a volume using `manage-bde.exe`, use the following command:
 
 ```powershell
-manage-bde -status <volume>
+manage-bde.exe -status <volume>
 ```
 
 > [!NOTE]
@@ -319,22 +406,23 @@ manage-bde -status <volume>
 
 ### Checking BitLocker status with Windows PowerShell
 
-Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
+Windows PowerShell commands offer another way to query BitLocker status for volumes. Like `manage-bde.exe`, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
 
 Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
 
 ```powershell
 Get-BitLockerVolume <volume> -Verbose | fl
 ```
-This command displays information about the encryption method, volume type, key protectors, etc.
+
+This command displays information about the encryption method, volume type, key protectors, and more.
 
 ### Provisioning BitLocker during operating system deployment
 
-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
 
 ### Decrypting BitLocker volumes
 
-Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We'll discuss each method further below.
+Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, `manage-bde.exe`, or Windows PowerShell cmdlets. We'll discuss each method further below.
 
 ### Decrypting volumes using the BitLocker control panel applet
 
@@ -345,22 +433,23 @@ The control panel doesn't report decryption progress but displays it in the noti
 
 Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
 
-### Decrypting volumes using the manage-bde command-line interface
+### Decrypting volumes using the `manage-bde.exe` command-line interface
 
-Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
+Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
 
 ```powershell
-manage-bde -off C:
+manage-bde.exe -off C:
 ```
+
 This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
 
 ```powershell
-manage-bde -status C:
+manage-bde.exe -status C:
 ```
 
 ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
 
-Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
+Decryption with Windows PowerShell cmdlets is straightforward, similar to `manage-bde.exe`. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
 
 Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
 
@@ -374,7 +463,7 @@ If a user didn't want to input each mount point individually, using the `-MountP
 Disable-BitLocker -MountPoint E:,F:,G:
 ```
 
-## See also
+## Related articles
 
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 0e827934c2..7a8377aceb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -1,66 +1,59 @@
 ---
 title: BitLocker Countermeasures (Windows 10)
-description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
+description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker Countermeasures
 
-**Applies to**
+**Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
-Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. 
-BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. 
-Data on a lost or stolen computer is vulnerable. 
-For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer’s hard disk to a different computer. 
+Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
 
 BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
 
-- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
-- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
- 
+- **Encrypting volumes on a computer.** For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive. or removable data drive (such as a USB flash drive, SD card, etc.) Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
+
+- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
+
 The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
 
-For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803 or Windows 11, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
+For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
 
 ## Protection before startup
 
-Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot.
+Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot.
 
 ### Trusted Platform Module
 
-A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. 
-On some platforms, TPM can alternatively be implemented as a part of secure firmware. 
-BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. 
-For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
+A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
 
 ### UEFI and secure boot
 
-Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. 
+Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
 
-The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). 
-Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. 
+The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
 
-By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. 
-An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
+By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
 
 ### BitLocker and reset attacks
 
-To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. 
+To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.
 
 >[!NOTE]
 >This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
@@ -71,89 +64,88 @@ The next sections cover pre-boot authentication and DMA policies that can provid
 
 ### Pre-boot authentication
 
-Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. 
-The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. 
+Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
 
-BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. 
-If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
+BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
 
-Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. 
-This helps mitigate DMA and memory remanence attacks.
+Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. This feature helps mitigate DMA and memory remanence attacks.
 
 On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
 
 - **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.  
+
 - **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
+
 - **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.  
+
 - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
 
 In the following group policy example, TPM + PIN is required to unlock an operating system drive:
 
 ![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png)
 
-Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. 
-Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. 
+Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
 
-On the other hand, Pre-boot authentication-prompts can be inconvenient to users. 
-In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. 
-Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. 
+On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
 
-To address these issues, you can deploy [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md). 
-Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. 
-It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.  
+To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.  
 
 ### Protecting Thunderbolt and other DMA ports
 
-There are a few different options to protect DMA ports, such as Thunderbolt™3. 
-Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. 
-This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS.  
+There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.  
 
-You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: 
+You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
 
 ![Kernel DMA protection.](images/kernel-dma-protection.png)
 
-If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports:
+If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
+
+1. Require a password for BIOS changes
 
-1. Require a password for BIOS changes 
 2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
+
 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
 
-    - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy 
+    - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
+
     - Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
 
-For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
-For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
- 
+For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
+
 ## Attack countermeasures
 
 This section covers countermeasures for specific types of attacks. 
 
 ### Bootkits and rootkits
 
-A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. 
-The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. 
+A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released.
 
-This is the default configuration.
+> [!NOTE]
+> BitLocker protects against this attack by default.
 
-A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. 
-Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. 
-Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
+A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
 
 ### Brute force attacks against a PIN
-Require TPM + PIN for anti-hammering protection. 
+
+Require TPM + PIN for anti-hammering protection.
 
 ### DMA attacks
 
 See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article.
 
 ### Paging file, crash dump, and Hyberfil.sys attacks
-These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. 
-It also blocks automatic or manual attempts to move the paging file.
+
+These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file.
 
 ### Memory remanence
 
-Enable secure boot and mandatorily prompt a password to change BIOS settings. 
-For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
+Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
+
+### Tricking BitLocker to pass the key to a rogue operating system
+
+An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
+ 
+An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
 
 ## Attacker countermeasures
 
@@ -161,12 +153,12 @@ The following sections cover mitigations for different types of attackers.
 
 ### Attacker without much skill or with limited physical access
 
-Physical access may be limited by a form factor that doesn't expose buses and memory. 
-For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. 
+Physical access may be limited by a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
 
-This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software. 
+This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
+
+Mitigation:
 
-Mitigation: 
 - Pre-boot authentication set to TPM only (the default)
 
 ### Attacker with skill and lengthy physical access
@@ -174,27 +166,32 @@ Mitigation:
 Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
 
 Mitigation:
+
 - Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
 
   -And-
 
-- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy:
+- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following Group Policy:
 
-  - Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu
-  - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in)
-  - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery)
+  - *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *File Explorer* > **Show hibernate in the power options menu**
 
-These settings are **Not configured** by default.
+  - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (plugged in)**
+
+  - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (on battery)**
+
+> [!IMPORTANT]
+> These settings are **not configured** by default.
 
 For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](./bitlocker-group-policy-settings.md) is:
 
-Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup
+- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup**
 
-This setting is **Not configured** by default.
+> [!IMPORTANT]
+> This setting is **not configured** by default.
 
 For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device.
 
-## See also 
+## Related articles
 
 - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
 - [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
index 2b9f32384a..39701f8123 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
@@ -4,23 +4,26 @@ metadata:
   description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?"
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
   ms.reviewer: 
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 02/28/2019
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: BitLocker frequently asked questions (FAQ)
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
 
 sections:
@@ -28,7 +31,7 @@ sections:
     questions:
       - question: Can BitLocker deployment be automated in an enterprise environment?
         answer: |
-          Yes, you can automate the deployment and configuration of BitLocker and the TPM using either WMI or Windows PowerShell scripts. How you choose to implement the scripts depends on your environment. You can also use Manage-bde.exe to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps).
+          Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps).
           
       - question: Can BitLocker encrypt more than just the operating system drive?
         answer: Yes.
@@ -38,58 +41,58 @@ sections:
 
       - question: How long will initial encryption take when BitLocker is turned on?
         answer: |
-          Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
+          Although BitLocker encryption occurs in the background while a user continues to work with the system remaining usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If encrypting large drives, encryption may want to be scheduled during times when the drive isn't being used.
           
-          You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
+          When BitLocker is enabled, BitLocker can also be set to encrypt the entire drive or just the used space on the drive. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
           
       - question: What happens if the computer is turned off during encryption or decryption?
-        answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.
+        answer: If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. BitLocker resuming encryption or decryption is true even if the power is suddenly unavailable.
 
       - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
-        answer: No, BitLocker does not encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they are requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
+        answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
 
       - question: How can I prevent users on a network from storing data on an unencrypted drive?
         answer: |
-          You can configure Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-          When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only.
+          Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+          When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
           
       - question: What is Used Disk Space Only encryption?
         answer: |
-          BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
+          BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
           
       - question: What system changes would cause the integrity check on my operating system drive to fail?
         answer: |
           The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
           
-          -   Moving the BitLocker-protected drive into a new computer.
-          -   Installing a new motherboard with a new TPM.
-          -   Turning off, disabling, or clearing the TPM.
-          -   Changing any boot configuration settings.
-          -   Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
+          - Moving the BitLocker-protected drive into a new computer.
+          - Installing a new motherboard with a new TPM.
+          - Turning off, disabling, or clearing the TPM.
+          - Changing any boot configuration settings.
+          - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
           
       - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
         answer: |
-          Because BitLocker is designed to protect your computer from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. 
+          Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. 
           For example: 
           
           - Changing the BIOS boot order to boot another drive in advance of the hard drive.
-          - Adding or removing hardware, such as inserting a new card in the computer, including some PCMIA wireless cards.
+          - Adding or removing hardware, such as inserting a new card in the computer.
           - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
           
           In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. 
-          The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
+          The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
           
       - question: What can prevent BitLocker from binding to PCR 7?
-        answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
+        answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it.
 
       - question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
-        answer: Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
+        answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
 
       - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
-        answer: Yes, if the drive is a data drive, you can unlock it from the **BitLocker Drive Encryption** Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
+        answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
 
-      - question: Why is "Turn BitLocker on" not available when I right-click a drive?
-        answer: Some drives cannot be encrypted with BitLocker. Reasons a drive cannot be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it is not created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but cannot be encrypted.
+      - question: Why is **Turn BitLocker on** not available when I right-click a drive?
+        answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted.
 
       - question: What type of disk configurations are supported by BitLocker?
         answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index 3811e7cb94..d3643ab0fe 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -3,60 +3,61 @@ title: BitLocker deployment comparison (Windows 10)
 description: This article shows the BitLocker deployment comparison chart.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: lovina-saldanha
-ms.author: v-lsaldanha
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 05/20/2021
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker deployment comparison
 
-**Applies to**
+**Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 This article depicts the BitLocker deployment comparison chart.
 
 ## BitLocker deployment comparison chart
 
-| Requirements |Microsoft Intune  |Microsoft Endpoint Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM) |
+| Requirements |Microsoft Intune  |Microsoft Configuration Manager  |Microsoft BitLocker Administration and Monitoring (MBAM) |
 |---------|---------|---------|---------|
-|Minimum client operating system version     |Windows 11 and Windows 10    | Windows 11, Windows 10, and Windows 8.1  | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11      |
-|Supported Windows SKUs     |    Enterprise, Pro, Education     |    Enterprise, Pro, Education     |     Enterprise    |
-|Minimum Windows version     |1909   |    None     |    None     |
-|Supported domain-joined status     |     Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined    |   Active Directory-joined, hybrid Azure AD joined      |     Active Directory-joined    |
-|Permissions required to manage policies     |    Endpoint security manager or custom     |   Full administrator or custom      |     Domain Admin or Delegated GPO access    |
-|Cloud or on premises      |     Cloud    |  On premises     |    On premises     |
+|*Minimum client operating system version*     |Windows 11 and Windows 10    | Windows 11, Windows 10, and Windows 8.1  | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11      |
+|*Supported Windows SKUs*    |    Enterprise, Pro, Education     |    Enterprise, Pro, Education     |     Enterprise    |
+|*Minimum Windows version*    |1909   |    None     |    None     |
+|*Supported domain-joined status*    |     Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined    |   Active Directory-joined, hybrid Azure AD joined      |     Active Directory-joined    |
+|*Permissions required to manage policies*     |    Endpoint security manager or custom     |   Full administrator or custom      |     Domain Admin or Delegated GPO access    |
+|*Cloud or on premises*      |     Cloud    |  On premises     |    On premises     |
 |Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Additional agent required?     |     No (device enrollment only)    |   Configuration Manager client      |     MBAM client    |
-|Administrative plane     | Microsoft Endpoint Manager admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
-|Administrative portal installation required     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Compliance reporting capabilities     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Force encryption     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Encryption for storage cards (mobile)      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |         |
-|Allow recovery password      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Manage startup authentication     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
-|Select cipher strength and algorithms for fixed drives      |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
-|Select cipher strength and algorithms for removable drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Select cipher strength and algorithms for operating environment drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
-|Standard recovery password storage location     |     Azure AD or Active Directory    |     Configuration Manager site database    |    MBAM database     |
-|Store recovery password for operating system and fixed drives to Azure AD or Active Directory     |    Yes (Active Directory and Azure AD)     | Yes (Active Directory only)      |   Yes (Active Directory only)      |
-|Customize preboot message and recovery link     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
-|Allow/deny key file creation     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
-|Deny Write permission to unprotected drives     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Can be administered outside company network     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |         |
-|Support for organization unique IDs     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
-|Self-service recovery      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Recovery password rotation for fixed and operating environment drives     |   Yes (Windows 10, version 1909 and later or Windows 11)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Wait to complete encryption until recovery information is backed up to Azure AD      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |       |        |
-|Wait to complete encryption until recovery information is backed up to Active Directory      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Allow or deny Data Recovery Agent     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Unlock a volume using certificate with custom object identifier     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
-|Prevent memory overwrite on restart     |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Configure custom Trusted Platform Module Platform Configuration Register profiles     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
-|Manage auto-unlock functionality     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
+|*Additional agent required?*     |     No (device enrollment only)    |   Configuration Manager client      |     MBAM client    |
+|*Administrative plane*     | Microsoft Endpoint Manager admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
+|*Administrative portal installation required*     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|*Compliance reporting capabilities*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|*Force encryption*     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|*Encryption for storage cards (mobile)*      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |         |
+|*Allow recovery password*      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|*Manage startup authentication*     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+|*Select cipher strength and algorithms for fixed drives*      |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|*Select cipher strength and algorithms for removable drives*     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|*Select cipher strength and algorithms for operating environment drives*     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|*Standard recovery password storage location*     |     Azure AD or Active Directory    |     Configuration Manager site database    |    MBAM database     |
+|*Store recovery password for operating system and fixed drives to Azure AD or Active Directory*     |    Yes (Active Directory and Azure AD)     | Yes (Active Directory only)      |   Yes (Active Directory only)      |
+|*Customize preboot message and recovery link*     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|*Allow/deny key file creation*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|*Deny Write permission to unprotected drives*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|*Can be administered outside company network*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |         |
+|*Support for organization unique IDs*     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+|*Self-service recovery*      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|*Recovery password rotation for fixed and operating environment drives*     |   Yes (Windows 10, version 1909 and later)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|*Wait to complete encryption until recovery information is backed up to Azure AD*      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |       |        |
+|*Wait to complete encryption until recovery information is backed up to Active Directory*      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|*Allow or deny Data Recovery Agent*     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|*Unlock a volume using certificate with custom object identifier*     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+|*Prevent memory overwrite on restart*    |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|*Configure custom Trusted Platform Module Platform Configuration Register profiles*     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
+|*Manage auto-unlock functionality*     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 5b84d41717..82fb89a4d8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -3,55 +3,57 @@ title: Overview of BitLocker Device Encryption in Windows
 description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 03/10/2022
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # Overview of BitLocker Device Encryption in Windows
 
-**Applies to**
--   Windows 10
--   Windows 11
--   Windows Server 2016 and later 
+**Applies to:**
 
-This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). 
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
-When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
+This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles.
 
-Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
+When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
 
-**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**
+## Data Protection in Windows 11, Windows 10, and Windows 7
 
-| Windows 7 | Windows 11 and Windows 10 |
+The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
+
+
+| Windows 7 | Windows 11 and Windows 10 |
 |---|---|
 | When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
 | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
 | There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
 | Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
 | Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
-| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. |
-| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. | 
+| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the PIN or password is lost. |
+| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
 
 ## Prepare for drive and file encryption
 
-The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid.
-Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
+The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's a strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that's a scenario that organizations need to avoid. Whether planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet these needs by providing streamlined, usable solutions. In fact, several steps can be taken in advance to prepare for data encryption and make the deployment quick and smooth.
 
 ### TPM pre-provisioning
 
-In Windows 7, preparing the TPM for use offered a couple of challenges:
+In Windows 7, preparing the TPM offered a few challenges:
 
-* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows.
-* When you enable the TPM, it may require one or more restarts.
+- Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device to turn on the TPM, or to install a driver in Windows to turn on the TPM from within Windows.
+- When the TPM is enabled, it may require one or more restarts.
 
-Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
+This made preparing the TPM in Windows 7 problematic. If IT staff are provisioning new PCs, they can handle the required steps for preparing a TPM. However, if BitLocker needed to be enabled on devices that are already in users' hands, those users would probably struggle with the technical challenges. The user would then either call to IT for support or leave BitLocker disabled.
 
 Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
 
@@ -61,65 +63,83 @@ BitLocker is capable of encrypting entire hard drives, including both system and
 
 With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
 
-## BitLocker device encryption 
+## BitLocker Device Encryption
 
-Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.
+Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.
 
-Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption.
+Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
 
-Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
+Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically:
 
-* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer.  The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
-* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
-* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
-* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
+- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer.  The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
 
-Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
-- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker
-- **Value**: PreventDeviceEncryption equal to True (1)
-- **Type**: REG\_DWORD
+- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
 
-Administrators can manage domain-joined devices that have BitLocker device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
+- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS:
+
+  *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**
+  
+  With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
+
+- Similar to signing in with a domain account, the clear key is removed when the user signs in to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
+
+Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
+
+- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`
+- **Type**: `REG_DWORD`
+- **Value**: `PreventDeviceEncryption` equal to `1` (True)
+
+Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
 
 > [!NOTE]
-> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied.
+> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied.
 
 ## Used Disk Space Only encryption
 
-BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
-But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
-Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
+BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including areas that didn't have data. Encrypting every byte on the volume including areas that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused.
+
+To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty won't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent.
+
+Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
 
 ## Encrypted hard drive support
 
-SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
-Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use,  whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
-For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).
+SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
+
+Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements.
+
+For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md).
 
 ## Preboot information protection
 
 An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
+
 It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
-Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
+
+Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
 
 ## Manage passwords and PINs
 
-When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files.
+When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
+
+Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
 
-Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
 Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
+
 For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
 
 ## Configure Network Unlock
 
-Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
+Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
 
 Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
 Network Unlock requires the following infrastructure:
 
-* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
-* A server running at least Windows Server 2012 with the Windows deployment services role
-* A server with the DHCP server role installed
+- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
+
+- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role
+
+- A server with the DHCP server role installed
 
 For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
 
@@ -127,21 +147,31 @@ For more information about how to configure Network unlock feature, see [BitLock
 
 Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
 
-* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
-* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
-* Provides centralized reporting and hardware management with Microsoft Endpoint Configuration Manager.
-* Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
-* Enables end users to recover encrypted devices independently by using the Self-Service Portal.
-* Enables security officers to easily audit access to recovery key information.
-* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
-* Enforces the BitLocker encryption policy options that you set for your enterprise.
-* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
-* Offers an IT-customizable recovery user experience.
-* Supports Windows 11 and Windows 10.
+- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
+
+- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
+
+- Provides centralized reporting and hardware management with Microsoft Configuration Manager.
+
+- Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
+
+- Enables end users to recover encrypted devices independently by using the Self-Service Portal.
+
+- Enables security officers to easily audit access to recovery key information.
+
+- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
+
+- Enforces the BitLocker encryption policy options that are set for the enterprise.
+
+- Integrates with existing management tools, such as Microsoft Configuration Manager.
+
+- Offers an IT-customizable recovery user experience.
+
+- Supports Windows 11 and Windows 10.
 
 > [!IMPORTANT]
 > Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
 
-Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
+Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).
 
-Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
+Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 3f48006d72..46ab64d09d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -4,37 +4,40 @@ metadata:
   description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker.
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
   ms.reviewer: 
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection:
     - M365-security-compliance
     - highpri
   ms.topic: faq
-  ms.date: 02/28/2019
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: BitLocker frequently asked questions (FAQ) resources
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
-  This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
+  This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
   
-  -   [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
-  -   [Upgrading](bitlocker-upgrading-faq.yml)
-  -   [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
-  -   [Key management](bitlocker-key-management-faq.yml)
-  -   [BitLocker To Go](bitlocker-to-go-faq.yml)
-  -   [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
-  -   [Security](bitlocker-security-faq.yml)
-  -   [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
-  -   [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)
+  - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
+  - [Upgrading](bitlocker-upgrading-faq.yml)
+  - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
+  - [Key management](bitlocker-key-management-faq.yml)
+  - [BitLocker To Go](bitlocker-to-go-faq.yml)
+  - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
+  - [Security](bitlocker-security-faq.yml)
+  - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
+  - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)
   
   
 
@@ -44,11 +47,11 @@ sections:
       - question: |
           More information
         answer: |
-          -   [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-          -   [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
-          -   [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
-          -   [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-          -   [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
-          -   [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
-          -   [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
-          -   [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
+          - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
+          - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
+          - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
+          - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+          - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
+          - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
+          - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
+          - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 8f2e37d39f..a082bdcca9 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -4,37 +4,42 @@ description: This article for IT professionals describes the function, location,
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 04/17/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker group policy settings
 
 **Applies to:**
 
-- Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
 
-To control the drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed.
+Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
 
 > [!NOTE]
 > A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md).
 
-BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**.
-Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance.
+BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
 
-If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group
-Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
+Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with Group Policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. This scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in Group Policy settings.
 
-## <a href="" id="bkmk-gptop"></a>BitLocker group policy settings
+If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. This situation could occur, for example, if a removable drive is initially configured for unlock with a password but then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the Group Policy setting, and BitLocker protection on the drive can be resumed.
+
+In other scenarios, to bring the drive into compliance with a change in Group Policy settings, BitLocker may need to be disabled and the drive decrypted followed by reenabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance.
+
+## BitLocker group policy settings details
 
 > [!NOTE]
 > For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
@@ -43,290 +48,281 @@ The following sections provide a comprehensive list of BitLocker group policy se
 
 The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
 
--   [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
--   [Allow network unlock at startup](#bkmk-netunlock)
--   [Require additional authentication at startup](#bkmk-unlockpol1)
--   [Allow enhanced PINs for startup](#bkmk-unlockpol2)
--   [Configure minimum PIN length for startup](#bkmk-unlockpol3)
--   [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
--   [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
--   [Configure use of passwords for operating system drives](#bkmk-ospw)
--   [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
--   [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5)
--   [Configure use of passwords on fixed data drives](#bkmk-unlockpol6)
--   [Configure use of smart cards on removable data drives](#bkmk-unlockpol7)
--   [Configure use of passwords on removable data drives](#bkmk-unlockpol8)
--   [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9)
--   [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates)
+- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#allow-devices-with-secure-boot-and-protected-dma-ports-to-opt-out-of-preboot-pin)
+- [Allow network unlock at startup](#allow-network-unlock-at-startup)
+- [Require additional authentication at startup](#require-additional-authentication-at-startup)
+- [Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)
+- [Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup)
+- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
+- [Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password)
+- [Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives)
+- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#require-additional-authentication-at-startup-windows-server-2008-and-windows-vista)
+- [Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives)
+- [Configure use of passwords on fixed data drives](#configure-use-of-passwords-on-fixed-data-drives)
+- [Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives)
+- [Configure use of passwords on removable data drives](#configure-use-of-passwords-on-removable-data-drives)
+- [Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)
+- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)
 
 The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers.
 
--   [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1)
--   [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2)
--   [Control use of BitLocker on removable drives](#bkmk-driveaccess3)
+- [Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker)
+- [Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker)
+- [Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives)
 
 The following policy settings determine the encryption methods and encryption types that are used with BitLocker.
 
--   [Choose drive encryption method and cipher strength](#bkmk-encryptmeth)
--   [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd)
--   [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd)
--   [Configure use of hardware-based encryption for removable data drives](#bkmk-hderdd)
--   [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd)
--   [Enforce drive encryption type on operating system drives](#bkmk-detypeosd)
--   [Enforce drive encryption type on removable data drives](#bkmk-detyperdd)
+- [Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)
+- [Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives)
+- [Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives)
+- [Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives)
+- [Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives)
+- [Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)
+- [Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives)
 
 The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
 
--   [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1)
--   [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2)
--   [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3)
--   [Choose default folder for recovery password](#bkmk-rec4)
--   [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6)
--   [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7)
--   [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot)
+- [Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
+- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#choose-how-users-can-recover-bitlocker-protected-drives-windows-server-2008-and-windows-vista)
+- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#store-bitlocker-recovery-information-in-active-directory-domain-services-windows-server-2008-and-windows-vista)
+- [Choose default folder for recovery password](#choose-default-folder-for-recovery-password)
+- [Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
+- [Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
+- [Configure the pre-boot recovery message and URL](#configure-the-pre-boot-recovery-message-and-url)
 
-The following policies are used to support customized deployment scenarios in your organization.
+The following policies are used to support customized deployment scenarios in an organization.
 
--   [Allow Secure Boot for integrity validation](#bkmk-secboot)
--   [Provide the unique identifiers for your organization](#bkmk-depopt1)
--   [Prevent memory overwrite on restart](#bkmk-depopt2)
--   [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios)
--   [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3)
--   [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi)
--   [Reset platform validation data after BitLocker recovery](#bkmk-resetrec)
--   [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd)
--   [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
--   [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
+- [Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation)
+- [Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)
+- [Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)
+- [Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)
+- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#configure-tpm-platform-validation-profile-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2)
+- [Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)
+- [Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)
+- [Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)
+- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-fixed-data-drives-from-earlier-versions-of-windows)
+- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-removable-data-drives-from-earlier-versions-of-windows)
 
-### <a href="" id="bkmk-hstioptout"></a>Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
+### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.|
-|**Introduced**|Windows 10, version 1703, or Windows 11|
+|**Policy description**|With this policy setting, TPM-only protection can be allowed for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.|
+|**Introduced**|Windows 10, version 1703|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
-|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
+|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy on compliant hardware.|
 |**When enabled**|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.|
-|**When disabled or not configured**|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.|
+|**When disabled or not configured**|The options of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy apply.|
 
-**Reference**
+#### Reference: Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
 
-The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN.
+The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN.
 This setting enables an exception to the PIN-required policy on secure hardware.
 
-### <a href="" id="bkmk-netunlock"></a>Allow network unlock at startup
+### Allow network unlock at startup
 
 This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
 
 This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.|
+|**Policy description**|With this policy setting, it can be controlled whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
 |**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.|
-|**When disabled or not configured**|Clients can't create and use Network Key Protectors|
+|**When disabled or not configured**|Clients can't create and use Network Key Protectors.|
 
-**Reference**
+#### Reference: Allow network unlock at startup
 
-To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock.
+To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock.
 
 > [!NOTE]
 > For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup.
 
 For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
 
-### <a href="" id="bkmk-unlockpol1"></a>Require additional authentication at startup
+### Require additional authentication at startup
 
 This policy setting is used to control which unlock options are available for operating system drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.|
+|**Policy description**|With this policy setting, it can be configured whether BitLocker requires additional authentication each time the computer starts and whether BitLocker will be used with a Trusted Platform Module (TPM). This policy setting is applied when BitLocker is turned on.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.|
 |**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.|
-|**When disabled or not configured**|Users can configure only basic options on computers with a TPM. <p> Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.|
+|**When disabled or not configured**|Users can configure only basic options on computers with a TPM. <br><br>Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.|
 
-**Reference**
+#### Reference: Require additional authentication at startup
 
-If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
+If BitLocker needs to be used on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
 
 On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
 
--   Only the TPM
--   Insertion of a USB flash drive containing the startup key
--   The entry of a 4-digit to 20-digit personal identification number (PIN)
--   A combination of the PIN and the USB flash drive
+- Only the TPM
+- Insertion of a USB flash drive containing the startup key
+- The entry of a 4-digit to 20-digit personal identification number (PIN)
+- A combination of the PIN and the USB flash drive
 
 There are four options for TPM-enabled computers or devices:
 
--   Configure TPM startup
+- Configure TPM startup
+  - Allow TPM
+  - Require TPM
+  - Do not allow TPM
+- Configure TPM startup PIN
 
-    -   Allow TPM
-    -   Require TPM
-    -   Do not allow TPM
--   Configure TPM startup PIN
+  - Allow startup PIN with TPM
+  - Require startup PIN with TPM
+  - Do not allow startup PIN with TPM
 
-    -   Allow startup PIN with TPM
-    -   Require startup PIN with TPM
-    -   Do not allow startup PIN with TPM
--   Configure TPM startup key
+- Configure TPM startup key
+  - Allow startup key with TPM
+  - Require startup key with TPM
+  - Do not allow startup key with TPM
 
-    -   Allow startup key with TPM
-    -   Require startup key with TPM
-    -   Do not allow startup key with TPM
--   Configure TPM startup key and PIN
+- Configure TPM startup key and PIN
+  - Allow TPM startup key with PIN
+  - Require startup key and PIN with TPM
+  - Do not allow TPM startup key with PIN
 
-    -   Allow TPM startup key with PIN
-    -   Require startup key and PIN with TPM
-    -   Do not allow TPM startup key with PIN
+### Allow enhanced PINs for startup
 
-### <a href="" id="bkmk-unlockpol2"></a>Allow enhanced PINs for startup
+This policy setting permits the use of enhanced PINs when an unlock method that includes a PIN is used.
 
-This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN.
-
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.|
+|**Policy description**|With this policy setting, it can be configured whether enhanced startup PINs are used with BitLocker.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
 |**When enabled**|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.|
-|**When disabled or not configured**|Enhanced PINs will not be used.|
+|**When disabled or not configured**|Enhanced PINs won't be used.|
 
-**Reference**
+#### Reference: Allow enhanced PINs for startup
 
-Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker.
+Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when BitLocker is turned on.
 
 > [!IMPORTANT]
 > Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
 
-### <a href="" id="bkmk-unlockpol3"></a>Configure minimum PIN length for startup
+### Configure minimum PIN length for startup
 
-This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN.
+This policy setting is used to set a minimum PIN length when an unlock method that includes a PIN is used.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.|
+|**Policy description**|With this policy setting, it can be configured a minimum length for a TPM startup PIN. This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
-|**When enabled**|You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.|
+|**When enabled**|The required minimum length of startup PINs set by users can be set between 4 and 20 digits.|
 |**When disabled or not configured**|Users can configure a startup PIN of any length between 6 and 20 digits.|
 
-**Reference**
+#### Reference: Configure minimum PIN length for startup
 
-This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
+This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
 
-Originally, BitLocker allowed a length from 4 to 20 characters for a PIN.
-Windows Hello has its own PIN for logon, length of which can be 4 to 127 characters.
-Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
 
 The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
 
-The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
-For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
-A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
-This totals a maximum of about 4415 guesses per year.
-If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
 
-Increasing the PIN length requires a greater number of guesses for an attacker.
-In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
 
-Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello.
-To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters.
-If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
 
 ### Disable new DMA devices when this computer is locked
 
-This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
+This policy setting allows blocking of direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
 |**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.|
-|**Introduced**|Windows 10, version 1703, or Windows 11|
+|**Introduced**|Windows 10, version 1703|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
 |**Conflicts**|None|
 |**When enabled**|Every time the user locks the scree, DMA will be blocked on hot pluggable PCI ports until the user signs in again.|
 |**When disabled or not configured**|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
 
-**Reference**
+#### Reference: Disable new DMA devices when this computer is locked
 
 This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](/archive/blogs/secguide/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105).
 
-### <a href="" id="bkmk-dpinchange"></a>Disallow standard users from changing the PIN or password
+### Disallow standard users from changing the PIN or password
 
-This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
+This policy setting allows configuration of whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.|
+|**Policy description**|With this policy setting, it can be configured whether standard users are allowed to change the PIN or password used to protect the operating system drive.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
 |**When enabled**|Standard users aren't allowed to change BitLocker PINs or passwords.|
 |**When disabled or not configured**|Standard users are permitted to change BitLocker PINs or passwords.|
 
-**Reference**
+#### Reference: Disallow standard users from changing the PIN or password
 
-To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when you turn on BitLocker.
+To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when BitLocker is turned on.
 
-### <a href="" id="bkmk-ospw"></a>Configure use of passwords for operating system drives
+### Configure use of passwords for operating system drives
 
 This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.|
+|**Policy description**|With this policy setting, the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker can be specified.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
-|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled. <p><br/> **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.|
-|**When enabled**|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
+|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.<br/><div class="alert"> **NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS-compliance is enabled.</div>|
+|**When enabled**|Users can configure a password that meets the defined requirements. To enforce complexity requirements for the password, select **Require complexity**.|
 |**When disabled or not configured**|The default length constraint of eight characters will apply to operating system drive passwords and no complexity checks will occur.|
 
-**Reference**
+#### Reference: Configure use of passwords for operating system drives
 
-If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**, must be also enabled.
+If non-TPM protectors are allowed on operating system drives, a password, enforcement of complexity requirements on the password, and configuration of a minimum length for the password can all be provisioned. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must be also enabled.
 
 > [!NOTE]
 > These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
 
-When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation.
+When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there's no password complexity validation.
+
 Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
 
-When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to:
+When this policy setting is enabled, the option **Configure password complexity for operating system drives** can be set to:
 
--   Allow password complexity
--   Deny password complexity
--   Require password complexity
+- Allow password complexity
+- Deny password complexity
+- Require password complexity
 
-### <a href="" id="bkmk-unlockpol4"></a>Require additional authentication at startup (Windows Server 2008 and Windows Vista)
+### Require additional authentication at startup (Windows Server 2008 and Windows Vista)
 
 This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.|
+|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.|
 |**Introduced**|Windows Server 2008 and Windows Vista|
 |**Drive type**|Operating system drives (Windows Server 2008 and Windows Vista)|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
-|**Conflicts**|If you choose to require an additional authentication method, other authentication methods can't be allowed.|
-|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
+|**Conflicts**|If an additional authentication method is chosen, other authentication methods can't be allowed.|
+|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. Setting options can be further configured for computers with or without a TPM.|
 |**When disabled or not configured**|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.|
 
-**Reference**
+#### Reference: Require additional authentication at startup (Windows Server 2008 and Windows Vista)
 
 On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can prompt users to insert a USB drive that contains a startup key. It can also prompt users to enter a startup PIN with a length between 6 and 20 digits.
 
@@ -334,57 +330,56 @@ A USB drive that contains a startup key is needed on computers without a compati
 
 There are two options for TPM-enabled computers or devices:
 
--   Configure TPM startup PIN
+- Configure TPM startup PIN
+  - Allow startup PIN with TPM
+  - Require startup PIN with TPM
+  - Do not allow startup PIN with TPM
 
-    -   Allow startup PIN with TPM
-    -   Require startup PIN with TPM
-    -   Do not allow startup PIN with TPM
--   Configure TPM startup key
+- Configure TPM startup key
+  - Allow startup key with TPM
+  - Require startup key with TPM
+  - Do not allow startup key with TPM
 
-    -   Allow startup key with TPM
-    -   Require startup key with TPM
-    -   Do not allow startup key with TPM
-
-These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur.
+These options are mutually exclusive. If a startup key is required, a startup PIN isn't allowed. If startup PIN is required, startup key isn't allowed. If these policies are in conflict, a policy error will occur.
 
 To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN.
 
-### <a href="" id="bkmk-unlockpol5"></a>Configure use of smart cards on fixed data drives
+### Configure use of smart cards on fixed data drives
 
 This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.|
+|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Fixed data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
-|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.|
-|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on fixed data drives** check box.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
+|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting may need to be modified to match the object identifier of the smart card certificates.|
+|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on fixed data drives** check box.|
 |**When disabled**|Users can't use smart cards to authenticate their access to BitLocker-protected fixed data drives.|
 |**When not configured**|Smart cards can be used to authenticate user access to a BitLocker-protected drive.|
 
-**Reference**
+#### Reference: Configure use of smart cards on fixed data drives
 
 > [!NOTE]
 > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
 
-### <a href="" id="bkmk-unlockpol6"></a>Configure use of passwords on fixed data drives
+### Configure use of passwords on fixed data drives
 
 This policy setting is used to require, allow, or deny the use of passwords with fixed data drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.|
+|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected fixed data drives.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Fixed data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
 |**Conflicts**|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.|
-|**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
+|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
 |**When disabled**|The user isn't allowed to use a password.|
 |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.|
 
-**Reference**
+#### Reference: Configure use of passwords on fixed data drives
 
 When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled.
 
@@ -397,53 +392,51 @@ Passwords must be at least eight characters. To configure a greater minimum leng
 > [!NOTE]
 > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
 
-For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled.
-This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector can't be added to the drive.
+For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** > **Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. The policy setting also applies to both local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if a local user account signs in, and a drive is attempted to be encrypted or a password changed on an existing BitLocker-protected drive, an **Access denied** error message is displayed. In this situation, the password key protector can't be added to the drive.
 
-Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
+Enabling this policy setting requires that a device is connected to a domain before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they'll be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
 
 > [!IMPORTANT]
-> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
+> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS compliance is enabled.
 
-### <a href="" id="bkmk-unlockpol7"></a>Configure use of smart cards on removable data drives
+### Configure use of smart cards on removable data drives
 
 This policy setting is used to require, allow, or deny the use of smart cards with removable data drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.|
+|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Removable data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
-|**Conflicts**|To use smart cards with BitLocker, you may also need to modify the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting to match the object identifier of your smart card certificates.|
-|**When enabled**|Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the **Require use of smart cards on removable data drives** check box.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
+|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration** > **Administrative Templates** > **BitLocker Drive Encryption** > **Validate smart card certificate usage rule compliance** policy setting may also need to be modified to match the object identifier of the smart card certificates.|
+|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on removable data drives** check box.|
 |**When disabled or not configured**|Users aren't allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.|
 |**When not configured**|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.|
 
-**Reference**
+#### Reference: Configure use of smart cards on removable data drives
 
 > [!NOTE]
 > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
 
-### <a href="" id="bkmk-unlockpol8"></a>Configure use of passwords on removable data drives
+### Configure use of passwords on removable data drives
 
 This policy setting is used to require, allow, or deny the use of passwords with removable data drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.|
+|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected removable data drives.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Removable data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
 |**Conflicts**|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.|
-|**When enabled**|Users can configure a password that meets the requirements you define. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
+|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
 |**When disabled**|The user isn't allowed to use a password.|
 |**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.|
 
-**Reference**
+#### Reference: Configure use of passwords on removable data drives
 
-If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at
-**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**, must also be enabled.
+If use of passwords is allowed, requiring a password to be used, enforcement of password complexity requirements, and password minimum length can all be configured. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must also be enabled.
 
 > [!NOTE]
 > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
@@ -452,32 +445,32 @@ Passwords must be at least eight characters. To configure a greater minimum leng
 
 When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password.
 
-When set to **Allow complexity**, a connection to a domain controller is be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector.
+When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector.
 
 When set to **Do not allow complexity**, no password complexity validation is done.
 
 > [!NOTE]
-> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.
+> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled.
 
 For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
 
-### <a href="" id="bkmk-unlockpol9"></a>Validate smart card certificate usage rule compliance
+### Validate smart card certificate usage rule compliance
 
 This policy setting is used to determine what certificate to use with BitLocker.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.|
+|**Policy description**|With this policy setting, an object identifier from a smart card certificate can be associated to a BitLocker-protected drive.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Fixed and removable data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
 |**Conflicts**|None|
 |**When enabled**|The object identifier that is specified in the **Object identifier** setting must match the object identifier in the smart card certificate.|
 |**When disabled or not configured**|The default object identifier is used.|
 
-**Reference**
+#### Reference: Validate smart card certificate usage rule compliance
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
 The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting.
 
@@ -486,138 +479,143 @@ The default object identifier is 1.3.6.1.4.1.311.67.1.1.
 > [!NOTE]
 > BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
 
-### <a href="" id="bkmk-slates"></a>Enable use of BitLocker authentication requiring preboot keyboard input on slates
+### Enable use of BitLocker authentication requiring preboot keyboard input on slates
 
-### <a href="" id="bkmk-slates"></a>Enable use of BitLocker authentication requiring pre-boot keyboard input on slates
-
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.|
+|**Policy description**|With this policy setting, users can be allowed to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drive|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
 |**When enabled**|Devices must have an alternative means of preboot input (such as an attached USB keyboard).|
 |**When disabled or not configured**|The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.|
 
-**Reference**
+#### Reference: Enable use of BitLocker authentication requiring preboot keyboard input on slates
 
 The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
 
 It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
 
-When the Windows Recovery Environment isn't enabled and this policy isn't enabled, you can't turn on BitLocker on a device that uses the Windows touch keyboard.
+When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, BitLocker can't be turned on a device that uses the Windows touch keyboard.
 
-If you don't enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available:
+If this policy setting isn't enabled, the following options in the **Require additional authentication at startup** policy might not be available:
 
--   Configure TPM startup PIN: Required and Allowed
--   Configure TPM startup key and PIN: Required and Allowed
--   Configure use of passwords for operating system drives
+- Configure TPM startup PIN: Required and Allowed
+- Configure TPM startup key and PIN: Required and Allowed
+- Configure use of passwords for operating system drives
 
-### <a href="" id="bkmk-driveaccess1"></a>Deny write access to fixed drives not protected by BitLocker
+### Deny write access to fixed drives not protected by BitLocker
 
 This policy setting is used to require encryption of fixed drives prior to granting Write access.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.|
+|**Policy description**|With this policy setting, it can be set whether BitLocker protection is required for fixed data drives to be writable on a computer.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Fixed data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
 |**Conflicts**|See the Reference section for a description of conflicts.|
 |**When enabled**|All fixed data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.|
 |**When disabled or not configured**|All fixed data drives on the computer are mounted with Read and Write access.|
 
-**Reference**
+#### Reference: Deny write access to fixed drives not protected by BitLocker
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
 Conflict considerations include:
 
-1.  When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts.
-2.  If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues:
+1. When this policy setting is enabled, users receive **Access denied** error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts.
 
-    -   If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
-    -   If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
-    -   If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."
+2. If `BdeHdCfg.exe` is run on a computer when this policy setting is enabled, the following issues could be encountered:
 
-3.  If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers.
+    - If it was attempted to shrink a drive to create the system drive, the drive size is successfully reduced, and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.**
 
-### <a href="" id="bkmk-driveaccess2"></a>Deny write access to removable drives not protected by BitLocker
+    - If it was attempted to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition won't be formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.**
+
+    - If it was attempted to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: **BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker.**
+
+3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If computers are being upgrading in an organization from a previous version of Windows, and those computers were configured with a single partition, the required BitLocker system partition should be created before applying this policy setting to the computers.
+
+### Deny write access to removable drives not protected by BitLocker
 
 This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.|
+|**Policy description**|With this policy setting, it can be configured whether BitLocker protection is required for a computer to be able to write data to a removable data drive.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Removable data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
 |**Conflicts**|See the Reference section for a description of conflicts.|
 |**When enabled**|All removable data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.|
 |**When disabled or not configured**|All removable data drives on the computer are mounted with Read and Write access.|
 
-**Reference**
+#### Reference: Deny write access to removable drives not protected by BitLocker
 
 If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it's checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
 
 > [!NOTE]
-> You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
+> This policy setting can be overridden with the policy settings under **User Configuration** > **Administrative Templates** > **System** > **Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
 
 Conflict considerations include:
 
-1.  Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
-2.  Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
-3.  You must enable the **Provide the unique identifiers for your organization** policy setting if you want to deny Write access to drives that were configured in another organization.
+1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
 
-### <a href="" id="bkmk-driveaccess3"></a>Control use of BitLocker on removable drives
+2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
+
+3. The **Provide the unique identifiers for your organization** policy setting must be enabled if Write access needs to be denied to drives that were configured in another organization.
+
+### Control use of BitLocker on removable drives
 
 This policy setting is used to prevent users from turning BitLocker on or off on removable data drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control the use of BitLocker on removable data drives.|
+|**Policy description**|With this policy setting, it can be controlled the use of BitLocker on removable data drives.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Removable data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
 |**Conflicts**|None|
-|**When enabled**|You can select property settings that control how users can configure BitLocker.|
+|**When enabled**|Property settings can be selected that control how users can configure BitLocker.|
 |**When disabled**|Users can't use BitLocker on removable data drives.|
 |**When not configured**|Users can use BitLocker on removable data drives.|
 
-**Reference**
+#### Reference: Control use of BitLocker on removable drives
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
 For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md).
 
 The options for choosing property settings that control how users can configure BitLocker are:
 
--   **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive.
--   **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
+- **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive.
 
-### <a href="" id="bkmk-encryptmeth"></a>Choose drive encryption method and cipher strength
+- **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
+
+### Choose drive encryption method and cipher strength
 
 This policy setting is used to control the encryption method and cipher strength.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control the encryption method and strength for drives.|
+|**Policy description**|With this policy setting, it can be controlled the encryption method and strength for drives.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|All drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
 |**Conflicts**|None|
-|**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.|
-|**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11,  BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. 
+|**When enabled**|An encryption algorithm and key cipher strength for BitLocker can be chosen to use to encrypt drives.|
+|**When disabled or not configured**|Beginning with Windows 10, version 1511,  BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script.
 
-**Reference**
+#### Reference: Choose drive encryption method and cipher strength
 
-The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
-Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
+The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
 
-If you enable this setting, you can configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
-For fixed and operating system drives, we recommend that you use the XTS-AES algorithm.
-For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511 or later, or Windows 11.
+If this setting is enabled, it can be configured an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
+
+- For fixed and operating system drives, it's recommended to use the XTS-AES algorithm.
+
+- For removable drives, AES-CBC 128-bit or AES-CBC 256-bit should be used if the drive will be used in other devices that aren't running Windows 10, version 1511 or later.
 
 Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
 
@@ -626,171 +624,171 @@ Changing the encryption method has no effect if the drive is already encrypted o
 
 When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script.
 
-### <a href="" id="bkmk-hdefxd"></a>Configure use of hardware-based encryption for fixed data drives
+### Configure use of hardware-based encryption for fixed data drives
 
 This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
+|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Fixed data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
 |**Conflicts**|None|
-|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
 |**When disabled**|BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
 |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
 
-**Reference**
+#### Reference: Configure use of hardware-based encryption for fixed data drives
 
 > [!NOTE]
 > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
 
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
+The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
 
--   Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
--   AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
+- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
+- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
 
-### <a href="" id="bkmk-hdeosd"></a>Configure use of hardware-based encryption for operating system drives
+### Configure use of hardware-based encryption for operating system drives
 
 This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.|
+|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on operating system drives and specifies which encryption algorithms it can use with hardware-based encryption.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
-|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
 |**When disabled**|BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
 |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
 
-**Reference**
+#### Reference: Configure use of hardware-based encryption for operating system drives
 
 If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
 
 > [!NOTE]
 > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
 
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
+The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
 
--   Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
--   AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
+- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
+- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
 
-### <a href="" id="bkmk-hderdd"></a>Configure use of hardware-based encryption for removable data drives
+### Configure use of hardware-based encryption for removable data drives
 
 This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.|
+|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on removable data drives and specifies which encryption algorithms it can use with hardware-based encryption.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Removable data drive|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
 |**Conflicts**|None|
-|**When enabled**|You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
+|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
 |**When disabled**|BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
 |**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
 
-**Reference**
+#### Reference: Configure use of hardware-based encryption for removable data drives
 
 If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
 
 > [!NOTE]
 > The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
 
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
+The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
 
--   Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
--   AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
+- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
+- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
 
-### <a href="" id="bkmk-detypefdd"></a>Enforce drive encryption type on fixed data drives
+### Enforce drive encryption type on fixed data drives
 
 This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.|
+|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Fixed data drive|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
 |**Conflicts**|None|
 |**When enabled**|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
 |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
 
-**Reference**
+#### Reference: Enforce drive encryption type on fixed data drives
 
-This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
+This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
 
 > [!NOTE]
-> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+> This policy is ignored when a volume is being shrunk or expanded and the BitLocker drive uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
 
 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
-### <a href="" id="bkmk-detypeosd"></a>Enforce drive encryption type on operating system drives
+### Enforce drive encryption type on operating system drives
 
 This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.|
+|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drive|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
 |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
 |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
 
-**Reference**
+#### Reference: Enforce drive encryption type on operating system drives
 
-This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
+This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
 
 > [!NOTE]
-> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
 
 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
-### <a href="" id="bkmk-detyperdd"></a>Enforce drive encryption type on removable data drives
+### Enforce drive encryption type on removable data drives
 
 This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure the encryption type that is used by BitLocker.|
+|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Removable data drive|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
 |**Conflicts**|None|
 |**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
 |**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
 
-**Reference**
+#### Reference: Enforce drive encryption type on removable data drives
 
-This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
+This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
 
 > [!NOTE]
-> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
 
 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
-### <a href="" id="bkmk-rec1"></a>Choose how BitLocker-protected operating system drives can be recovered
+### Choose how BitLocker-protected operating system drives can be recovered
 
 This policy setting is used to configure recovery methods for operating system drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.|
+|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
-|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.|
-|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
+|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.|
+|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected operating system drives.|
 |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
 
-**Reference**
+#### Reference: Choose how BitLocker-protected operating system drives can be recovered
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
 The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.
 
@@ -798,377 +796,380 @@ For more information about adding data recovery agents, see [BitLocker basic dep
 
 In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
 
-Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for
-the drive are determined by the policy setting.
+Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting.
 
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If **Store recovery password and key packages** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If **Store recovery password only** is selected, only the recovery password is stored in AD DS.
 
-Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if users need to be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
 
 > [!NOTE]
 > If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated.
 
-### <a href="" id="bkmk-rec2"></a>Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
+### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
 
 This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.|
+|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.|
 |**Introduced**|Windows Server 2008 and Windows Vista|
 |**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
-|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the **Do not allow** option for both user recovery options, you must enable the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting to prevent a policy error.|
-|**When enabled**|You can configure the options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
+|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If the **Do not allow** option is chosen for both user recovery options, the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting must be enabled to prevent a policy error.|
+|**When enabled**|The options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data can be configured.|
 |**When disabled or not configured**|The BitLocker Setup Wizard presents users with ways to store recovery options.|
 
-**Reference**
+#### Reference: Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
 
-This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.
+This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when BitLocker is turned on.
 
 Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key.
 
-Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving the recovery password to a folder stores the 48-digit recovery password as a text file. Printing the recovery password sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder.
+- Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file.
+- Saving the recovery password to a folder stores the 48-digit recovery password as a text file.
+- Printing the recovery password sends the 48-digit recovery password to the default printer.
+
+For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder.
 
 > [!IMPORTANT]
 > If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.
 > The 48-digit recovery password isn't available in FIPS-compliance mode.
 
 > [!IMPORTANT]
-> To prevent data loss, you must have a way to recover BitLocker encryption keys. If you don't allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs.
+> To prevent data loss, there must be a way to recover BitLocker encryption keys. If both recovery options are not allowed, backup of BitLocker recovery information to AD DS must be enabled. Otherwise, a policy error occurs.
 
-### <a href="" id="bkmk-rec3"></a>Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
+### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
 
-This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information.
+This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.|
+|**Policy description**|This policy setting allows management of the AD DS backup of BitLocker Drive Encryption recovery information.|
 |**Introduced**|Windows Server 2008 and Windows Vista|
 |**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
 |**Conflicts**|None|
 |**When enabled**|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.|
 |**When disabled or not configured**|BitLocker recovery information isn't backed up to AD DS.|
 
-**Reference**
+#### Reference: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
 
 This policy is only applicable to computers running Windows Server 2008 or Windows Vista.
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
-BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted.
+BitLocker recovery information includes the recovery password and unique identifier data. A package that contains an encryption key for a BitLocker-protected drive can also be included. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted.
 
-If you select **Require BitLocker backup to AD DS**, BitLocker can't be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible.
+If **Require BitLocker backup to AD DS** is selected, BitLocker can't be turned on unless the computer is connected to the domain, and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible.
 
-A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.
+A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.
 
 If the **Require BitLocker backup to AD DS** option isn't selected, AD DS backup is attempted, but network or other backup failures don't prevent the BitLocker setup. The Backup process isn't automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup.
-TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up.
+TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services** to ensure that TPM information is also backed up.
 
 For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings).
 
-### <a href="" id="bkmk-rec4"></a>Choose default folder for recovery password
+### Choose default folder for recovery password
 
 This policy setting is used to configure the default folder for recovery passwords.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.|
+|**Policy description**|With this policy setting, the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password can be specified.|
 |**Introduced**|Windows Vista|
 |**Drive type**|All drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
 |**Conflicts**|None|
-|**When enabled**|You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.|
+|**When enabled**|The path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder can be specified. A fully qualified path can be specified. The target computer's environment variables can also be included in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.|
 |**When disabled or not configured**|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.|
 
-**Reference**
+#### Reference: Choose default folder for recovery password
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
 > [!NOTE]
 > This policy setting doesn't prevent the user from saving the recovery password in another folder.
 
-### <a href="" id="bkmk-rec6"></a>Choose how BitLocker-protected fixed drives can be recovered
+### Choose how BitLocker-protected fixed drives can be recovered
 
 This policy setting is used to configure recovery methods for fixed data drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.|
+|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Fixed data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
-|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|
-|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
+|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.|
+|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected fixed data drives.|
 |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
 
-**Reference**
+#### Reference: Choose how BitLocker-protected fixed drives can be recovered
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
 The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.
 
 In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
 
-Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
+Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting.
 
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
-Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the `Repair-bde` command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, the `Repair-bde.exe` command-line tool can be used. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS.
 
 For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde).
 
-Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
 
 > [!NOTE]
 > If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
 
-### <a href="" id="bkmk-rec7"></a>Choose how BitLocker-protected removable drives can be recovered
+### Choose how BitLocker-protected removable drives can be recovered
 
 This policy setting is used to configure recovery methods for removable data drives.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.|
+|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected removable data drives are recovered in the absence of the required credentials.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Removable data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
-|**Conflicts**|You must disallow the use of recovery keys if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.|
-|**When enabled**|You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
+|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. </br> </br>When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.|
+|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected removable data drives.|
 |**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
 
-**Reference**
+#### Reference: Choose how BitLocker-protected removable drives can be recovered
 
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when BitLocker is turned on.
 
 The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor.
 
 In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password.
 
-Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
+Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting.
 
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS.
 
-Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
+Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
 
 > [!NOTE]
 > If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
 
-### <a href="" id="bkmk-configurepreboot"></a>Configure the pre-boot recovery message and URL
+### Configure the pre-boot recovery message and URL
 
 This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.|
+|**Policy description**|With this policy setting, it can be configured the BitLocker recovery screen to display a customized message and URL.|
 |**Introduced**|Windows|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > *Configure pre-boot recovery message and URL*|
 |**Conflicts**|None|
-|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the **Use default recovery message and URL** option.|
+|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If a custom recovery message and URL has been previously enabled and the message and URL need to be reverted back to the default message and URL, the policy setting must be enabled and the **Use default recovery message and URL** option selected.|
 |**When disabled or not configured**|If the setting hasn't been previously enabled, then the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is later disabled, then the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.|
 
-**Reference**
+#### Reference: Configure the pre-boot recovery message and URL
 
-Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key.
+Enabling the **Configure the pre-boot recovery message and URL** policy setting allows customization of the default recovery screen message and URL to assist customers in recovering their key.
 
-Once you enable the setting, you have three options:
+Once the setting is enabled, three options are available:
 
--   If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
--   If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
--   If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen.
+- If the **Use default recovery message and URL** option is selected, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
+- If the **Use custom recovery message** option is selected, enter the custom message in the **Custom recovery message option** text box. The message that is entered in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
+- If the **Use custom recovery URL** option is selected, enter the custom message URL in the **Custom recovery URL option** text box. The URL that is entered in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen.
 
 > [!IMPORTANT]
-> Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
+> Not all characters and languages are supported in the pre-boot environment. It is strongly recommended to verify the correct appearance of the characters that are used for the custom message and URL on the pre-boot recovery screen.
 
 > [!IMPORTANT]
-> Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you can't return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.
+> Because BCDEdit commands can be altered manually before Group Policy settings have been set, the policy setting can't be returned to the default setting by selecting the **Not Configured** option after this policy setting has been configured. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.
 
-### <a href="" id="bkmk-secboot"></a>Allow Secure Boot for integrity validation
+### Allow Secure Boot for integrity validation
 
 This policy controls how BitLocker-enabled system volumes are handled with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.|
+|**Policy description**|With this policy setting, it can be configured whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|All drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
-|**Conflicts**|If you enable **Allow Secure Boot for integrity validation**, make sure the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting isn't enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation. <P> For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
+|**Conflicts**|If **Allow Secure Boot for integrity validation** is enabled, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting isn't enabled, or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation. <BR><BR> For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.|
 |**When enabled or not configured**|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.|
 |**When disabled**|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.|
 
-**Reference**
+#### Reference: Allow Secure Boot for integrity validation
 
 Secure boot ensures that the computer's pre-boot environment loads only firmware that is digitally signed by authorized software publishers. Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
+
 When this policy is enabled and the hardware is capable of using secure boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** group policy setting is ignored, and secure boot verifies BCD settings according to the secure boot policy setting, which is configured separately from BitLocker.
 
 > [!WARNING]
-> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates.
+> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If this policy is disabled, suspend BitLocker prior to applying firmware updates.
 
-### <a href="" id="bkmk-depopt1"></a>Provide the unique identifiers for your organization
+### Provide the unique identifiers for your organization
 
-This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization.
+This policy setting is used to establish an identifier that is applied to all drives that are encrypted in an organization.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.|
+|**Policy description**|With this policy setting, unique organizational identifiers can be associated to a new drive that is enabled with BitLocker.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|All drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
 |**Conflicts**|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it's identical to the value that is configured on the computer.|
-|**When enabled**|You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.|
+|**When enabled**|The identification field on the BitLocker-protected drive and any allowed identification field that is used by an organization can be configured.|
 |**When disabled or not configured**|The identification field isn't required.|
 
-**Reference**
+#### Reference: Provide the unique identifiers for your organization
 
-These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
+These identifiers are stored as the identification field and the allowed identification field. The identification field allows association of a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
 
 An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field's value on the drive matches the value that is configured for the identification field.
 
 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
 
-The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in your organization. It's a comma-separated list of identification fields from your organization or external organizations.
+The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in an organization. It's a comma-separated list of identification fields from an internal organization or external organizations.
 
-You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
+The identification fields on existing drives can be configured by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
 
 When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization.
 
 Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value upto 260 characters.
 
-### <a href="" id="bkmk-depopt2"></a>Prevent memory overwrite on restart
+### Prevent memory overwrite on restart
 
 This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.|
+|**Policy description**|With this policy setting, it can be controlled computer restart performance at the risk of exposing BitLocker secrets.|
 |**Introduced**|Windows Vista|
 |**Drive type**|All drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
 |**Conflicts**|None|
-|**When enabled**|The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.|
+|**When enabled**|The computer won't overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.|
 |**When disabled or not configured**|BitLocker secrets are removed from memory when the computer restarts.|
 
-**Reference**
+#### Reference: Prevent memory overwrite on restart
 
-This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled.
+This policy setting is applied when BitLocker is turned on. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled.
 
-### <a href="" id="bkmk-tpmbios"></a>Configure TPM platform validation profile for BIOS-based firmware configurations
+### Configure TPM platform validation profile for BIOS-based firmware configurations
 
 This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.|
+|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
-|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
+|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
 |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
 
-**Reference**
+#### Reference: Configure TPM platform validation profile for BIOS-based firmware configurations
 
 This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.
 
 > [!IMPORTANT]
 > This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
 
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:
+A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
 
--   Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
--   Option ROM Code (PCR 2)
--   Master Boot Record (MBR) Code (PCR 4)
--   NTFS Boot Sector (PCR 8)
--   NTFS Boot Block (PCR 9)
--   Boot Manager (PCR 10)
--   BitLocker Access Control (PCR 11)
+- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
+- Option ROM Code (PCR 2)
+- Master Boot Record (MBR) Code (PCR 4)
+- NTFS Boot Sector (PCR 8)
+- NTFS Boot Block (PCR 9)
+- Boot Manager (PCR 10)
+- BitLocker Access Control (PCR 11)
 
 > [!NOTE]
-> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
 
 The following list identifies all of the available PCRs:
 
--   PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions
--   PCR 1: Platform and motherboard configuration and data.
--   PCR 2: Option ROM code
--   PCR 3: Option ROM data and configuration
--   PCR 4: Master Boot Record (MBR) code
--   PCR 5: Master Boot Record (MBR) partition table
--   PCR 6: State transition and wake events
--   PCR 7: Computer manufacturer-specific
--   PCR 8: NTFS boot sector
--   PCR 9: NTFS boot block
--   PCR 10: Boot manager
--   PCR 11: BitLocker access control
--   PCR 12-23: Reserved for future use
+- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions
+- PCR 1: Platform and motherboard configuration and data.
+- PCR 2: Option ROM code
+- PCR 3: Option ROM data and configuration
+- PCR 4: Master Boot Record (MBR) code
+- PCR 5: Master Boot Record (MBR) partition table
+- PCR 6: State transition and wake events
+- PCR 7: Computer manufacturer-specific
+- PCR 8: NTFS boot sector
+- PCR 9: NTFS boot block
+- PCR 10: Boot manager
+- PCR 11: BitLocker access control
+- PCR 12-23: Reserved for future use
 
-### <a href="" id="bkmk-depopt3"></a>Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
+### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
 
 This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.|
+|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.|
 |**Introduced**|Windows Server 2008 and Windows Vista|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
-|**When enabled**|You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
+|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
 |**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
 
-**Reference**
+#### Reference: Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
 
 This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
 
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:
+A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
 
--   Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
--   Option ROM Code (PCR 2)
--   Master Boot Record (MBR) Code (PCR 4)
--   NTFS Boot Sector (PCR 8)
--   NTFS Boot Block (PCR 9)
--   Boot Manager (PCR 10)
--   BitLocker Access Control (PCR 11)
+- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
+- Option ROM Code (PCR 2)
+- Master Boot Record (MBR) Code (PCR 4)
+- NTFS Boot Sector (PCR 8)
+- NTFS Boot Block (PCR 9)
+- Boot Manager (PCR 10)
+- BitLocker Access Control (PCR 11)
 
 > [!NOTE]
 > The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.
 
 The following list identifies all of the available PCRs:
 
--   PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
--   PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
--   PCR 2: Option ROM code
--   PCR 3: Option ROM data and configuration
--   PCR 4: Master Boot Record (MBR) code or code from other boot devices
--   PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table
--   PCR 6: State transition and wake events
--   PCR 7: Computer manufacturer-specific
--   PCR 8: NTFS boot sector
--   PCR 9: NTFS boot block
--   PCR 10: Boot manager
--   PCR 11: BitLocker access control
--   PCR 12 - 23: Reserved for future use
+- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
+- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
+- PCR 2: Option ROM code
+- PCR 3: Option ROM data and configuration
+- PCR 4: Master Boot Record (MBR) code or code from other boot devices
+- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table
+- PCR 6: State transition and wake events
+- PCR 7: Computer manufacturer-specific
+- PCR 8: NTFS boot sector
+- PCR 9: NTFS boot block
+- PCR 10: Boot manager
+- PCR 11: BitLocker access control
+- PCR 12 - 23: Reserved for future use
 
 > [!WARNING]
-> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
 
-### <a href="" id="bkmk-tpmvaluefi"></a>Configure TPM platform validation profile for native UEFI firmware configurations
+### Configure TPM platform validation profile for native UEFI firmware configurations
 
 This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.|
+|**Policy description**|With this policy setting, it can be configured how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
-|**Conflicts**|Setting this policy with PCR 7 omitted, overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. <br/><p> If your environments use TPM and Secure Boot for platform integrity checks, this policy is configured. <p> For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.|
-|**When enabled**|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
+|**Conflicts**|Setting this policy with PCR 7 omitted overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. <BR><BR> If an environment uses TPM and Secure Boot for platform integrity checks, this policy is configured. <BR><BR> For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.|
+|**When enabled**|Before BitLocker is turned on, the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
 |**When disabled or not configured**|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
 
-**Reference**
+#### Reference: Configure TPM platform validation profile for native UEFI firmware configurations
 
 This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
 
@@ -1179,161 +1180,160 @@ A platform validation profile consists of a set of PCR indices ranging from 0 to
 
 The following list identifies all of the available PCRs:
 
--   PCR 0: Core System Firmware executable code
--   PCR 1: Core System Firmware data
--   PCR 2: Extended or pluggable executable code
--   PCR 3: Extended or pluggable firmware data
--   PCR 4: Boot Manager
--   PCR 5: GPT/Partition Table
--   PCR 6: Resume from S4 and S5 Power State Events
--   PCR 7: Secure Boot State
+- PCR 0: Core System Firmware executable code
+- PCR 1: Core System Firmware data
+- PCR 2: Extended or pluggable executable code
+- PCR 3: Extended or pluggable firmware data
+- PCR 4: Boot Manager
+- PCR 5: GPT/Partition Table
+- PCR 6: Resume from S4 and S5 Power State Events
+- PCR 7: Secure Boot State
 
-    For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.
+    For more information about this PCR, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.
 
--   PCR 8: Initialized to 0 with no Extends (reserved for future use)
--   PCR 9: Initialized to 0 with no Extends (reserved for future use)
--   PCR 10: Initialized to 0 with no Extends (reserved for future use)
--   PCR 11: BitLocker access control
--   PCR 12: Data events and highly volatile events
--   PCR 13: Boot Module Details
--   PCR 14: Boot Authorities
--   PCR 15 – 23: Reserved for future use
+- PCR 8: Initialized to 0 with no Extends (reserved for future use)
+- PCR 9: Initialized to 0 with no Extends (reserved for future use)
+- PCR 10: Initialized to 0 with no Extends (reserved for future use)
+- PCR 11: BitLocker access control
+- PCR 12: Data events and highly volatile events
+- PCR 13: Boot Module Details
+- PCR 14: Boot Authorities
+- PCR 15 - 23: Reserved for future use
 
 > [!WARNING]
-> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
 
-### <a href="" id="bkmk-resetrec"></a>Reset platform validation data after BitLocker recovery
+### Reset platform validation data after BitLocker recovery
 
-This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
+This policy setting determines if platform validation data should refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.|
+|**Policy description**|With this policy setting, it can be controlled whether platform validation data is refreshed when Windows is started following a BitLocker recovery.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|None|
 |**When enabled**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
 |**When disabled**|Platform validation data isn't refreshed when Windows is started following a BitLocker recovery.|
 |**When not configured**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
 
-**Reference**
+#### Reference: Reset platform validation data after BitLocker recovery
 
 For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md).
 
-### <a href="" id="bkmk-enbcd"></a>Use enhanced Boot Configuration Data validation profile
+### Use enhanced Boot Configuration Data validation profile
 
 This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.|
+|**Policy description**|With this policy setting, Boot Configuration Data (BCD) settings to verify during platform validation can be specified.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
 |**Conflicts**|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).|
-|**When enabled**|You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.|
+|**When enabled**|Additional BCD settings can be added and specified BCD settings can be excluded. Also a customized BCD validation profile can be created by combining inclusion and exclusion lists. The customized BCD validation profile gives the ability to verify BCD settings.|
 |**When disabled**|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.|
 |**When not configured**|The computer verifies the default BCD settings in Windows.|
 
-**Reference**
+#### Reference: Use enhanced Boot Configuration Data validation profile
 
 > [!NOTE]
 > The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it's included in the inclusion or the exclusion list.
 
-### <a href="" id="bkmk-depopt4"></a>Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
+### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
 
 This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and whether BitLocker To Go Reader can be installed on the drive.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).|
+|**Policy description**|With this policy setting, it can be configured whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Fixed data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
 |**Conflicts**|None|
 |**When enabled and When not configured**|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
 |**When disabled**|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
 
-**Reference**
+#### Reference: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
 
 > [!NOTE]
 > This policy setting doesn't apply to drives that are formatted with the NTFS file system.
 
 When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.
 
-### <a href="" id="bkmk-depopt5"></a>Allow access to BitLocker-protected removable data drives from earlier versions of Windows
+### Allow access to BitLocker-protected removable data drives from earlier versions of Windows
 
 This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
-|**Policy description**|With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.|
+|**Policy description**|With this policy setting, it can be configured whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.|
 |**Introduced**|Windows Server 2008 R2 and Windows 7|
 |**Drive type**|Removable data drives|
-|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
+|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
 |**Conflicts**|None|
 |**When enabled and When not configured**|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
 |**When disabled**|Removable data drives that are formatted with the FAT file system that are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
 
-**Reference**
+#### Reference: Allow access to BitLocker-protected removable data drives from earlier versions of Windows
 
 > [!NOTE]
 > This policy setting doesn't apply to drives that are formatted with the NTFS file system.
 
-When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that don't have BitLocker To Go Reader installed.
+When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista or Windows XP that don't have BitLocker To Go Reader installed.
 
 ## FIPS setting
 
-You can configure the Federal Information Processing Standard (FIPS) setting for FIPS compliance. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.
+The Federal Information Processing Standard (FIPS) setting for FIPS compliance can be configured. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.
 
-|    | &nbsp; |
+|  Item  | Info |
 |:---|:---|
 |**Policy description**|Notes|
 |**Introduced**|Windows Server 2003 with SP1|
 |**Drive type**|System-wide|
-|**Policy path**|Local Policies\Security Options\System cryptography: **Use FIPS compliant algorithms for encryption, hashing, and signing**|
+|**Policy path**|*Local Policies* > *Security Options* > *System cryptography*: **Use FIPS compliant algorithms for encryption, hashing, and signing**|
 |**Conflicts**|Some applications, such as Terminal Services, don't support FIPS-140 on all operating systems.|
-|**When enabled**|Users will be unable to save a recovery password to any location. This includes AD DS and network folders. Also, you can't use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.|
+|**When enabled**|Users will be unable to save a recovery password to any location. This policy setting includes AD DS and network folders. Also, WMI or the BitLocker Drive Encryption Setup wizard can't be used to create a recovery password.|
 |**When disabled or not configured**|No BitLocker encryption key is generated|
 
-**Reference**
+### Reference: FIPS setting
 
 This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
 
-You can save the optional recovery key to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy.
+The optional recovery key can be saved to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy.
 
-You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures.
+The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures.
 
 For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
 
 ## Power management group policy settings: Sleep and Hibernate
 
-PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised.
+PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system's battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. Not needing to reauthenticate when resuming from Sleep might lead to conditions where data security is compromised.
 
 However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
 
-You can disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states:
+To disable all available sleep states, disable the Group Policy settings located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management** :
 
--   Allow Standby States (S1-S3) When Sleeping (Plugged In)
--   Allow Standby States (S1-S3) When Sleeping (Battery)
+- **Allow Standby States (S1-S3) When Sleeping (Plugged In)**
+- **Allow Standby States (S1-S3) When Sleeping (Battery)**
 
-## <a href="" id="bkmk-pcr"></a>About the Platform Configuration Register (PCR)
+## About the Platform Configuration Register (PCR)
 
 A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system.
 
-Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
 
-**About PCR 7**
+### About PCR 7
 
-PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This
-reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration.
+PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This process reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides with greater flexibility to manage the preboot configuration.
 
 PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).
 
 PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
 
-## See also
+## Related articles
 
 - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
 - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
index 17dd8a1f09..bdf2e0b538 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@@ -4,55 +4,73 @@ description: This article for the IT professional explains how to deploy BitLock
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker: How to deploy on Windows Server 2012 and later
 
-> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
+**Applies to:**
+
+- Windows Server 2012
+- Windows Server 2012 R2
+- Windows Server 2016 and above
 
 This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
 
-## <a href="" id="installing-bitlocker-"></a>Installing BitLocker
+## Installing BitLocker
 
-### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using server manager
+### To install BitLocker using server manager
 
-1.  Open server manager by selecting the server manager icon or running servermanager.exe.
-2.  Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
-3.  With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
-4.  Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
-5.  Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
-6.  Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
- **Note**: Server roles and features are installed by using the same wizard in Server Manager.
-7.  Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If you don't want to install these features, deselect the **Include management tools 
-** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
+1. Open server manager by selecting the server manager icon or running servermanager.exe.
 
-    > **Note:**      The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
-     
-8.  Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
-9.  If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
+2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
 
-### <a href="" id="bkmk-blinstallwps"></a>To install BitLocker using Windows PowerShell
+3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
 
-Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules don't always share feature name parity. Because of this, it's advisable to confirm the feature or role name prior to installation.
+4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
+
+5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
+
+6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
+
+   > [!NOTE]
+   > Server roles and features are installed by using the same wizard in Server Manager.
+
+7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**.
+
+   > [!NOTE]
+   > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
+
+8. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
+
+9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
+
+10. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
+
+### To install BitLocker using Windows PowerShell
+
+Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism.exe` module. However, the `servermanager` and `dism.exe` modules don't always share feature name parity. Because of this mismatch of feature name parity, it's advisable to confirm the feature or role name prior to installation.
+
+> [!NOTE]
+> The server must be restarted to complete the installation of BitLocker.
 
->**Note:**  You must restart the server to complete the installation of BitLocker.
- 
 ### Using the servermanager module to install BitLocker
 
-The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. 
+The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
 
-By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. This can be seen using the `-WhatIf` option in Windows PowerShell.
+By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
 
 ```powershell
 Install-WindowsFeature BitLocker -WhatIf
 ```
+
 The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
 
 To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command:
@@ -63,13 +81,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -
 
 The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
 
--   BitLocker Drive Encryption
--   BitLocker Drive Encryption Tools
--   BitLocker Drive Encryption Administration Utilities
--   BitLocker Recovery Password Viewer
--   AD DS Snap-Ins and Command-Line Tools
--   AD DS Tools
--   AD DS and AD LDS Tools
+- BitLocker Drive Encryption
+- BitLocker Drive Encryption Tools
+- BitLocker Drive Encryption Administration Utilities
+- BitLocker Recovery Password Viewer
+- AD DS Snap-Ins and Command-Line Tools
+- AD DS Tools
+- AD DS and AD LDS Tools
 
 The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:
 
@@ -77,19 +95,20 @@ The command to complete a full installation of the BitLocker feature with all av
 Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
 ```
 
->**Important:**  Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
- 
+> [!IMPORTANT]
+> Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
+
 ### Using the dism module to install BitLocker
 
-The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module doesn't support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
+The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
 
 ```powershell
 Get-WindowsOptionalFeature -Online | ft
 ```
 
-From this output, we can see that there are three BitLocker-related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items.
+From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
 
-To install BitLocker using the `dism` module, use the following command:
+To install BitLocker using the `dism.exe` module, use the following command:
 
 ```powershell
 Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
@@ -100,7 +119,8 @@ This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cm
 ```powershell
 Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
 ```
-## More information
+
+## Related articles
 
 - [BitLocker overview](bitlocker-overview.md)
 - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 88e19c407b..dd8cc3e8c7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -4,93 +4,99 @@ description: This article for the IT professional describes how BitLocker Networ
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
-# BitLocker: How to enable network unlock
+# BitLocker: How to enable Network Unlock
 
-**Applies to**
+**Applies to:**
 
 - Windows 10
 - Windows 11
 - Windows Server 2016 and above
 
-This topic describes how BitLocker network unlock works and how to configure it.
+This article describes how BitLocker Network Unlock works and how to configure it.
 
-Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware.
-Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
+Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
 
-Network unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
+Network Unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
 
-## <a href="" id="bkmk-nunlockcorereqs"></a>Network unlock core requirements
+## Network Unlock core requirements
 
 Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
 
--   Windows 8 or Windows Server 2012 as the current operating system.
--   Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients.
--   Network Unlock clients with a TPM chip and at least one TPM protector.
--   A server running the Windows Deployment Services (WDS) role on any supported server operating system.
--   BitLocker Network Unlock optional feature installed on any supported server operating system.
--   A DHCP server, separate from the WDS server.
--   Properly configured public/private key pairing.
--   Network Unlock group policy settings configured.
-
-The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus; therefore, you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
+- Currently supported Windows operating system
+- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients
+- Network Unlock clients with a TPM chip and at least one TPM protector
+- A server running the Windows Deployment Services (WDS) role on any supported server operating system
+- BitLocker Network Unlock optional feature installed on any supported server operating system
+- A DHCP server, separate from the WDS server
+- Properly configured public/private key pairing
+- Network Unlock group policy settings configured
+- Network stack enabled in the UEFI firmware of client devices
 
 > [!NOTE]
 > To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
 
-On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock. 
+For Network Unlock to work reliably on computers, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This first network adapter must be used for Network Unlock. This configuration is especially worth noting when the device has multiple adapters, and some adapters are configured without DHCP, such as for use with a lights-out management protocol. This configuration is necessary because Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
 
-For network unlock to work reliably on computers running Windows 8 and later versions, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and must be used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because network unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
- 
 The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
 
-Network unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service must be running on the server.
+Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server.
 
 The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
 
-## <a href="" id="bkmk-networkunlockseq"></a>Network Unlock sequence
+## Network Unlock sequence
 
-The unlock sequence starts on the client side when the Windows boot manager detects the existence of network unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
+The unlock sequence starts on the client side when the Windows boot manager detects the existence of Network Unlock protector. It uses the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
 
-On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming network unlock requests. You can also configure the provider with subnet restrictions, which would require that the IP address provided by the client in the network unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive.
+On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive.
 
 The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
 
 Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
 
-![Diagram showing the BitLocker network unlock sequence.](images/bitlockernetworkunlocksequence.png)
+![Diagram showing the BitLocker Network Unlock sequence.](images/bitlockernetworkunlocksequence.png)
 
 The Network Unlock process follows these phases:
 
-1.  The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
-2.  The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
-3.  The client computer broadcasts a vendor-specific DHCP request that contains: 
-    1.  A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the network unlock certificate from the WDS server.
-    2.  An AES-256 session key for the reply.
-4.  The Network Unlock provider on the WDS server recognizes the vendor-specific request.
-5.  The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
-6.  The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
-7.  The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
-8.  This combined key is used to create an AES-256 key that unlocks the volume.
-9.  Windows continues the boot sequence.
+1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
 
-## <a href="" id="bkmk-configuringnetworkunlock"></a>Configure network unlock
+2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
 
-The following steps allow an administrator to configure network unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
+3. The client computer broadcasts a vendor-specific DHCP request that contains:
 
-### <a href="" id="bkmk-installwdsrole"></a>Install the WDS server role
+    1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
 
-The BitLocker network unlock feature installs the WDS role if it is not already installed. If you want to install it separately before you install BitLocker network unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
+    2. An AES-256 session key for the reply.
+
+4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
+
+5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
+
+6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
+
+7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
+
+8. This combined key is used to create an AES-256 key that unlocks the volume.
+
+9. Windows continues the boot sequence.
+
+## Configure Network Unlock
+
+The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
+
+### Install the WDS server role
+
+The BitLocker Network Unlock feature installs the WDS role if it isn't already installed. WDS can be installed separately before BitLocker Network Unlock is installed by using **Server Manager** or **Windows PowerShell**. To install the role using Server Manager, select the **Windows Deployment Services** role in **Server Manager**.
 
 To install the role by using Windows PowerShell, use the following command:
 
@@ -98,94 +104,132 @@ To install the role by using Windows PowerShell, use the following command:
 Install-WindowsFeature WDS-Deployment
 ```
 
-You must configure the WDS server so that it can communicate with DHCP (and optionally AD DS) and the client computer. You can configure using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration wizard.
+The WDS server must be configured so that it can communicate with DHCP (and optionally AD DS) and the client computer. The WDS server can be configured using the WDS management tool, `wdsmgmt.msc`, which starts the Windows Deployment Services Configuration wizard.
 
-### <a href="" id="bkmk-confirmwdsrunning"></a>Confirm the WDS service is running
+### Confirm the WDS service is running
 
-To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
+To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using `services.msc` and check the status of the Windows Deployment Services service.
 
 To confirm that the service is running using Windows PowerShell, use the following command:
 
 ```powershell
 Get-Service WDSServer
 ```
-### <a href="" id="bkmk-installnufeature"></a>Install the Network Unlock feature
 
-To install the network unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
+### Install the Network Unlock feature
+
+To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
 
 To install the feature by using Windows PowerShell, use the following command:
 
 ```powershell
 Install-WindowsFeature BitLocker-NetworkUnlock
 ```
-### <a href="" id="bkmk-createcerttmpl"><a/>Create the certificate template for Network Unlock
+
+### Create the certificate template for Network Unlock
 
 A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
 
-1.  Open the Certificates Template snap-in (certtmpl.msc).
-2.  Locate the User template, right-click the template name and select **Duplicate Template**.
-3.  On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected.
-4.  Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option.
-5.  Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected.
-6.  Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.)
-7.  Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as **Microsoft Software Key Storage Provider**.
-8.  Select the **Subject Name** tab. Select **Supply in the request**. Click **OK** if the certificate templates pop-up dialog appears.
-9.  Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
+1. Open the Certificates Template snap-in (`certtmpl.msc`).
+
+2. Locate the User template, right-click the template name and select **Duplicate Template**.
+
+3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected.
+
+4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option.
+
+5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected.
+
+6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, it is recommended to use **Microsoft Software Key Storage Provider**.
+
+7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider selected, such as **Microsoft Software Key Storage Provider**.
+
+8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
+
+9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
+
 10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
+
 11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
+
 12. On the **Edit Application Policies Extension** dialog box, select **Add**.
-13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:
 
-    -   **Name:** **BitLocker Network Unlock**
-    -   **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
+13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then select **OK** to create the BitLocker Network Unlock application policy:
+
+    - *Name:* **BitLocker Network Unlock**
+    - *Object Identifier:* **1.3.6.1.4.1.311.67.1.1**
+
+14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
 
-14. Select the newly created **BitLocker Network Unlock** application policy and click **OK**.
 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
+
 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
-17. Click **OK** to complete configuration of the template.
+
+17. Select **OK** to complete configuration of the template.
 
 To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
 
-After you add the Network Unlock template to the certificate authority, you can use this certificate to configure BitLocker Network Unlock.
+After the Network Unlock template is added to the certificate authority, this certificate can be used to configure BitLocker Network Unlock.
 
-### <a href="" id="bkmk-createcert"></a>Create the Network Unlock certificate
+### Create the Network Unlock certificate
 
 Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
 
 To enroll a certificate from an existing certificate authority:
-1.  On the WDS server, open Certificate Manager by using `certmgr.msc`.
-2.  Under **Certificates - Current User**, right-click **Personal**.
-3.  Select **All Tasks** > **Request New Certificate**.
-4.  When the Certificate Enrollment wizard opens, select **Next**.
-5.  Select **Active Directory Enrollment Policy**.
-6.  Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**. 
-1. When you're prompted for more information, select **Subject Name** and provide a friendly name value. Your friendly name should include information for the domain or organizational unit for the certificate. Here's an example: *BitLocker Network Unlock Certificate for Contoso domain*.
-7.  Create the certificate. Ensure the certificate appears in the **Personal** folder.
-8.  Export the public key certificate for Network Unlock:
 
-    1.  Create a .cer file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
-    2.  Select **No, do not export the private key**.
-    3.  Select **DER encoded binary X.509** and complete exporting the certificate to a file.
-    4.  Give the file a name such as BitLocker-NetworkUnlock.cer.
+1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
 
-9.  Export the public key with a private key for Network Unlock.
+2. Under **Certificates - Current User**, right-click **Personal**.
 
-    1.  Create a .pfx file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
-    2.  Select **Yes, export the private key**.
-    3.  Complete the steps to create the *.pfx* file.
+3. Select **All Tasks** > **Request New Certificate**.
 
-To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq`.
+4. When the Certificate Enrollment wizard opens, select **Next**.
 
-Here's a Windows PowerShell example:
+5. Select **Active Directory Enrollment Policy**.
+
+6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**.
+
+7. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate. For example:
+
+    *BitLocker Network Unlock Certificate for Contoso domain*
+
+8. Create the certificate. Ensure the certificate appears in the **Personal** folder.
+
+9. Export the public key certificate for Network Unlock:
+
+   1. Create a `.cer` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
+
+   2. Select **No, do not export the private key**.
+
+   3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
+
+   4. Give the file a name such as BitLocker-NetworkUnlock.cer.
+
+10. Export the public key with a private key for Network Unlock.
+
+    1. Create a `.pfx` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
+
+    2. Select **Yes, export the private key**.
+
+    3. Complete the steps to create the `.pfx` file.
+
+To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq.exe`. For example:
+
+**Windows PowerShell:**
 
 ```powershell
 New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
 ```
 
-Here's a `certreq` example:
+**certreq.exe:**
 
-1.  Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf.
-2.  Add the following contents to the previously created file:
+1. Create a text file with an `.inf` extension, for example:
+
+    ```cmd
+    notepad.exe BitLocker-NetworkUnlock.inf
+    ```
+
+2. Add the following contents to the previously created file:
 
     ```ini
     [NewRequest]
@@ -206,61 +250,82 @@ Here's a `certreq` example:
     _continue_ = "1.3.6.1.4.1.311.67.1.1"
     ```
 
-3.  Open an elevated command prompt and use the `certreq` tool to create a new certificate. Use the following command, specifying the full path to the file that you created previously. Also specify the file name.
+3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
 
     ```cmd
-    certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
+    certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
     ```
-4.  Verify that certificate was properly created by the previous command by confirming that the .cer file exists.
-5.  Launch Certificates - Local Machine by running **certlm.msc**.
-6.  Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file.
 
-### <a href="" id="bkmk-deploycert"></a>Deploy the private key and certificate to the WDS server
+4. Verify that certificate was properly created by the previous command by confirming that the `.cer` file exists.
 
-Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
+5. Launch the **Certificates - Local Computer** console by running `certlm.msc`.
 
-1.  On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options.
-2.  Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item -, select **All Tasks**, and then select **Import**.
-3.  In the **File to Import** dialog, choose the .pfx file created previously.
-4.  Enter the password used to create the .pfx and complete the wizard.
+6. Create a `.pfx` file by following the below steps the **Certificates - Local Computer** console:
 
-### Configure group policy settings for network unlock
+   1. Navigate to **Certificates - Local Computer** > **Personal** > **Certificates**
 
-With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
+   2. Right-click the previously imported certificate, select **All Tasks**, and then select **Export**
 
-The following steps describe how to enable the group policy setting that is a requirement for configuring network unlock.
+   3. Follow through the wizard to create the `.pfx` file.
 
-1.  Open Group Policy Management Console (`gpmc.msc`).
-2.  Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
-3.  Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
+### Deploy the private key and certificate to the WDS server
+
+After creating the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
+
+1. On the WDS server, launch the **Certificates - Local Computer** console by running `certlm.msc`.
+
+2. Right-click **BitLocker Drive Encryption Network Unlock** item under **Certificates (Local Computer)**, select **All Tasks**, and then select **Import**.
+
+3. In the **File to Import** dialog, choose the `.pfx` file created previously.
+
+4. Enter the password used to create the `.pfx` and complete the wizard.
+
+### Configure group policy settings for Network Unlock
+
+With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to the desired computers that will use the Network Unlock key to unlock. Group policy settings for BitLocker can be found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
+
+The following steps describe how to enable the group policy setting that is a requirement for configuring Network Unlock.
+
+1. Open Group Policy Management Console (`gpmc.msc`).
+2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
+3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
 
 The following steps describe how to deploy the required group policy setting:
 
 > [!NOTE]
-> The group policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
- 
-1.  Copy the *.cer* file that you created for Network Unlock to the domain controller.
-2.  On the domain controller, open Group Policy Management Console (`gpmc.msc`).
-3.  Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting.
-4.  Deploy the public certificate to clients:
-    1.  Within group policy management console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**.
-    2.  Right-click the folder and select **Add Network Unlock Certificate**.
-    3.  Follow the wizard steps and import the .cer file that was copied earlier.
+> The group policy settings **Allow Network Unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
+
+1. Copy the `.cer` file that was created for Network Unlock to the domain controller.
+
+2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
+
+3. Create a new Group Policy Object or modify an existing object to enable the **Allow Network Unlock at startup** setting.
+
+4. Deploy the public certificate to clients:
+
+    1. Within group policy management console, navigate to the following location:
+
+        **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate**.
+
+    2. Right-click the folder and select **Add Network Unlock Certificate**.
+
+    3. Follow the wizard steps and import the `.cer` file that was copied earlier.
 
     > [!NOTE]
-    > Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer.
+    > Only one Network Unlock certificate can be available at a time. If a new certificate is needed, delete the current certificate before deploying a new one. The Network Unlock certificate is located under the **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** registry key on the client computer.
+
+5. Reboot the clients after the Group Policy is deployed.
 
-5. Reboot the clients after you deploy the Group Policy.
    > [!NOTE]
    > The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store.
- 
+
 ### Subnet policy configuration files on the WDS server (optional)
 
-By default, all clients with the correct network unlock certificate and valid Network Unlock protectors that have wired access to a network unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the network unlock clients can use to unlock.
+By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock.
 
-The configuration file, called bde-network-unlock.ini, must be located in the same directory as the network unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
+The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
 
-The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name–value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
+The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names.
 
 ```ini
 [SUBNETS]
@@ -269,13 +334,15 @@ SUBNET2=10.185.252.200/28
 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
 SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
 ```
-Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
+
+Following the **\[SUBNETS\]** section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
 
 > [!NOTE]
 > When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid.
 
-Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every network unlock certificate on the server, and an explicit allowed list set for each certificate section.
-Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
+Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate doesn't have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. For restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
+
+Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon.
 
 ```ini
 [2158a767e1c14e88e27a4c0aee111d2de2eafe60]
@@ -288,94 +355,115 @@ SUBNET3
 
 To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list.
 
-## <a href="" id="bkmk-turnoffnetworkunlock"></a>Turn off Network Unlock
+## Turn off Network Unlock
 
-
-To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating network unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker network unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
+To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
 
 > [!NOTE]
-> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server.
- 
-## <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates
+> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
 
-To update the certificates used by network unlock, administrators need to import or generate the new certificate for the server and then update the network unlock certificate group policy setting on the domain controller.
+## Update Network Unlock certificates
+
+To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server, and then update the Network Unlock certificate group policy setting on the domain controller.
 
 > [!NOTE]
 > Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
 
-## <a href="" id="bkmk-troubleshoot"></a>Troubleshoot Network Unlock
+## Troubleshoot Network Unlock
 
-Troubleshooting network unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
+Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
+
+- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode.
 
-- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode.
 - All required roles and services are installed and started.
-- Public and private certificates have been published and are in the proper certificate containers. The presence of the network unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer.
-- Group policy for network unlock is enabled and linked to the appropriate domains.
-- Verify whether group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
+
+- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer.
+
+- Group policy for Network Unlock is enabled and linked to the appropriate domains.
+
+- Verify whether group policy is reaching the clients properly. Verification of group policy can be done using the `GPRESULT.exe` or `RSOP.msc` utilities.
+
 - Verify whether the clients were rebooted after applying the policy.
-- Verify whether the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
+
+- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
 
   ```powershell
-  manage-bde -protectors -get C:
+  manage-bde.exe -protectors -get C:
   ```
+
   > [!NOTE]
-  > Use the output of `manage-bde` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock.
- 
+  > Use the output of `manage-bde.exe` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock.
+
 Gather the following files to troubleshoot BitLocker Network Unlock.
 
 - The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log.
 
-    Debug logging is turned off by default for the WDS server role, so you need to enable it before you can retrieve it. Use either of the following two methods to turn on WDS debug logging.
+    Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging.
 
-    - Start an elevated command prompt, and then run the following command:
+  - Start an elevated command prompt, and then run the following command:
 
-        ```cmd
-        wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
-        ```
-    - Open Event Viewer on the WDS server:
+      ```cmd
+      wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
+      ```
+
+  - Open **Event Viewer** on the WDS server:
+
+    1. In the left pane, navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
+    2. In the right pane, select **Enable Log**.
 
-    1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
-    1. In the right pane, select **Enable Log**.
 - The DHCP subnet configuration file (if one exists).
-- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
+
+- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
+
 - The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
 
-## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions
+<!--
 
-Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. But you can deploy them by  using operating systems that run Windows Server 2008 R2 and Windows Server 2008.
+REMOVING SECTION DUE TO THE VERSIONS OF WINDOWS THAT THIS SECTION APPLIES TO ARE NO LONGER SUPPORTED.
 
-Your system must meet these requirements:
+## Configure Network Unlock Group Policy settings on earlier versions
 
--   The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article.
--   Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article.
+Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. However Network Unlock and the accompanying Group Policy settings can be deployed using operating systems that run Windows Server 2008 R2 and Windows Server 2008.
+
+The system must meet these requirements:
+
+- The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article.
+- Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article.
 
 Follow these steps to configure Network Unlock on these older systems.
 
-1.  [Install the WDS Server role](#bkmk-installwdsrole)
-2.  [Confirm the WDS Service is running](#bkmk-confirmwdsrunning)
-3.  [Install the Network Unlock feature](#bkmk-installnufeature)
-4.  [Create the Network Unlock certificate](#bkmk-createcert)
-5.  [Deploy the private key and certificate to the WDS server](#bkmk-deploycert)
-6.  Configure registry settings for network unlock:
+1. [Install the WDS Server role](#install-the-wds-server-role)
 
-    Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article.
+2. [Confirm the WDS Service is running](#confirm-the-wds-service-is-running)
 
-    ```console
-            certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
-            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
-            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
-            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
-            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
-            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
-            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
-            reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
+3. [Install the Network Unlock feature](#install-the-network-unlock-feature)
+
+4. [Create the Network Unlock certificate](#create-the-network-unlock-certificate)
+
+5. [Deploy the private key and certificate to the WDS server](#deploy-the-private-key-and-certificate-to-the-wds-server)
+
+6. Configure registry settings for Network Unlock:
+
+    Apply the registry settings by running the following `certutil.exe` script (assuming the Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the [Applies to](#bitlocker-how-to-enable-network-unlock) list at the beginning of this article.
+
+    ```cmd
+            certutil.exe -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
+            reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
+            reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
+            reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
+            reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
+            reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
+            reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
+            reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
     ```
 
-7.  Set up a TPM protector on the clients.
-8.  Reboot the clients to add the Network (certificate based) protector.
+7. Set up a TPM protector on the clients.
 
-## See also
+8. Reboot the clients to add the Network (certificate based) protector.
+-->
 
--   [BitLocker overview](bitlocker-overview.md)
--   [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
--   [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
+## Related articles
+
+- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
index 369d16d8e8..b7aa1ae889 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
@@ -3,24 +3,26 @@ metadata:
   title: BitLocker Key Management FAQ (Windows 10)
   description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
-  ms.reviewer: 
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 02/28/2019
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: BitLocker Key Management FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
 
 sections:
@@ -28,9 +30,11 @@ sections:
     questions:
       - question: How can I authenticate or unlock my removable data drive?
         answer: |
-          You can unlock removable data drives by using a password, a smart card, or you can configure a SID protector to unlock a drive by using your domain credentials. After you've started encryption, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users, as well as password complexity and minimum length requirements. To unlock by using a SID protector, use Manage-bde:
+          Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
           
-          <code>Manage-bde -protectors -add e: -sid <i>domain\username</i></code>
+          ```cmd
+          Manage-bde.exe -protectors -add e: -sid <i>domain\username</i></code>
+          ```
           
       - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
         answer: |
@@ -38,83 +42,85 @@ sections:
           
       - question: How can the recovery password and recovery key be stored?
         answer: |
-          The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to your Microsoft Account, or printed.
+          The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed.
           
-          For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
+          For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive.
           
-          A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
+          A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
           
       - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
         answer: |
-          You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:
+          The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
           
-          <code>manage-bde –protectors –delete %systemdrive% -type tpm</code>
-          
-          <code>manage-bde –protectors –add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>
+          ```cmd
+          manage-bde.exe -protectors -delete %systemdrive% -type tpm
+         
+          manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
+          ```
           
           
       - question: When should an additional method of authentication be considered?
         answer: |
-          New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. 
-          For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. 
+          New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack. 
+          For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers. 
           
       - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
         answer: |
           BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
           
           > [!IMPORTANT]
-          > Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
+          > Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location.
            
       - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
-        answer: While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
+        answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
 
       - question: Can I save the startup key on multiple USB flash drives?
-        answer: Yes, you can save a computer's startup key on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide you the options to duplicate the recovery keys as needed.
+        answer: Yes, computer's startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting **Manage BitLocker** will provide the options to save the recovery keys on additional USB flash drives as needed.
 
       - question: Can I save multiple (different) startup keys on the same USB flash drive?
-        answer: Yes, you can save BitLocker startup keys for different computers on the same USB flash drive.
+        answer: Yes, BitLocker startup keys for different  computers can be saved on the same USB flash drive.
 
       - question: Can I generate multiple (different) startup keys for the same computer?
-        answer: You can generate different startup keys for the same computer through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
+        answer: Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM's system integrity check.
 
       - question: Can I generate multiple PIN combinations?
-        answer: You cannot generate multiple PIN combinations.
+        answer: Generating multiple PIN combinations can't be done.
 
       - question: What encryption keys are used in BitLocker? How do they work together?
-        answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on your authentication (that is, key protectors or TPM) and recovery scenarios.
+        answer: Raw data is encrypted with the full volume encryption key, which is then encrypted with the volume master key. The volume master key is in turn encrypted by one of several possible methods depending on the authentication (that is, key protectors or TPM) and recovery scenarios.
 
       - question: Where are the encryption keys stored?
         answer: |
           The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.
           
-          This storage process ensures that the volume master key is never stored unencrypted and is protected unless you disable BitLocker. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
+          This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.
           
       - question: Why do I have to use the function keys to enter the PIN or the 48-character recovery password?
         answer: |
-          The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 are not usable in the pre-boot environment on all keyboards.
+          The F1 through F10 keys are universally mapped scan codes available in the pre-boot environment on all computers and in all languages. The numeric keys 0 through 9 aren't usable in the pre-boot environment on all keyboards.
           
           When using an enhanced PIN, users should run the optional system check during the BitLocker setup process to ensure that the PIN can be entered correctly in the pre-boot environment.
           
       - question: How does BitLocker help prevent an attacker from discovering the PIN that unlocks my operating system drive?
         answer: |
-          It is possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker have physical access to the computer.
+          It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer.
           
-          The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact your TPM's manufacturer to determine how your computer's TPM mitigates PIN brute force attacks.
-          After you have determined your TPM's manufacturer, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
+          The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks.
+          After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
           
       - question: How can I determine the manufacturer of my TPM?
-        answer: You can determine your TPM manufacturer in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
+        answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
 
       - question: How can I evaluate a TPM's dictionary attack mitigation mechanism?
         answer: |
-          The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
+          The following questions can assist when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
           
-          -   How many failed authorization attempts can occur before lockout?
-          -   What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
-          -   What actions can cause the failure count and lockout duration to be decreased or reset?
+          - How many failed authorization attempts can occur before lockout?
+          - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
+          - What actions can cause the failure count and lockout duration to be decreased or reset?
           
       - question: Can PIN length and complexity be managed with Group Policy?
         answer: |
-          Yes and No. You can configure the minimum personal identification number (PIN) length by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, you cannot require PIN complexity by Group Policy.
+          Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy.
           
           For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 6d39fbf7bf..e3bea9928b 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -3,65 +3,61 @@ title: BitLocker Management Recommendations for Enterprises (Windows 10)
 description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker management for enterprises
 
-The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. 
+The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
 
-Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
-
-
-> [!IMPORTANT]
-> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [ConfigMgr in on-prem scenarios](/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker/) in the future.
+Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
 
 ## Managing domain-joined computers and moving to cloud  
 
-Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md).
+Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md).
 
 Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
 
+> [!IMPORTANT]
+> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
+
 ## Managing devices joined to Azure Active Directory
 
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, or Windows 11, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, or Windows 11, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
 
-Starting with Windows 10 version 1703 (also known as the Windows Creators Update), or Windows 11, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
+Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
 
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), or Windows 11, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD.
-
-This is applicable to Azure Hybrid AD as well. 
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
 
 ## Managing workplace-joined PCs and phones
 
 For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
 
-
 ## Managing servers
 
-Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. 
+Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
 
-The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features).  
+The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features).  
 
-If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
+If a server is being installed manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core.
 
- Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). 
+ Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
+ For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles).
 
- For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).
- 
 ## PowerShell examples
 
 For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD.  
 
-*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+**Example**: *Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
+
 ```powershell
 Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
@@ -70,9 +66,10 @@ $BLV = Get-BitLockerVolume -MountPoint "C:"
 BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
 ```
 
-For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). 
+For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
+
+**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
 
-*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
 ```powershell
 Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
@@ -81,55 +78,44 @@ $BLV = Get-BitLockerVolume -MountPoint "C:"
 Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
 ```
 
-Subsequently, you can use PowerShell to enable BitLocker. 
+PowerShell can then be used to enable BitLocker:
+
+**Example**: *Use PowerShell to enable BitLocker with a TPM protector*
 
-*Example: Use PowerShell to enable BitLocker with a TPM protector*
 ```powershell
 Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector 
 ```
 
-*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
+**Example**: *Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
+
 ```powershell
 $SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
 
 Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
-``` 
+```
 
 ## Related Articles
 
-[BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
-
-[Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
-
-[Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) 
-
-[BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md) 
-
-[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
+- [BitLocker: FAQs](bitlocker-frequently-asked-questions.yml)
+- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
+- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
+- [BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md)
+- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
 *(Overview)*
-
-[Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
+- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
 *(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))*
+- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/)
 
-[BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/)
+### Windows Server setup tools
 
-**Windows Server setup tools**
+- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
+- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
+- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
+- [BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)  
+- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
 
-[Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
+### PowerShell
 
-[How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
-
-[How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
-
-[BitLocker: How to deploy on Windows Server 2012 and newer](bitlocker-how-to-deploy-on-windows-server.md)  
-
-[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-
-[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) 
-
-
-**PowerShell**
-
-[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) 
-
-[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)
\ No newline at end of file
+- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
+- [Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
index 11fe756cf9..7129c50889 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
@@ -2,24 +2,27 @@
 metadata:
   title: BitLocker Network Unlock FAQ (Windows 10)
   description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments.
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 02/28/2019
+  ms.date: 11/08/2022
   ms.reviewer: 
   ms.custom: bitlocker
 title: BitLocker Network Unlock FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
 
 sections:
   - name: Ignored
@@ -29,10 +32,10 @@ sections:
         answer: |  
           BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
           
-          To use Network Unlock you must also have a PIN configured for your computer. When your computer isn't connected to the network you'll need to provide the PIN to unlock it.
+          To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.
           
-          BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
+          BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before it can be used.
           
-          Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt you to enter your PIN. If the PIN isn't available, you'll need to use the recovery key to unlock the computer if it can't be connected to the network.
+          Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.
           
           For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 46325ab4f4..c8bea939c1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -3,27 +3,28 @@ metadata:
   title: BitLocker overview and requirements FAQ (Windows 10)
   description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker.
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
-  ms.reviewer: 
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection:
     - M365-security-compliance
     - highpri
   ms.topic: faq
-  ms.date: 07/27/2021
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: BitLocker Overview and Requirements FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
-  -   Windows 11
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
 
 sections:
@@ -33,21 +34,21 @@ sections:
         answer: |
           **How BitLocker works with operating system drives**
           
-          You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
+          BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
           
           **How BitLocker works with fixed and removable data drives**
           
-          You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
+          BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods.
           
       - question: Does BitLocker support multifactor authentication?
-        answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
+        answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection.
 
       - question: What are the BitLocker hardware and software requirements?
         answer: |
           For requirements, see [System requirements](bitlocker-overview.md#system-requirements).
           
           > [!NOTE]
-          > Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it cannot be protected by BitLocker.
+          > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
            
       - question: Why are two partitions required? Why does the system drive have to be so large?
         answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
@@ -57,27 +58,27 @@ sections:
           BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. 
           
           > [!NOTE]
-          > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
+          > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
           > 
-          > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
+          > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.
           
-      - question: How can I tell if a TPM is on my computer?
-        answer: Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. You can also run [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** in PowerShell to get more details about the TPM on the current computer.
+      - question: How can I tell if a computer has a TPM?
+        answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer.
 
       - question: Can I use BitLocker on an operating system drive without a TPM?
         answer: |
-          Yes, you can enable BitLocker on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
+          Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
           To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
           
       - question: How do I obtain BIOS support for the TPM on my computer?
         answer: |
           Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
           
-          -   It is compliant with the TCG standards for a client computer.
-          -   It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
+          - It's compliant with the TCG standards for a client computer.
+          - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
           
       - question: What credentials are required to use BitLocker?
         answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
 
       - question: What is the recommended boot order for computers that are going to be BitLocker-protected?
-        answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 
+        answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked. 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 8d83958580..de852a1f48 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -1,67 +1,69 @@
 ---
 title: BitLocker
-description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-ms.author: dansimp
+description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
+ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
+author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 01/26/2018
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker
 
-**Applies to**
+**Applies to:**
 
 - Windows 10
 - Windows 11
 - Windows Server 2016 and above
 
-This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
+This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
 
-## <a href="" id="bkmk-over"></a>BitLocker overview
+## BitLocker overview
 
 BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
 
-BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
+BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline.
 
-On computers that do not have a TPM version 1.2 or later versions, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.
+On computers that don't have a TPM version 1.2 or later versions, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, an operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
 
-In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
+In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
 
-## <a href="" id="bkmk-app"></a>Practical applications
+## Practical applications
 
 Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.
 
-There are two additional tools in the Remote Server Administration Tools which you can use to manage BitLocker.
+There are two additional tools in the Remote Server Administration Tools that can be used to manage BitLocker.
 
--   **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
-    By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.
+- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables the BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS) to be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
 
--   **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
-BitLocker control panel, and they are appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console.
+    By using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords. Additionally, a domain container can be searched for a BitLocker recovery password across all the domains in the Active Directory forest by right clicking on the domain container. Viewing recovery passwords can only be viewed by domain administrator or having delegated permissions by a domain administrator.
 
-## <a href="" id="bkmk-new"></a>New and changed functionality
+- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
+BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.
+
+## New and changed functionality
+
+To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker).
 
-To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10."
- 
 ## System requirements
 
 BitLocker has the following hardware requirements:
 
-For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive.
+For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker.
 
-A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware.
+A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
 
 The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
 
 > [!IMPORTANT]
-> From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
+> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
 
 > [!NOTE]
 > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
@@ -70,35 +72,31 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th
 
 The hard disk must be partitioned with at least two drives:
 
--   The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
--   The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
+- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
+- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
 
 When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
 
-A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives).
+A partition subject to encryption can't be marked as an active partition. This requirement applies to the operating system drives, fixed data drives, and removable data drives.
 
-
-When installing the BitLocker optional component on a server, you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives.
+When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
 
 ## In this section
 
-| Topic | Description |
+| Article | Description |
 | - | - |
-| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10.  |
-| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
-| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic explains the procedure you can use to plan your BitLocker deployment. |
-| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic explains how BitLocker features can be used to protect your data through drive encryption. |
-| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This topic explains how to deploy BitLocker on Windows Server.|
-| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This topic describes how BitLocker Network Unlock works and how to configure it. |
-| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This topic describes how to use tools to manage BitLocker.|
-| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This topic describes how to use the BitLocker Recovery Password Viewer. |
-| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
-| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.|
-| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. |
-| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
-| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
-| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.|
-| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic describes how to use BitLocker with Windows IoT Core |
-
-
-
+| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This article provides an overview of the ways in which BitLocker Device Encryption can help protect data on devices running Windows 10. |
+| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This article answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
+| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This article explains the procedure you can use to plan your BitLocker deployment. |
+| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This article explains how BitLocker features can be used to protect your data through drive encryption. |
+| [BitLocker: How to deploy on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)| This article explains how to deploy BitLocker on Windows Server.|
+| [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | This article describes how BitLocker Network Unlock works and how to configure it. |
+| [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)| This article describes how to use tools to manage BitLocker.|
+| [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md) | This article describes how to use the BitLocker Recovery Password Viewer. |
+| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This article describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
+| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This article describes the BCD settings that are used by BitLocker.|
+| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This article describes how to recover BitLocker keys from AD DS. |
+| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
+| [Troubleshoot BitLocker](/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
+| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This article describes how to protect CSVs and SANs with BitLocker.|
+| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This article describes how to use BitLocker with Windows IoT Core |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 390b943e87..efdcd705e7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,6 +1,6 @@
 ---
 title: BitLocker recovery guide
-description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
+description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.localizationpriority: medium
@@ -12,7 +12,7 @@ ms.collection:
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---
 
@@ -22,264 +22,312 @@ ms.custom: bitlocker
 
 - Windows 10
 - Windows 11
-- Windows Server 2016 and later
+- Windows Server 2016 and above
 
 This article describes how to recover BitLocker keys from AD DS.
 
-Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.
+Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
 
-This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
+This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
 
-This article does not detail how to configure AD DS to store the BitLocker recovery information.
+This article doesn't detail how to configure AD DS to store the BitLocker recovery information.
 
+## What is BitLocker recovery?
 
-## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery?
+BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
 
-BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive:
+- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain.
 
--   **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. (Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
--   **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
--   **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
+
+- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
 
 ### What causes BitLocker recovery?
 
 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
 
-- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
-- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
+
+- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised.
+
 - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
+
 - Failing to boot from a network drive before booting from the hard drive.
-- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
+
+- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked.
+
 - Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
+
 - Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
-- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.
+
+- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM.
+
 - Turning off, disabling, deactivating, or clearing the TPM.
+
 - Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
+
 - Forgetting the PIN when PIN authentication has been enabled.
+
 - Updating option ROM firmware.
+
 - Upgrading TPM firmware.
+
 - Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards.
+
 - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
+
 - Changes to the master boot record on the disk.
+
 - Changes to the boot manager on the disk.
-- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
-- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
+
+- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software.
+
+- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
+
 - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
 
     > [!NOTE]
     > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
 
 - Moving the BitLocker-protected drive into a new computer.
+
 - Upgrading the motherboard to a new one with a new TPM.
+
 - Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
+
 - Failing the TPM self-test.
-- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
+
+- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
+
 - Changing the usage authorization for the storage root key of the TPM to a non-zero value.
 
     > [!NOTE]
     > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
 
 - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
+
 - Pressing the F8 or F10 key during the boot process.
+
 - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
+
 - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
 
-
 > [!NOTE]
-> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
- 
-For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
+> Before beginning recovery, it is recommend to determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
+
+For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
 
 > [!NOTE]
 > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
 
-If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker network unlock feature to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
+If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker network unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method.
 
-Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
+Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user.
 
-## <a href="" id="bkmk-testingrecovery"></a>Testing recovery
+## Testing recovery
 
-Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
+Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation.
 
 **To force a recovery for the local computer:**
 
-1.  Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**.
-2.  At the command prompt, type the following command and then press **ENTER**:
+1. Select the **Start** button and type in **cmd**
 
-    `manage-bde -forcerecovery <BitLockerVolume>`
+2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
+
+3. At the command prompt, enter the following command:
+
+    ```cmd
+    manage-bde.exe -forcerecovery <BitLockerVolume>
+    ```
 
 **To force recovery for a remote computer:**
 
-1.  On the Start screen, type **cmd.exe**, and then select **Run as administrator**.
+1. Select the **Start** button and type in **cmd**
 
-2.  At the command prompt, type the following command and then press **ENTER**:
+2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
 
-    `manage-bde -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
+3. At the command prompt, enter the following command:
+
+    ```cmd
+    manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>
+    ```
 
     > [!NOTE]
     > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
 
+## Planning the recovery process
 
-## <a href="" id="bkmk-planningrecovery"></a>Planning your recovery process
+When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: How does the enterprise handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model.
 
-When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.
+Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
 
-Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
+After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
 
-After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.
+When the recovery process is determined:
 
-When you determine your recovery process, you should:
+- Become familiar with how a recovery password can be retrieved. See:
 
-- Become familiar with how you can retrieve the recovery password. See:
-
-    - [Self-recovery](#bkmk-selfrecovery)
-    - [Recovery password retrieval](#bkmk-recoveryretrieval)
+  - [Self-recovery](#self-recovery)
+  - [Recovery password retrieval](#recovery-password-retrieval)
 
 - Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
 
-    - [Post-recovery analysis](#bkmk-planningpostrecovery)
+  - [Post-recovery analysis](#post-recovery-analysis)
 
+### Self-recovery
 
-### <a href="" id="bkmk-selfrecovery"></a>Self-recovery
+In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
 
-In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
+### Recovery password retrieval
 
-### <a href="" id="bkmk-recoveryretrieval"></a>Recovery password retrieval
+If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
 
-If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
+- **Choose how BitLocker-protected operating system drives can be recovered**
 
--   **Choose how BitLocker-protected operating system drives can be recovered**
--   **Choose how BitLocker-protected fixed drives can be recovered**
--   **Choose how BitLocker-protected removable drives can be recovered**
-In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD
-DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
+- **Choose how BitLocker-protected fixed drives can be recovered**
+
+- **Choose how BitLocker-protected removable drives can be recovered**
+
+In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD
+DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
 
 > [!NOTE]
-> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required.
- 
+> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required.
+
 The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
 
-You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
+The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
 
-- [Record the name of the user's computer](#bkmk-recordcomputername)
-- [Verify the user's identity](#bkmk-verifyidentity)
-- [Locate the recovery password in AD DS](#bkmk-locatepassword)
-- [Gather information to determine why recovery occurred](#bkmk-gatherinfo)
-- [Give the user the recovery password](#bkmk-givepassword)
+- [Record the name of the user's computer](#record-the-name-of-the-users-computer)
+- [Verify the user's identity](#verify-the-users-identity)
+- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds)
+- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred)
+- [Give the user the recovery password](#give-the-user-the-recovery-password)
 
+### Record the name of the user's computer
 
-### <a href="" id="bkmk-recordcomputername"></a>Record the name of the user's computer
+The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.
 
-You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.
+### Verify the user's identity
 
+The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.
 
-### <a href="" id="bkmk-verifyidentity"></a>Verify the user's identity
-
-You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user.
-
-### <a href="" id="bkmk-locatepassword"></a>Locate the recovery password in AD DS
-
-Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.
+### Locate the recovery password in AD DS
 
+Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest.
 
 ### Multiple recovery passwords
 
-If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
+If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
 
-If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console.
+To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console.
 
-Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
+Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
 
+### Gather information to determine why recovery occurred
 
-### <a href="" id="bkmk-gatherinfo"></a>Gather information to determine why recovery occurred
+Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis).
 
-Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#bkmk-planningpostrecovery).
+### Give the user the recovery password
 
-
-### <a href="" id="bkmk-givepassword"></a>Give the user the recovery password
-
-Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
+Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password.
 
 > [!NOTE]
 > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
 
-### <a href="" id="bkmk-planningpostrecovery"></a>Post-recovery analysis
+### Post-recovery analysis
 
-When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
+When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
 
-If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See:
+If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see:
 
-- [Determine the root cause of the recovery](#bkmk-determinecause)
-- [Refresh BitLocker protection](#bkmk-refreshprotection)
+- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery)
+- [Resolve the root cause](#resolve-the-root-cause)
 
-### <a href="" id="bkmk-determinecause"></a>Determine the root cause of the recovery
+### Determine the root cause of the recovery
 
-If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
+If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
 
 While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.
 
-Review and answer the following questions for your organization:
+Review and answer the following questions for the organization:
 
-1.  Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
-2.  Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
-3.  If TPM mode was in effect, was recovery caused by a boot file change?
-4.  If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software?
-5.  When was the user last able to start the computer successfully, and what might have happened to the computer since then?
-6.  Might the user have encountered malicious software or left the computer unattended since the last successful startup?
+1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
 
-To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely.
+2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
 
-### <a href="" id="bkmk-refreshprotection"></a>Resolve the root cause
+3. If TPM mode was in effect, was recovery caused by a boot file change?
 
-After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup.
+4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software?
 
-The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
+5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
+
+6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
+
+To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode:
+
+```cmd
+manage-bde.exe -status
+```
+
+Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely.
+
+### Resolve the root cause
+
+After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup.
+
+The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
 
 > [!NOTE]
-> You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.
+> BitLocker validation profile reset can be performed by suspending and resuming BitLocker.
 
-- [Unknown PIN](#bkmk-unknownpin)
-- [Lost startup key](#bkmk-loststartup)
-- [Changes to boot files](#bkmk-changebootknown)
+- [Unknown PIN](#unknown-pin)
+- [Lost startup key](#lost-startup-key)
+- [Changes to boot files](#changes-to-boot-files)
 
+### Unknown PIN
 
-### <a href="" id="bkmk-unknownpin"></a>Unknown PIN
+If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
 
-If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
+#### To prevent continued recovery due to an unknown PIN
 
-**To prevent continued recovery due to an unknown PIN**
+1. Unlock the computer using the recovery password.
 
-1.  Unlock the computer using the recovery password.
-2.  Reset the PIN:
-    1.  Select and hold the drive and then select **Change PIN**
-    2.  In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, you must provide administrative credentials at this time.
-    3.  In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**.
-3. You will use the new PIN the next time you unlock the drive.
+2. Reset the PIN:
 
-### <a href="" id="bkmk-loststartup"></a>Lost startup key
+    1. Select and hold the drive and then select **Change PIN**
 
-If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key.
+    2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time.
 
-**To prevent continued recovery due to a lost startup key**
+    3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**.
 
-1.  Log on as an administrator to the computer that has its startup key lost.
-2.  Open Manage BitLocker.
-3.  Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key, and then select **Save**.
+3. The new PIN can be used the next time the drive needs to be unlocked.
 
-### <a href="" id="bkmk-changebootknown"></a>Changes to boot files
+### Lost startup key
 
-This error occurs if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
+If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created.
+
+#### To prevent continued recovery due to a lost startup key
+
+1. Sign in as an administrator to the computer that has its startup key lost.
+
+2. Open Manage BitLocker.
+
+3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**.
+
+### Changes to boot files
+
+This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time.
 
 ## Windows RE and BitLocker Device Encryption
 
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
 
-Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
+Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.
 
-The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
+The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
 
-To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**.
-To activate the on-screen keyboard, tap on a text input control.
+To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. To activate the on-screen keyboard, tap on a text input control.
 
 :::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated.":::
 
@@ -287,44 +335,50 @@ To activate the on-screen keyboard, tap on a text input control.
 
 During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
 
-
 ### Custom recovery message
 
-BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
+BitLocker Group Policy settings starting in Windows 10, version 1511, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
 
 This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
 
-It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
-*\<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\</LocURI>*
+It can also be configured using mobile device management (MDM), including in Intune, using the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp):
+
+**`<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>`**
 
 ![Custom URL.](./images/bl-intune-custom-url.png)
 
-Example of customized recovery screen:
+Example of a customized recovery screen:
 
 ![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png)
 
-
 ### BitLocker recovery key hints
 
-BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
 
 ![Customized BitLocker recovery screen.](./images/bl-password-hint2.png)
 
 > [!IMPORTANT]
-> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
+> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
 
 There are rules governing which hint is shown during the recovery (in the order of processing):
 
 1. Always display custom recovery message if it has been configured (using GPO or MDM).
-2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq."
-3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
-4. Prioritize keys with successful backup over keys that have never been backed up.
-5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. 
-6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints.
-7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
-8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” is displayed. 
-9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. 
 
+2. Always display generic hint: `For more information, go to https://aka.ms/recoverykeyfaq.`
+
+3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
+
+4. Prioritize keys with successful backup over keys that have never been backed up.
+
+5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
+
+6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
+
+7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
+
+8. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed.
+
+9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer.
 
 #### Example 1 (single recovery key with single backup)
 
@@ -336,12 +390,10 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Printed          |     No     |
 |     Saved to file    |     No     |
 
-
 **Result:** The hints for the Microsoft account and custom URL are displayed.
 
 ![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png)
 
-
 #### Example 2 (single recovery key with single backup)
 
 |     Custom URL       |     Yes    |
@@ -356,7 +408,6 @@ There are rules governing which hint is shown during the recovery (in the order
 
 ![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png)
 
-
 #### Example 3 (single recovery key with multiple backups)
 
 |     Custom URL       |     No     |
@@ -371,7 +422,6 @@ There are rules governing which hint is shown during the recovery (in the order
 
 ![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png)
 
-
 #### Example 4  (multiple recovery passwords)
 
 |     Custom URL       |     No          |
@@ -384,8 +434,8 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Creation time    |     **1PM**     |
 |     Key ID           |     A564F193    |
 
-&nbsp;
-&nbsp;
+<br>
+<br>
 
 |     Custom URL       |     No          |
 |----------------------|-----------------|
@@ -401,7 +451,6 @@ There are rules governing which hint is shown during the recovery (in the order
 
 ![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png)
 
-
 #### Example 5  (multiple recovery passwords)
 
 |     Custom URL       |     No          |
@@ -414,9 +463,6 @@ There are rules governing which hint is shown during the recovery (in the order
 |     Creation time    |     **1PM**     |
 |     Key ID           |     99631A34    |
 
-&nbsp;
-&nbsp;
-
 |     Custom URL       |     No        |
 |----------------------|-----------------|
 |     Saved to Microsoft Account     |     No          |
@@ -431,70 +477,81 @@ There are rules governing which hint is shown during the recovery (in the order
 
 ![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png)
 
-
-## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
+## Using additional recovery information
 
 Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
 
-
 ### BitLocker key package
 
-If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password.
+If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password.
 
 > [!NOTE]
-> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
+> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package.
 
-The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the group policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
+The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package).
 
-## <a href="" id="bkmk-appendixb"></a>Resetting recovery passwords
+## Resetting recovery passwords
 
-You must invalidate a recovery password after it has been provided and used, and when you intentionally want to invalidate an existing recovery password for any reason.
+It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason.
 
-You can reset the recovery password in two ways:
+The recovery password and be invalidated and reset in two ways:
 
-- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
+- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
 
-**To reset a recovery password using manage-bde:**
+- **Run a script**: A script can be run to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
 
-1.  Remove the previous recovery password.
+### Resetting a recovery password using `manage-bde.exe`
 
-    ```powershell
-    Manage-bde –protectors –delete C: –type RecoveryPassword
+1. Remove the previous recovery password.
+
+    ```cmd
+    `manage-bde.exe` -protectors -delete C: -type RecoveryPassword
     ```
-2.  Add the new recovery password.
 
-    ```powershell
-    Manage-bde –protectors –add C: -RecoveryPassword
+2. Add the new recovery password.
+
+    ```cmd
+    `manage-bde.exe` -protectors -add C: -RecoveryPassword
     ```
-3.  Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
 
-    ```powershell
-    Manage-bde –protectors –get C: -Type RecoveryPassword
+3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
+
+    ```cmd
+    `manage-bde.exe` -protectors -get C: -Type RecoveryPassword
     ```
-4.  Back up the new recovery password to AD DS.
 
-    ```powershell
-    Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
+4. Back up the new recovery password to AD DS.
+
+    ```cmd
+    `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
     ```
 
     > [!WARNING]
-    > You must include the braces in the ID string.
+    > The braces `{}` must be included in the ID string.
 
-**To run the sample recovery password script:**
+### Running the sample recovery password script to reset the recovery passwords
 
-1.  Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
-2.  At the command prompt, type a command similar to the following:
+1. Save the following sample script in a VBScript file. For example:
 
-    **cscript ResetPassword.vbs**
+    `ResetPassword.vbs`.
+
+2. At the command prompt, enter the following command::
+
+    ```cmd
+    cscript.exe ResetPassword.vbs
+    ```
 
     > [!IMPORTANT]
-    > This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.
+    > This sample script is configured to work only for the C volume. If necessary, customize the script to match the volume where the password reset needs to be tested.
 
 > [!NOTE]
-> To manage a remote computer, you must specify the remote computer name rather than the local computer name.
+> To manage a remote computer, specify the remote computer name rather than the local computer name.
 
-You can use the following sample VBScript to reset the recovery passwords:
+The following sample VBScript can be used to reset the recovery passwords:
+
+<br>
+<details>
+  <summary>Expand to view sample recovery password VBscript to reset the recovery passwords</summary>
 
 ```vb
 ' Target drive letter
@@ -564,27 +621,36 @@ Next
 WScript.Echo "A new recovery password has been added. Old passwords have been removed."
 ' - some advanced output (hidden)
 'WScript.Echo ""
-'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
+'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
 ```
 
+</details>
 
-## <a href="" id="bkmk-appendixc"></a>Retrieving the BitLocker key package
+## Retrieving the BitLocker key package
 
-You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):
+Two methods can be used to retrieve the key package as described in [Using Additional Recovery Information](#using-additional-recovery-information):
 
-- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
-- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
+- **Export a previously saved key package from AD DS.** Read access is required to BitLocker recovery passwords that are stored in AD DS.
 
-The following sample script exports all previously saved key packages from AD DS.
+- **Export a new key package from an unlocked, BitLocker-protected volume.** Local administrator access to the working volume is required before any damage occurred to the volume.
 
-**To run the sample key package retrieval script:**
+### Running the sample key package retrieval script that exports all previously saved key packages from AD DS
 
-1.  Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.
-2.  At the command prompt, type a command similar to the following sample script:
+The following steps and sample script exports all previously saved key packages from AD DS.
 
-    **cscript GetBitLockerKeyPackageADDS.vbs -?**
+1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackageADDS.vbs`.
 
-You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS:
+2. At the command prompt, enter a command similar to the following sample script:
+
+    ```cmd
+    cscript.exe GetBitLockerKeyPackageADDS.vbs -?
+    ```
+
+The following sample script can be used to create a VBScript file to retrieve the BitLocker key package from AD DS:
+
+<br>
+<details>
+  <summary>Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS</summary>
 
 ```vb
 ' --------------------------------------------------------------------------------
@@ -724,14 +790,23 @@ End Function
 WScript.Quit
 ```
 
-The following sample script exports a new key package from an unlocked, encrypted volume.
+</details>
 
-**To run the sample key package retrieval script:**
+### Running the sample key package retrieval script that exports a new key package from an unlocked, encrypted volume
 
-1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs
-2. Open an administrator command prompt, and then type a command similar to the following sample script:
+The following steps and sample script exports a new key package from an unlocked, encrypted volume.
 
-    **cscript GetBitLockerKeyPackage.vbs  -?**
+1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackage.vbs`
+
+2. Open an administrator command prompt, and then enter a command similar to the following sample script:
+
+    ```cmd
+    cscript.exe GetBitLockerKeyPackage.vbs  -?
+    ```
+
+<br>
+<details>
+  <summary>Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume</summary>
 
 ```vb
 ' --------------------------------------------------------------------------------
@@ -826,7 +901,7 @@ End If
 ' Fail case: no recovery key protectors exist.
 If strDefaultKeyProtectorID = "" Then
 WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
-WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""."
+WScript.Echo "For help adding recovery passwords or recovery keys, enter ""manage-bde.exe -protectors -add -?""."
 WScript.Quit -1
 End If
 End If
@@ -886,7 +961,7 @@ End If
 WScript.Echo "Save this recovery password: " & sNumericalPassword
 ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
 WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
-WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?"""
+WScript.Echo "For help re-saving this external key file, enter ""manage-bde.exe -protectors -get -?"""
 End If
 '----------------------------------------------------------------------------------------
 ' Utility functions to save binary data
@@ -911,7 +986,8 @@ Function BinaryToString(Binary)
 End Function
 ```
 
+</details>
 
-## See also
+## Related articles
 
 - [BitLocker overview](bitlocker-overview.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
index 62c8fe56d0..4120e83475 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -3,32 +3,41 @@ title: Breaking out of a BitLocker recovery loop
 description: This article for IT professionals describes how to break out of a BitLocker recovery loop.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 10/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # Breaking out of a BitLocker recovery loop
 
-Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This experience can be frustrating.
+Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating.
 
-If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop.
+If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop:
 
 > [!NOTE]
-> Try these steps only after you have restarted your device at least once.
+> Try these steps only after the device has been restarted at least once.
 
-1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**.
+1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**.
 
 2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
 
-3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>`
+3. From the WinRE command prompt, manually unlock the drive with the following command:
 
-4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:`
+```cmd
+manage-bde.exe -unlock C: -rp <recovery password>
+```
 
-5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system.
+4. Suspend the protection on the operating system with the following command:
+
+```cmd
+manage-bde.exe -protectors -disable C:
+```
+
+5. Once the command is run, exit the command prompt and continue to boot into the operating system.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
index 465a4c3d6d..04035cd1cb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
@@ -3,24 +3,26 @@ metadata:
   title: BitLocker Security FAQ (Windows 10)
   description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?"
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
-  ms.reviewer: 
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 03/14/2022
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: BitLocker Security FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
   
 
@@ -35,17 +37,17 @@ sections:
       - question: |
           What is the best practice for using BitLocker on an operating system drive?
         answer: |
-          The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
+          The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer.
 
       - question: |
           What are the implications of using the sleep or hibernate power management options?
         answer: |
-          BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since it remains unprotected data in RAM. Therefore, for improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). 
+          BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). 
           
       - question: |
           What are the advantages of a TPM?
         answer: |
-          Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
+          Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
           
           > [!NOTE]
           > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
index e318b5ed29..1ab54f3689 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
@@ -3,24 +3,24 @@ metadata:
   title: BitLocker To Go FAQ (Windows 10)
   description: "Learn more about BitLocker To Go"
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
-  ms.reviewer: 
-  ms.author: dansimp
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
+  ms.author: frankroj
   ms.mktglfcycl: deploy
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
+  author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 07/10/2018
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: BitLocker To Go FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
   
 
 sections:
@@ -37,4 +37,4 @@ sections:
            
           Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
           
-          As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
+          As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
index 40fdb23d9d..2ab78a0734 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
@@ -2,31 +2,34 @@
 metadata:
   title: BitLocker Upgrading FAQ (Windows 10)
   description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?"
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 02/28/2019
+  ms.date: 11/08/2022
   ms.reviewer: 
   ms.custom: bitlocker
 title: BitLocker Upgrading FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
 
 sections:
   - name: Ignored
     questions:
       - question: |
-          Can I upgrade to Windows 10 with BitLocker enabled?
+          Can I upgrade to Windows 10 with BitLocker enabled?
         answer: |
           Yes. 
 
@@ -43,12 +46,12 @@ sections:
           No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). 
           Users need to suspend BitLocker for Non-Microsoft software updates, such as:   
           
-          -	Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection.
+          -	Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
           -	Non-Microsoft application updates that modify the UEFI\BIOS configuration.
           -	Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
-          -	Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation).
-           -	You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported).
+          -	Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).
+           -	BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**.
           
           
           > [!NOTE]
-          > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
+          > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index c276611731..573fcb0e51 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -4,20 +4,21 @@ description: This article for the IT professional describes how to use tools to
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
 
-**Applies to**
+**Applies to:**
 
 - Windows 10
 - Windows 11
@@ -29,98 +30,110 @@ BitLocker Drive Encryption Tools include the command-line tools manage-bde and r
 
 Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
 
-Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive cannot be unlocked normally or using the recovery console.
+Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console.
 
-1.  [Manage-bde](#bkmk-managebde)
-2.  [Repair-bde](#bkmk-repairbde)
-3.  [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets)
+1. [Manage-bde](#manage-bde)
+2. [Repair-bde](#repair-bde)
+3. [BitLocker cmdlets for Windows PowerShell](#bitlocker-cmdlets-for-windows-powershell)
 
-## <a href="" id="bkmk-managebde"></a>Manage-bde
+## Manage-bde
 
-Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference.
+Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference.
 
-Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
+Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
 
 ### Using manage-bde with operating system volumes
 
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume.
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume.
 
-A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
+A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
 
-```powershell
-manage-bde -status
+```cmd
+manage-bde.exe -status
 ```
 
 This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
 
 ![Using manage-bde to check encryption status.](images/manage-bde-status.png)
 
-The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
+The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.
 
-```powershell
-manage-bde –protectors -add C: -startupkey E:
-manage-bde -on C:
+```cmd
+manage-bde.exe -protectors -add C: -startupkey E:
+manage-bde.exe -on C:
 ```
 
 > [!NOTE]
 > After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
- 
-An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
 
-```powershell
-manage-bde -protectors -add C: -pw -sid <user or group>
+An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:
+
+```cmd
+manage-bde.exe -protectors -add C: -pw -sid <user or group>
 ```
 
-This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker.
+The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on.
 
-On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command:
+On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:
 
-```powershell
-manage-bde -on C:
+```cmd
+manage-bde.exe -on C:
 ```
 
-This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
+The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command:
 
-```powershell
- manage-bde -protectors -get <volume>
+```cmd
+ manage-bde.exe -protectors -get <volume>
 ```
+
 ### Using manage-bde with data volumes
 
-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
 
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
+`manage-bde.exe -on <drive letter>`
 
-```powershell
-manage-bde -protectors -add -pw C:
-manage-bde -on C:
+or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
+
+A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.
+
+```cmd
+manage-bde.exe -protectors -add -pw C:
+manage-bde.exe -on C:
 ```
 
-## <a href="" id="bkmk-repairbde"></a>Repair-bde
+## Repair-bde
 
-You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly.
+Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly.
 
-The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
+The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted with BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. This key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With this key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package will work only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS.
 
 > [!TIP]
-> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
- 
-The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
+> If recovery information is not being backed up to AD DS or if key packages need to be saved in an alternative way, the command:
+>
+> `manage-bde.exe -KeyPackage`
+>
+> can be used to generate a key package for a volume.
 
-- You have encrypted the drive by using BitLocker Drive Encryption.
-- Windows does not start, or you cannot start the BitLocker recovery console.
-- You do not have a copy of the data that is contained on the encrypted drive.
+The Repair-bde command-line tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde if the following conditions are true:
+
+- The drive has been encrypted using BitLocker Drive Encryption.
+
+- Windows doesn't start, or the BitLocker recovery console can't be started.
+
+- There isn't a backup copy of the data that is contained on the encrypted drive.
 
 > [!NOTE]
-> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
- 
+> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
+
 The following limitations exist for Repair-bde:
 
--   The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process.
--   The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
+- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process.
+
+- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
 
 For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).
 
-## <a href="" id="bkmk-blcmdlets"></a>BitLocker cmdlets for Windows PowerShell
+## BitLocker cmdlets for Windows PowerShell
 
 Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
 
@@ -138,18 +151,19 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
 |**Resume-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
 |**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
 |**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
- 
-Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
 
-A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLockerVolume</code> cmdlet.
+Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
 
-The <code>Get-BitLockerVolume</code> cmdlet output gives information on the volume type, protectors, protection status, and other details.
+A good initial step is to determine the current state of the volume(s) on the computer. Determining the current state of the volume(s) can be done using the `Get-BitLockerVolume` cmdlet.
+
+The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status, and other details.
 
 > [!TIP]
-> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
-`Get-BitLockerVolume C: | fl`
- 
-If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
+> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If all of the protectors for a volume are not seen, use the Windows PowerShell pipe command (|) to format a full listing of the protectors:
+> 
+> `Get-BitLockerVolume C: | fl`
+
+To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.
 
 A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:
 
@@ -158,9 +172,9 @@ $vol = Get-BitLockerVolume
 $keyprotectors = $vol.KeyProtector
 ```
 
-By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
+By using this script, the information in the $keyprotectors variable can be displayed to determine the GUID for each protector.
 
-By using this information, you can then remove the key protector for a specific volume using the command:
+By using this information, the key protector for a specific volume can be removed using the command:
 
 ```powershell
 Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
@@ -168,10 +182,10 @@ Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
 
 > [!NOTE]
 > The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
- 
+
 ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
 
-Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell.
+Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell.
 
 The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
 
@@ -198,11 +212,11 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
 
 ### Using an AD Account or Group protector in Windows PowerShell
 
-The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
+The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and become unlocked by any member computer of the cluster.
 
 > [!WARNING]
 > The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
- 
+
 To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
 
 ```powershell
@@ -213,14 +227,14 @@ For users who wish to use the SID for the account or group, the first step is to
 
 > [!NOTE]
 > Use of this command requires the RSAT-AD-PowerShell feature.
- 
+
 ```powershell
 get-aduser -filter {samaccountname -eq "administrator"}
 ```
 
 > [!TIP]
-> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
- 
+> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features.
+
 The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
 
 ```powershell
@@ -229,8 +243,8 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-
 
 > [!NOTE]
 > Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
- 
-## More information
+
+## Related articles
 
 - [BitLocker overview](bitlocker-overview.md)
 - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index 56d645428f..4fedd8f3d5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -1,66 +1,73 @@
 ---
 title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
-description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
+description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # BitLocker: Use BitLocker Recovery Password Viewer
 
-**Applies to**
+**Applies to:**
 
 - Windows 10
 - Windows 11
 - Windows Server 2016 and above
 
-This topic describes how to use the BitLocker Recovery Password Viewer.
+This article describes how to use the BitLocker Recovery Password Viewer.
 
-The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID).
+The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS) be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords.
 
-## Before you start
+Additionally a domain container can be searched for BitLocker recovery password across all the domains in the Active Directory forest via a right-click. Passwords can also be searched by password identifier (ID).
 
-To complete the procedures in this scenario:
+## Before starting
 
--   You must have domain administrator credentials.
--   Your test computers must be joined to the domain.
--   On the domain-joined test computers, BitLocker must have been turned on.
+To complete the procedures in this scenario, the following requirements must be met:
+
+- Domain administrator credentials.
+- Test computers must be joined to the domain.
+- On the domain-joined test computers, BitLocker must have been turned on.
 
 The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
 
-**To view the recovery passwords for a computer**
+### To view the recovery passwords for a computer
 
-1.  In **Active Directory Users and Computers**, locate and then click the container in which the computer is located.
-2.  Right-click the computer object, and then click **Properties**.
-3.  In the **Properties** dialog box, click the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer.
+1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located.
 
-**To copy the recovery passwords for a computer**
+2. Right-click the computer object, and then select **Properties**.
 
-1.  Follow the steps in the previous procedure to view the BitLocker recovery passwords.
-2.  On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that you want to copy, and then click **Copy Details**.
-3.  Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
+3. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer.
 
-**To locate a recovery password by using a password ID**
+### To copy the recovery passwords for a computer
 
-1.  In Active Directory Users and Computers, right-click the domain container, and then click **Find BitLocker Recovery Password**.
-2.  In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then click **Search**.
-By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password.
+1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.
 
-## More information
+2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**.
+
+3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
+
+### To locate a recovery password by using a password ID
+
+1. In Active Directory Users and Computers, right-click the domain container, and then select **Find BitLocker Recovery Password**.
+
+2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then select **Search**.
+
+By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password.
+
+## Replated articles
 
 - [BitLocker Overview](bitlocker-overview.md)
 - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
 - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- 
- 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
index bb221372e1..64f9160f29 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
@@ -1,26 +1,28 @@
 ### YamlMime:FAQ
 metadata:
   title: Using BitLocker with other programs FAQ (Windows 10)
-  description: Learn how to integrate BitLocker with other software on your device.
+  description: Learn how to integrate BitLocker with other software on a device.
   ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
-  ms.reviewer: 
-  ms.prod: m365-security
+  ms.prod: windows-client
+  ms.technology: itpro-security
   ms.mktglfcycl: explore
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: dansimp
-  ms.author: dansimp
+  author: frankroj
+  ms.author: frankroj
   manager: aaroncz
   audience: ITPro
   ms.collection: M365-security-compliance
   ms.topic: faq
-  ms.date: 02/28/2019
+  ms.date: 11/08/2022
   ms.custom: bitlocker
 title: Using BitLocker with other programs FAQ
 summary: |
-  **Applies to**
-  -   Windows 10
+  **Applies to:**
+  - Windows 10
+  - Windows 11
+  - Windows Server 2016 and above
   
 
 sections:
@@ -29,12 +31,12 @@ sections:
       - question: |
           Can I use EFS with BitLocker?
         answer: |
-          Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
+          Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
 
       - question: |
           Can I run a kernel debugger with BitLocker?
         answer: |
-          Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode.
+          Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If debugging needs to be turned on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting the computer into recovery mode.
 
       - question: |
           How does BitLocker handle memory dumps?
@@ -44,80 +46,82 @@ sections:
       - question: |
           Can BitLocker support smart cards for pre-boot authentication?
         answer: |
-          BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
+          BitLocker doesn't support smart cards for pre-boot authentication. There's no single industry standard for smart card support in the firmware, and most computers either don't implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
 
       - question: |
           Can I use a non-Microsoft TPM driver?
         answer: |
-          Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker.
+          Microsoft doesn't support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM isn't present on the computer and not allow the TPM to be used with BitLocker.
 
       - question: |
           Can other tools that manage or modify the master boot record work with BitLocker?
         answer: |
-          We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
+          We don't recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for several security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally and complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
 
       - question: |
-          Why is the system check failing when I am encrypting my operating system drive?
+          Why is the system check failing when I'm encrypting my operating system drive?
         answer: |
-          The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
+          The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
           
-          -   The computer's BIOS or UEFI firmware cannot read USB flash drives.
-          -   The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
-          -   There are multiple USB flash drives inserted into the computer.
-          -   The PIN was not entered correctly.
-          -   The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment.
-          -   The startup key was removed before the computer finished rebooting.
-          -   The TPM has malfunctioned and fails to unseal the keys.
+          - The computer's BIOS or UEFI firmware can't read USB flash drives.
+          - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled.
+          - There are multiple USB flash drives inserted into the computer.
+          - The PIN wasn't entered correctly.
+          - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment.
+          - The startup key was removed before the computer finished rebooting.
+          - The TPM has malfunctioned and fails to unseal the keys.
           
       - question: |
-          What can I do if the recovery key on my USB flash drive cannot be read?
+          What can I do if the recovery key on my USB flash drive can't be read?
         answer: |
-          Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
+          Some computers can't read USB flash drives in the pre-boot environment. First, check the BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it isn't enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings, and then try to read the recovery key from the USB flash drive again. If the USB flash drive still can't be read, the hard drive will need to be mounted as a data drive on another computer so that there's an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, a recovery password may need to be supplied or use the recovery information that was backed up to AD DS. Also, if the recovery key is being used in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
 
       - question: |
           Why am I unable to save my recovery key to my USB flash drive?
         answer: |
-          The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
+          The **Save to USB** option isn't shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
 
       - question: |
           Why am I unable to automatically unlock my drive?
         answer: |
-          Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
+          Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If a computer is being used that doesn't have a BitLocker-protected operating system drive, then the fixed drive can't be automatically unlocked. For removable data drives, automatic unlocking can be added by right-clicking the drive in Windows Explorer and selecting **Manage BitLocker**. Password or smart card credentials that were supplied when BitLocker was turned on can still be used to unlock the removable drive on other computers.
 
       - question: |
           Can I use BitLocker in Safe Mode?
         answer: |
-          Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode.
+          Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer isn't available in Safe Mode.
 
       - question: |
           How do I "lock" a data drive?
         answer: |
-          Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command.
+          Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command.
           
           > [!NOTE]
           > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
            
           The syntax of this command is:
           
-          <code>manage-bde <i>driveletter</i> -lock</code>
+          ```cmd
+          manage-bde.exe <driveletter> -lock
+          ````
           
           Outside of using this command, data drives will be locked on shutdown and restart of the operating system. A removable data drive will also be locked automatically when the drive is removed from the computer.
           
       - question: |
           Can I use BitLocker with the Volume Shadow Copy Service?
         answer: |
-          Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained.
+          Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If a hardware encrypted drive is being used, the shadow copies are retained.
 
       - question: |
           Does BitLocker support virtual hard disks (VHDs)?
         answer: |
           BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
-          - With TPM: Yes, it is supported.
-          - Without  TPM: Yes, it is supported (with password protector).
+          - With TPM: Yes, it's supported.
+          - Without  TPM: Yes, it's supported (with password protector).
           
-          BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
+          BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
           
       - question: |
           Can I use BitLocker with virtual machines (VMs)?
         answer: |
-          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+          Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 4473a9d639..56026fd192 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -1,23 +1,23 @@
 ---
-title: Prepare your organization for BitLocker Planning and policies (Windows 10)
-description: This article for the IT professional explains how can you plan your BitLocker deployment.
+title: Prepare the organization for BitLocker Planning and policies (Windows 10)
+description: This article for the IT professional explains how can to plan for a BitLocker deployment.
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
-ms.date: 04/24/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
-# Prepare your organization for BitLocker: Planning and policies
+# Prepare an organization for BitLocker: Planning and policies
 
-**Applies to**
+**Applies to:**
 
 - Windows 10
 - Windows 11
@@ -25,18 +25,22 @@ ms.custom: bitlocker
 
 This article for the IT professional explains how to plan BitLocker deployment.
 
-When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems.
+When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems.
 
-## Audit your environment
+## Audit the environment
 
-To plan your BitLocker deployment, understand your current environment. Do an informal audit to define your current policies, procedures, and hardware environment. Review your existing disk encryption software corporate security policies. If your organization isn't using disk encryption software, then none of these policies will exist. If you use disk encryption software, then you might need to change your organization's policies to use the BitLocker features.
+To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software corporate security policies. If the organization isn't using disk encryption software, then none of these policies will exist. If disk encryption software is being used, then the organization's policies might need to be changed to use the BitLocker features.
 
-To help you document your organization's current disk encryption security policies, answer the following questions:
+To help document the organization's current disk encryption security policies, answer the following questions:
 
 1. Are there policies to determine which computers will use BitLocker and which computers won't use BitLocker?
+
 2. What policies exist to control recovery password and recovery key storage?
+
 3. What are the policies for validating the identity of users who need to perform BitLocker recovery?
+
 4. What policies exist to control who in the organization has access to recovery data?
+
 5. What policies exist to control computer decommissioning or retirement?
 
 ## Encryption keys and authentication
@@ -48,51 +52,52 @@ BitLocker helps prevent unauthorized access to data on lost or stolen computers
 
 The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data. And, help make sure a computer hasn't been tampered with while the system was offline.
 
-Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
+Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
 
-On computers that don't have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
+On computers that don't have a TPM version 1.2 or higher, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
 
 ### BitLocker key protectors
+
 | Key protector | Description |
 | - | - |
-| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
-| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
-| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
-| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.|
-| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.|
-| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
+| *TPM* | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
+| *PIN* | A user-entered numeric key protector that can only be used in addition to the TPM.|
+| *Enhanced PIN* | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
+| *Startup key* | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.|
+| *Recovery password* | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
+| *Recovery key*| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
 
 ### BitLocker authentication methods
 
 | Authentication method | Requires user interaction | Description |
 | - | - | - |
-| TPM only| No| TPM validates early boot components.|
-| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
-| TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
-| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
-| Startup key only | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.|
+| *TPM only*| No| TPM validates early boot components.|
+| *TPM + PIN* | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
+| *TPM + Network key* | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
+| *TPM + startup key* | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
+| *Startup key only* | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.|
 
-**Will you support computers without TPM 1.2 or higher versions?**
+#### Will computers without TPM 1.2 or higher versions be supported?
 
-Determine whether you will support computers that don't have a TPM 1.2 or higher versions in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication.
+Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support computers with TPM 1.2 or higher versions, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication.
 
-**What areas of your organization need a baseline level of data protection?**
+#### What areas of the organization need a baseline level of data protection?
 
 The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended.
 
-However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection.
+However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection.
 
-**What areas of your organization need a more secure level of data protection?**
+#### What areas of the organization need a more secure level of data protection?
 
-If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
+If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. BitLocker Network Unlock can also be used to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
 
-**What multifactor authentication method does your organization prefer?**
+#### What multifactor authentication method does the organization prefer?
 
 The protection differences provided by multifactor authentication methods can't be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and any automated systems management processes.
 
 ## TPM hardware configurations
 
-In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
+In the deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM(s) being used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
 
 ### TPM 1.2 states and initialization
 
@@ -102,7 +107,7 @@ For TPM 1.2, there are multiple possible states. Windows automatically initializ
 
 For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup.
 
-An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken.
+An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken.
 
 For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (<https://go.microsoft.com/fwlink/p/?linkid=69584>).
 
@@ -110,13 +115,13 @@ For more information about the TPM and the TCG, see the Trusted Computing Group:
 
 Devices that don't include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key.
 
-Use the following questions to identify issues that might affect your deployment in a non-TPM configuration:
+Use the following questions to identify issues that might affect the deployment in a non-TPM configuration:
 
 - Are password complexity rules in place?
-- Do you have budget for USB flash drives for each of these computers?
-- Do your existing non-TPM devices support USB devices at boot time?
+- Is there a budget for USB flash drives for each of these computers?
+- Do existing non-TPM devices support USB devices at boot time?
 
-Test your individual hardware platforms with the BitLocker system check option while you're enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material.
+Test the individual hardware platforms with the BitLocker system check option while enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material.
 
 ## Disk configuration considerations
 
@@ -125,17 +130,17 @@ To function correctly, BitLocker requires a specific disk configuration. BitLock
 - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system
 - The system partition (or boot partition) includes the files needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker isn't enabled on this partition. For BitLocker to work, the system partition must not be encrypted, and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32-file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size.
 
-Windows setup automatically configures the disk drives of your computer to support BitLocker encryption.
+Windows setup automatically configures the disk drives of computers to support BitLocker encryption.
 
 Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE with BitLocker, the Windows RE boot image must be on a volume that isn't protected by BitLocker.
 
-Windows RE can also be used from boot media other than the local hard disk. If you don't install Windows RE on the local hard disk of BitLocker-enabled computers, then you can use different boot methods. For example, you can use Windows Deployment Services, CD-ROM, or USB flash drive for recovery.
+Windows RE can also be used from boot media other than the local hard disk. If Windows RE isn't installed on the local hard disk of BitLocker-enabled computers, then different methods can be used to boot Windows RE. For example, Windows Deployment Services (WDS), CD-ROM, or USB flash drive can be used for recovery.
 
 ## BitLocker provisioning
 
 In Windows Vista and Windows 7, BitLocker was provisioned after the installation for system and data volumes. It used the `manage-bde` command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM.
 
-To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, `manage-bde` tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
+To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
 
 When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
 
@@ -145,7 +150,7 @@ Administrators can enable BitLocker before to operating system deployment from t
 
 The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption.
 
-Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you're asked to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption.
+Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption.
 
 With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive.
 
@@ -155,7 +160,7 @@ With Full drive encryption, the entire drive is encrypted, whether data is store
 
 BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information:
 
-Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered.
+**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > ***drive type*** > **Choose how BitLocker-protected drives can be recovered**.
 
 By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information).
 
@@ -167,7 +172,7 @@ The following recovery data is saved for each computer object:
 
 - **Key package data**
 
-    With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID.
+    With this key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID.
 
 ## FIPS support for recovery password protector
 
@@ -176,21 +181,25 @@ Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLoc
 > [!NOTE]
 > The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
 
-Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant).
+Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [The recovery password for Windows BitLocker isn't available when FIPS compliant policy is set in Windows](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant).
 
-But on computers running these supported systems with BitLocker enabled:
+However, on computers running these supported systems with BitLocker enabled:
 
 - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm.
+
 - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.
+
 - Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords.
+
 - When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode.
+
 - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
 
 The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not.
 
-On Windows Server 2012 R2 and Windows 8.1 and older, you can't use recovery passwords generated on a system in FIPS mode. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead.
+On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generated on a system in FIPS mode can't be used. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead.
 
-## More information
+## Related articles
 
 - [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md)
 - [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md)
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index 8a767976cc..edf5fd84f3 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -2,27 +2,29 @@
 title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
 description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
+ms.technology: itpro-security
 ---
 
 # Protecting cluster shared volumes and storage area networks with BitLocker
 
-**Applies to**
--   Windows Server 2016
+**Applies to:**
+
+- Windows Server 2016 and above
 
 This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker.
 
 BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume.
 
-## <a href="" id="configuring-bitlocker-on-cluster-shared-volumes-"></a>Configuring BitLocker on Cluster Shared Volumes
+## Configuring BitLocker on Cluster Shared Volumes
 
 ### Using BitLocker with clustered volumes
 
@@ -30,146 +32,150 @@ Volumes within a cluster are managed with the help of BitLocker based on how the
 
 > [!IMPORTANT]
 > SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/).
- 
+
 Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks:
 
 - It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool.
 - It must put the resource into maintenance mode before BitLocker operations are completed.
 
-Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item.
+Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item.
 
 > [!NOTE]
 > Mount points can be used to support remote mount points on SMB-based network shares. This type of share is not supported for BitLocker encryption.
- 
-If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. You can't use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **manage-bde -WipeFreeSpace** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
+
+If there's a thinly provisioned storage, such as a dynamic virtual hard disk (VHD), BitLocker runs in **Used Disk Space Only** encryption mode. The **`manage-bde.exe -WipeFreeSpace`** command can't be used to transition the volume to full-volume encryption on thinly provisioned storage volumes. The usage of **`manage-bde.exe -WipeFreeSpace`** command is blocked to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
 
 ### Active Directory-based protector
 
-You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place:
+An Active Directory Domain Services (AD DS) protector can also be used for protecting clustered volumes held within the AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the following events take place:
 
-- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. 
+- BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request.
 - BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
 
-    1.  Clear key
-    2.  Driver-based auto-unlock key
-    3.  **ADAccountOrGroup** protector
-    
+    1. Clear key
+    2. Driver-based auto-unlock key
+    3. **ADAccountOrGroup** protector
+
         a.  Service context protector
-        
+
         b.  User protector
-        
-    4.  Registry-based auto-unlock key
+
+    4. Registry-based auto-unlock key
 
 > [!NOTE]
 > A Windows Server 2012 or later domain controller is required for this feature to work properly.
- 
+
 ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell
 
 BitLocker encryption is available for disks before these disks are added to a cluster storage pool.
 > [!NOTE]
-> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. 
-The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. 
+> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool.
+The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation.
 To turn on BitLocker for a disk before adding it to a cluster:
 
-1.  Install the BitLocker Drive Encryption feature if it isn't already installed.
-2.  Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it.
-3.  Identify the name of the cluster with Windows PowerShell.
+1. Install the BitLocker Drive Encryption feature if it isn't already installed.
+
+2. Ensure the disk is an NTFS-formatted one and has a drive letter assigned to it.
+
+3. Identify the name of the cluster with Windows PowerShell.
 
     ```powershell
     Get-Cluster
     ```
-4.  Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
+
+4. Enable BitLocker on a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
 
     ```powershell
     Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
     ```
-    > [!WARNING]
-    > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
-     
-5.  Repeat the preceding steps for each disk in the cluster.
 
-6.  Add the volume(s) to the cluster.
+    > [!WARNING]
+    > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster.
+
+5. Repeat the preceding steps for each disk in the cluster.
+
+6. Add the volume(s) to the cluster.
 
 ### Turning on BitLocker for a clustered disk using Windows PowerShell
 
-When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the Bitlocker for a clustered disk using Windows PowerShell, perform the following steps:
+When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the BitLocker for a clustered disk using Windows PowerShell, perform the following steps:
 
-1.  Install the BitLocker drive encryption feature if it isn't already installed.
-2.  Check the status of the cluster disk using Windows PowerShell.
+1. Install the BitLocker drive encryption feature if it isn't already installed.
+
+2. Check the status of the cluster disk using Windows PowerShell.
 
     ```powershell
     Get-ClusterResource "Cluster Disk 1"
     ```
-3.  Put the physical disk resource into maintenance mode using Windows PowerShell.
+
+3. Put the physical disk resource into maintenance mode using Windows PowerShell.
 
     ```powershell
     Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
     ```
-4.  Identify the name of the cluster with Windows PowerShell.
+
+4. Identify the name of the cluster with Windows PowerShell.
 
     ```powershell
     Get-Cluster
     ```
-5.  Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
+
+5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
 
     ```powershell
     Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
     ```
 
     > [!WARNING]
-    > You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster.
-     
-6.  Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode:
+    > An **ADAccountOrGroup** protector must be configured using the cluster CNO for a BitLocker-enabled volume to either be shared in a cluster-shared Volume or to fail over properly in a traditional failover cluster.
+
+6. Use **Resume-ClusterResource** to take back the physical disk resource out of maintenance mode:
 
     ```powershell
     Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource
     ```
-7.  Repeat the preceding steps for each disk in the cluster.
 
-### Adding BitLocker-encrypted volumes to a cluster using manage-bde
+7. Repeat the preceding steps for each disk in the cluster.
 
-You can also use **manage-bde** to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are:
+### Adding BitLocker-encrypted volumes to a cluster using `manage-bde.exe`
 
-1.  Verify that the BitLocker drive encryption feature is installed on the computer.
-2.  Ensure new storage is formatted as NTFS.
-3.  Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example):
+**`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are:
 
-    -   `Manage-bde -on -used <drive letter> -RP -sid domain\CNO$ -sync`
+1. Verify that the BitLocker drive encryption feature is installed on the computer.
 
-       1.  BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues.
-       2.  Using the -sync parameter is optional. However, using -sync parameter has the following advantage:
-        - The -sync parameter ensures the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool.
+2. Ensure new storage is formatted as NTFS.
 
-4.  Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered.
+3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example:
 
+    ```cmd
+    manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync
+    ```
 
-    -   Once the disk is clustered, it's enabled for CSV.
+    1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues.
 
+    2. Using the -sync parameter is optional. However, using the -sync parameter has the advantage of ensuring the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool.
 
-5.  During the resource online operation, cluster checks whether the disk is BitLocker encrypted.
+4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered.
 
-    1.  If the volume isn't BitLocker enabled, traditional cluster online operations occur.
-    2.  If the volume is BitLocker enabled, the following check occurs:
+    - Once the disk is clustered, it's enabled for CSV.
 
+5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted.
 
-       -   If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.
+    1. If the volume isn't BitLocker enabled, traditional cluster online operations occur.
 
-6.  Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**".
-CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task:
+    2. If the volume is BitLocker enabled, BitLocker checks if the volume is **locked**. If the volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.
 
-- Utilize the **manage-bde -status** command with a path to the volume.
+6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource, and choosing "**Add to cluster shared volumes**".
 
- The path must be one that is inside the CSV namespace as seen in the example command line below.
+CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption run the `manage-bde.exe -status` command as an administrator with a path to the volume. The path must be one that is inside the CSV namespace. For example:
 
-
-```powershell
-manage-bde -status "C:\ClusterStorage\volume1"
+```cmd
+manage-bde.exe -status "C:\ClusterStorage\volume1"
 ```
 
 ### Physical disk resources
 
-
-Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking or unlocking volumes require a context to perform. For example, you can't unlock or decrypt a physical disk resource if you aren't administering the cluster node that owns the disk resource because the disk resource isn't available.
+Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This condition means that operations such as encrypting, decrypting, locking, or unlocking volumes require a context to perform. For example, a physical disk resource can't unlock or decrypt if it isn't administering the cluster node that owns the disk resource because the disk resource isn't available.
 
 ### Restrictions on BitLocker actions with cluster volumes
 
@@ -177,31 +183,38 @@ The following table contains information about both physical disk resources (tha
 
 | Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode |
 |--- |--- |--- |--- |--- |
-|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed|
-|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed|
-|**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed|
-|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed|
-|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed|
+|**`Manage-bde.exe -on`**|Blocked|Blocked|Blocked|Allowed|
+|**`Manage-bde.exe -off`**|Blocked|Blocked|Blocked|Allowed|
+|**`Manage-bde.exe Pause/Resume`**|Blocked|Blocked**|Blocked|Allowed|
+|**`Manage-bde.exe -lock`**|Blocked|Blocked|Blocked|Allowed|
+|**`Manage-bde.exe -wipe`**|Blocked|Blocked|Blocked|Allowed|
 |**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed|
-|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed|
-|**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed|
-|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
-|**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed|
+|**`Manage-bde.exe -protector -add`**|Allowed|Allowed|Blocked|Allowed|
+|**`Manage-bde.exe -protector -delete`**|Allowed|Allowed|Blocked|Allowed|
+|**`Manage-bde.exe -autounlock`**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
+|**`Manage-bde.exe -upgrade`**|Allowed|Allowed|Blocked|Allowed|
 |**Shrink**|Allowed|Allowed|Blocked|Allowed|
 |**Extend**|Allowed|Allowed|Blocked|Allowed|
 
 > [!NOTE]
-> Although the **manage-bde -pause** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node.
- 
+> Although the **`manage-bde.exe -pause`** command is blocked in clusters, the cluster service automatically resumes a paused encryption or decryption from the MDS node.
+
 In the case where a physical disk resource experiences a failover event during conversion, the new owning node detects that the conversion isn't complete and completes the conversion process.
 
 ### Other considerations when using BitLocker on CSV2.0
 
 Some other considerations to take into account for BitLocker on clustered storage include:
--   BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume.
--   If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
--   If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode.
--   If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster.
--   If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
--   If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
--   If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.
+
+- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume.
+
+- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete.
+
+- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode.
+
+- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster.
+
+- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
+
+- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
+
+- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
deleted file mode 100644
index 7242269177..0000000000
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: Guidelines for troubleshooting BitLocker
-description: Describes approaches for investigating BitLocker issues, including how to gather diagnostic information
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 10/17/2019
-ms.custom: bitlocker
----
-
-# Guidelines for troubleshooting BitLocker
-
-This article addresses common issues in BitLocker and provides guidelines to troubleshoot these issues. This article also provides information such as what data to collect and what settings to check. This information makes your troubleshooting process much easier.
-
-## Review the event logs
-
-Open Event Viewer and review the following logs under Applications and Services logs\\Microsoft\\Windows:
-
-- **BitLocker-API**. Review the management log, the operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
-   - Microsoft-Windows-BitLocker-API/BitLocker Operational
-   - Microsoft-Windows-BitLocker-API/BitLocker Management
-
-- **BitLocker-DrivePreparationTool**. Review the admin log,  the operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
-   - Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
-   - Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
-
-Additionally, review the Windows logs\\System log for events that were produced by the TPM and TPM-WMI event sources.
-
-To filter and display or export logs, you can use the [wevtutil.exe](/windows-server/administration/windows-commands/wevtutil) command-line tool or the [Get-WinEvent](/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6&preserve-view=true) cmdlet.
-
-
-For example, to use wevtutil to export the contents of the operational log from the BitLocker-API folder to a text file that is named BitLockerAPIOpsLog.txt, open a Command Prompt window, and run the following command:
-
-```cmd
-wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLockerAPIOpsLog.txt
-```
-
-To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run the following command:
-
-```ps
-Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv
-```
-
-You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
-
-- To display BitLocker-related information:
-   ```ps
-   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | fl
-   ```
-
-   The output of such a command resembles the following.
-
-   ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png)
-
-- To export BitLocker-related information:
-   ```ps
-   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'BitLocker' | Export-Csv -Path System-BitLocker.csv
-   ```
-
-- To display TPM-related information:
-   ```ps
-   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | fl
-   ```
-
-- To export TPM-related information:
-   ```ps
-   Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object -Property Message -Match 'TPM' | Export-Csv -Path System-TPM.csv
-   ```
-
-   The output of such a command resembles the following.
-
-   ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png)
-
-> [!NOTE]
-> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
-
-## Gather status information from the BitLocker technologies
-
-Open an elevated Windows PowerShell window, and run each of the following commands.
-
-|Command |Notes |
-| --- | --- |
-|[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps&preserve-view=true) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
-|[**manage-bde –status \>&nbsp;C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
-|[**manage-bde c: <br />-protectors -get \>&nbsp;C:\\Protectors**](/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key.  |
-|[**reagentc&nbsp;/info&nbsp;\>&nbsp;C:\\reagent.txt**](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
-|[**get-BitLockerVolume \| fl**](/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps&preserve-view=true) |Gets information about volumes that BitLocker Drive Encryption can protect. |
-
-## Review the configuration information
-
-1. Open an elevated Command Prompt window, and run the following commands.
-
-   |Command |Notes |
-   | --- | --- |
-   |[**gpresult /h \<Filename>**](/windows-server/administration/windows-commands/gpresult) |Exports the Resultant Set of Policy information, and saves the information as an HTML file. |
-   |[**msinfo /report \<Path> /computer&nbsp;\<ComputerName>**](/windows-server/administration/windows-commands/msinfo32) |Exports comprehensive information about the hardware, system components, and software environment on the local computer. The **/report** option saves the information as a .txt file. |
-
-1. Open Registry Editor, and export the entries in the following subkeys:
-
-   - **HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE**
-   - **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\**
-
-## Check the BitLocker prerequisites
-
-Common settings that can cause issues for BitLocker include the following scenarios:
-
-- The TPM must be unlocked. You can check the output of the **get-tpm** command for the status of the TPM.
-- Windows RE must be enabled. You can check the output of the **reagentc** command for the status of WindowsRE.
-- The system-reserved partition must use the correct format.
-  - On Unified Extensible Firmware Interface (UEFI) computers, the system-reserved partition must be formatted as FAT32.
-  - On legacy computers, the system-reserved partition must be formatted as NTFS.
-- If the device that you are troubleshooting is a slate or tablet PC, use <https://gpsearch.azurewebsites.net/#8153> to verify the status of the **Enable use of BitLocker authentication requiring preboot keyboard input on slates** option.
-
-For more information about the BitLocker prerequisites, see [BitLocker basic deployment: Using BitLocker to encrypt volumes](./bitlocker-basic-deployment.md#using-bitlocker-to-encrypt-volumes)
-
-## Next steps
-
-If the information that you have examined so far indicates a specific issue (for example, WindowsRE is not enabled), the issue may have a straightforward fix.
-
-Resolving issues that do not have obvious causes depends on exactly which components are involved and what behavior you see. The information that you have gathered helps you narrow down the areas to investigate.
-
-- If you are working on a device that is managed by Microsoft Intune, see [Enforcing BitLocker policies by using Intune: known issues](ts-bitlocker-intune-issues.md).
-- If BitLocker does not start or cannot encrypt a drive and you notice errors or events that are related to the TPM, see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
-- If BitLocker does not start or cannot encrypt a drive, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
-- If BitLocker Network Unlock does not behave as expected, see [BitLocker Network Unlock: known issues](ts-bitlocker-network-unlock-issues.md).
-- If BitLocker does not behave as expected when you recover an encrypted drive, or if you did not expect BitLocker to recover the drive, see [BitLocker recovery: known issues](ts-bitlocker-recovery-issues.md).
-- If BitLocker or the encrypted drive does not behave as expected, and you notice errors or events that are related to the TPM, see [BitLocker and TPM: other known issues](ts-bitlocker-tpm-issues.md).
-- If BitLocker or the encrypted drive does not behave as expected, see [BitLocker configuration: known issues](ts-bitlocker-config-issues.md).
-
-We recommend that you keep the information that you have gathered handy in case you decide to contact Microsoft Support for help to resolve your issue.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
deleted file mode 100644
index ef0e081dee..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: BitLocker cannot encrypt a drive  known issues
-description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 10/17/2019
-ms.custom: bitlocker
----
-
-# BitLocker cannot encrypt a drive: known issues
-
-This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
-
-> [!NOTE]
-> If you have determined that your BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md).
-
-## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive
-
-When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following:
-
-> **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.
-
-### Cause
-
-This issue may be caused by settings that are controlled by group policy objects (GPOs).
-
-### Resolution
-
-> [!IMPORTANT]
-> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
-
-To resolve this issue, follow these steps:
-
-1. Start Registry Editor, and navigate to the following subkey:
-
-   **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE**
-
-1. Delete the following entries:
-   - **OSPlatformValidation\_BIOS**
-   - **OSPlatformValidation\_UEFI**
-   - **PlatformValidation**
-
-1. Exit registry editor, and turn on BitLocker drive encryption again.
-
-## "Access is denied" message when you try to encrypt removable drives
-
-You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:
-
-1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.
-
-1. On the **Choose how you want to unlock this drive** page, select **Use a password to unlock the drive**.
-
-1. Follow the instructions on the page to enter your password.
-
-1. On the **Are you ready to encrypt this drive?** page, select **Start encrypting**.
-
-1. The **Starting encryption** page displays the message "Access is denied."
-
-You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.
-
-### Cause
-
-The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE.
-
-To verify that this issue has occurred, follow these steps:
-
-1. On an affected computer, open an elevated Command Prompt window and an elevated PowerShell window.
-
-1. At the command prompt, enter the following command:
-
-   ```console
-   C:\>sc sdshow bdesvc
-   ```
-
-   The output of this command resembles the following:
-
-   > `D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)`
-
-1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
-
-   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
-
-   If you see NT AUTHORITY\INTERACTIVE (as highlighted) in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
-
-   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
-
-> [!NOTE]
-> GPOs that change the security descriptors of services have been known to cause this issue.
-
-### Resolution
-
-1. To repair the security descriptor of BDESvc, open an elevated PowerShell window and enter the following command:
-
-   ```powershell
-   sc sdset bdesvc D:(A;;CCDCLCSWRPWPDTLORCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLORCWDWO;;;BA)(A;;CCLCSWRPLORC;;;BU)(A;;CCLCSWRPLORC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)
-   ```
-
-1. Restart the computer.
-
-The issue should now be resolved.
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
deleted file mode 100644
index cff0ac038d..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: BitLocker cannot encrypt a drive known TPM issues
-description: Provides guidance for troubleshooting known issues that may prevent BitLocker Drive Encryption from encrypting a drive, and that you can attribute to the TPM
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 10/18/2019
-ms.custom: bitlocker
----
-
-# BitLocker cannot encrypt a drive: known TPM issues
-
-This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues.
-
-> [!NOTE]
-> If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md).
-
-## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period"
-
-When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
-
-### Cause
-
-The TPM is locked out.
-
-### Resolution
-
-To resolve this issue, follow these steps:
-
-1. Open an elevated PowerShell window and run the following script:
-
-   ```powershell
-   $Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
-   $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
-   if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
-   ```
-2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8
-3. Retry starting BitLocker drive encryption.
-
-## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period"
-
-You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period."
-
-### Cause
-
-The TPM is locked out.
-
-### Resolution
-
-To resolve this issue, disable and re-enable the TPM. To do this, follow these steps:
-
-1. Restart the device, and change the BIOS configuration to disable the TPM.
-2. Restart the device again, and return to the TPM management console. Following message is displayed:
-   > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS.
-
-3. Restart the device, and change the BIOS configuration to enable the TPM.
-4. Restart the device, and return to the TPM management console.
-
-If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
-
-> [!WARNING]
-> Clearing the TPM can cause data loss.
-
-## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005
-
-You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights."
-
-### Cause
-
-The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run.
-
-This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10.
-
-### Resolution
-
-To verify that you have correctly identified this issue, use one of the following methods:
-
-- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed.
-- Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container.
-
-1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command:
-
-   ```powershell
-   Get-ADComputer -Filter {Name -like "ComputerName"} -Property * | Format-Table name,msTPM-TPMInformationForComputer
-   ```
-
-   In this command, *ComputerName* is the name of the affected computer.
-
-1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF.
-
-## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server"
-
-Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy.  
-
-You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following:
-
-> 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled
-
-You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformationForComputer** attributes are present.
-
-### Cause
-
-The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set.
-
-### Resolution
-
-To resolve this issue, follow these steps:
-
-1. Upgrade the functional level of the domain and forest to Windows Server 2012 R2.
-2. Download [Add-TPMSelfWriteACE.vbs](/samples/browse/?redirectedfrom=TechNet-Gallery).
-3. In the script, modify the value of **strPathToDomain** to your domain name.
-4. Open an elevated PowerShell window, and run the following command:
-
-   ```powershell
-   cscript <Path>Add-TPMSelfWriteACE.vbs
-   ```
-
-   In this command \<*Path*> is the path to the script file.
-
-For more information, see the following articles:
-
-- [Back up the TPM recovery information to AD DS](../tpm/backup-tpm-recovery-information-to-ad-ds.md)
-- [Prepare your organization for BitLocker: Planning and policies](./prepare-your-organization-for-bitlocker-planning-and-policies.md)
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
deleted file mode 100644
index 0cd7aa0c07..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
+++ /dev/null
@@ -1,181 +0,0 @@
----
-title: BitLocker configuration known issues
-description: Describes common issues that involve your BitLocker configuration and BitLocker's general functionality, and provides guidance for addressing those issues.
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 10/17/2019
-ms.custom: bitlocker
----
-
-# BitLocker configuration: known issues
-
-This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues.
-
-## BitLocker encryption is slower in Windows 10 and Windows 11
-
-In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
-
-To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*.
-
-> [!IMPORTANT]
-> To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives.
-
-### Benefits of using the new conversion model
-
-By using the previous conversion model, you cannot consider an internal drive to be protected (and compliant with data protection standards) until the BitLocker conversion is 100 percent complete. Before the process finishes, the data that existed on the drive before encryption began&mdash;that is, potentially compromised data&mdash;can still be read and written without encryption. Therefore, you must wait for the encryption process to finish before you store sensitive data on the drive. Depending on the size of the drive, this delay can be substantial.
-
-By using the new conversion model, you can safely store sensitive data on the drive as soon as you turn on BitLocker. You don't have to wait for the encryption process to finish, and encryption does not adversely affect performance. The tradeoff is that the encryption process for pre-existing data takes more time.
-
-### Other BitLocker enhancements
-
-After Windows 7 was released, several other areas of BitLocker were improved:
-
-- **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text.
-
-   By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software.
-
-- **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces:
-   -  BitLocker Wizard
-   - manage-bde
-   - Group Policy Objects (GPOs)
-   - Mobile Device Management (MDM) policy
-   - Windows PowerShell
-   - Windows Management Interface (WMI)
-
-- **Integration with Azure Active Directory** (Azure AD). BitLocker can store recovery information in Azure AD to make it easier to recover.
-
-- **[Direct memory access (DMA) Port Protection](../kernel-dma-protection-for-thunderbolt.md)**. By using MDM policies to manage BitLocker, you can block a device's DMA ports and secure the device during its startup.
-
-- **[BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md)**. If your BitLocker-enabled desktop or server computer is connected to a wired corporate network in a domain environment, you can automatically unlock its operating system volume during a system restart.
-
-- **Support for [Encrypted Hard Drives](../encrypted-hard-drive.md)**. Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. By taking on that workload, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption.
-
-- **Support for classes of HDD/SSD hybrid disks**. BitLocker can encrypt a disk that uses a small SSD as a non-volatile cache in front of the HDD, such as Intel Rapid Storage Technology.
-
-## Hyper-V Gen 2 VM: Cannot access the volume after BitLocker encryption
-
-Consider the following scenario:
-
-1. You turn on BitLocker on a generation-2 virtual machine (VM) that runs on Hyper-V.
-1. You add data to the data disk as it encrypts.
-1. You restart the VM, and observe the following:
-   - The system volume is not encrypted.
-   - The encrypted volume is not accessible, and the computer lists the volume's file system as "Unknown."
-   - You see a message that resembles: "You need to format the disk in \<*x:*> drive before you can use it"
-
-### Cause
-
-This issue occurs because the third-party filter driver Stcvsm.sys (from StorageCraft) is installed on the VM.
-
-### Resolution
-
-To resolve this issue, remove the third-party software.
-
-## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks
-
-You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
-
-This issue occurs regardless of any of the following variations in the environment:
-
-- How the domain controller volumes are unlocked.
-- Whether the VMs are generation 1 or generation 2.
-- Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2.
-
-In the domain controller application log, the VSS event source records event ID 8229:
-
-> ID: 8229  
-> Level: Warning  
-> ‎Source: VSS  
-> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur.  
->  
-> Changes that the writer made to the writer components while handling the event will not be available to the requester.  
->  
-> Check the event log for related events from the application hosting the VSS writer.  
->  
-> Operation:  
-> PostSnapshot Event
->  
-> Context:  
-> Execution Context: Writer
-> Writer Class Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
-> Writer Name: NTDS  
-> Writer Instance ID: {d170b355-a523-47ba-a5c8-732244f70e75}
-> Command Line: C:\\Windows\\system32\\lsass.exe
->  
-> Process ID: 680  
-
-In the domain controller Directory Services event log, you see an event that resembles the following:
-
-> Error Microsoft-Windows-ActiveDirectory\_DomainService 1168  
-> Internal Processing Internal error: An Active Directory Domain Services error has occurred.
->  
->‎ &nbsp;Additional Data  
-> ‎&nbsp;&nbsp;Error value (decimal):  -1022  
->  
-> Error value (hex): fffffc02  
->  
-> Internal ID: 160207d9  
-
-> [!NOTE]
-> The internal ID of this event may differ based on your operating system release and path level.
-
-After this issue occurs, if you run the **VSSADMIN list writers** command, you see output that resembles the following for the Active Directory Domain Services (NTDS) VSS Writer:  
-
-> Writer name: 'NTDS'  
-> &nbsp;&nbsp;Writer Id: {b2014c9e-8711-4c5c-a5a9-3cf384484757}  
-> &nbsp;&nbsp;Writer Instance Id: {08321e53-4032-44dc-9b03-7a1a15ad3eb8}  
-> &nbsp;&nbsp;State: \[11\] Failed  
-> &nbsp;&nbsp;Last error: Non-retryable error  
-
-Additionally, you cannot back up the VMs until you restart them.
-
-### Cause
-
-After VSS creates a snapshot of a volume, the VSS writer takes "post snapshot" actions. In the case of a "production snapshot," which you initiate from the host server, Hyper-V tries to mount the snapshotted volume. However, it cannot unlock the volume for unencrypted access. BitLocker on the Hyper-V server does not recognize the volume. Therefore, the access attempt fails and then the snapshot operation fails.
-
-This behavior is by design.
-
-### Workaround
-
-There is one supported way to perform backup and restore of a virtualized domain controller:
-
-- Run Windows Server Backup in the guest operating system.
-
-If you have to take a production snapshot of a virtualized domain controller, you can suspend BitLocker in the guest operating system before you start the production snapshot. However, this approach is not recommended.
-
-For more information and recommendations about backing up virtualized domain controllers, see [Virtualizing Domain Controllers using Hyper-V: Backup and Restore Considerations for Virtualized Domain Controllers](/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v#backup-and-restore-considerations-for-virtualized-domain-controllers)
-
-### More information
-
-When the VSS NTDS writer requests access to the encrypted drive, the Local Security Authority Subsystem Service (LSASS) generates an error entry that resembles the following:
-
-```console
-\# for hex 0xc0210000 / decimal -1071579136
-‎ STATUS\_FVE\_LOCKED\_VOLUME ntstatus.h
-‎ \# This volume is locked by BitLocker Drive Encryption.
-```
-
-The operation produces the following call stack:
-
-```console
-\# Child-SP RetAddr Call Site
-‎ 00 00000086\`b357a800 00007ffc\`ea6e7a4c KERNELBASE\!FindFirstFileExW+0x1ba \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 872\]
-‎ 01 00000086\`b357abd0 00007ffc\`e824accb KERNELBASE\!FindFirstFileW+0x1c \[d:\\rs1\\minkernel\\kernelbase\\filefind.c @ 208\]
-‎ 02 00000086\`b357ac10 00007ffc\`e824afa1 ESENT\!COSFileFind::ErrInit+0x10b \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 2476\]
-‎ 03 00000086\`b357b700 00007ffc\`e827bf02 ESENT\!COSFileSystem::ErrFileFind+0xa1 \[d:\\rs1\\onecore\\ds\\esent\\src\\os\\osfs.cxx @ 1443\]
-‎ 04 00000086\`b357b960 00007ffc\`e82882a9 ESENT\!JetGetDatabaseFileInfoEx+0xa2 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11503\]
-‎ 05 00000086\`b357c260 00007ffc\`e8288166 ESENT\!JetGetDatabaseFileInfoExA+0x59 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 11759\]
-‎ 06 00000086\`b357c390 00007ffc\`e84c64fb ESENT\!JetGetDatabaseFileInfoA+0x46 \[d:\\rs1\\onecore\\ds\\esent\\src\\ese\\jetapi.cxx @ 12076\]
-‎ 07 00000086\`b357c3f0 00007ffc\`e84c5f23 ntdsbsrv\!CVssJetWriterLocal::RecoverJetDB+0x12f \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2009\]
-‎ 08 00000086\`b357c710 00007ffc\`e80339e0 ntdsbsrv\!CVssJetWriterLocal::OnPostSnapshot+0x293 \[d:\\rs1\\ds\\ds\\src\\jetback\\snapshot.cxx @ 2190\]
-‎ 09 00000086\`b357cad0 00007ffc\`e801fe6d VSSAPI\!CVssIJetWriter::OnPostSnapshot+0x300 \[d:\\rs1\\base\\stor\\vss\\modules\\jetwriter\\ijetwriter.cpp @ 1704\]
-‎ 0a 00000086\`b357ccc0 00007ffc\`e8022193 VSSAPI\!CVssWriterImpl::OnPostSnapshotGuard+0x1d \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 5228\]
-‎ 0b 00000086\`b357ccf0 00007ffc\`e80214f0 VSSAPI\!CVssWriterImpl::PostSnapshotInternal+0xc3b \[d:\\rs1\\base\\stor\\vss\\modules\\vswriter\\vswrtimp.cpp @ 3552\]
-```
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
deleted file mode 100644
index c36cc4ab98..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: Decode Measured Boot logs to track PCR changes
-description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 10/17/2019
-ms.custom: bitlocker
----
-
-# Decode Measured Boot logs to track PCR changes
-
-Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.  
-
-By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder.
-
-This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool.
-
-For more information about Measured Boot and PCRs, see the following articles:
-
-- [TPM fundamentals: Measured Boot with support for attestation](../tpm/tpm-fundamentals.md#measured-boot-with-support-for-attestation)  
-- [Understanding PCR banks on TPM 2.0 devices](../tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
-
-## Use TBSLogGenerator to decode Measured Boot logs
-
-Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 11, Windows 10, and earlier versions. You can install this tool on the following systems:
-
-- A computer that is running Windows Server 2016 and that has a TPM enabled
-- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM)
-
-To install the tool, follow these steps:
-
-1. Download the Windows Hardware Lab Kit from one of the following locations:
-
-   - [Windows Hardware Lab Kit](/windows-hardware/test/hlk/)
-   - Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112)
-
-1. Accept the default installation path.
-
-   ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png)
-
-1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
-
-   ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png)
-
-1. Finish the installation.
-
-To use TBSLogGenerator, follow these steps:
-
-1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
-
-   **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
-
-   This folder contains the TBSLogGenerator.exe file.
-
-   ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png)
-
-1. Run the following command:
-
-   ```console
-   TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
-   ```
-
-   where the variables represent the following values:
-   - \<*LogFolderName*> = the name of the folder that contains the file to be decoded
-   - \<*LogFileName*> = the name of the file to be decoded
-   - \<*DestinationFolderName*> = the name of the folder for the decoded text file
-   - \<*DecodedFileName*> = the name of the decoded text file
-
-   For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
-
-    ```console
-    TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
-    ```
-
-   ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png)
-
-   The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
-
-   ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
-
-   The content of this text file resembles the following.
-    
-   ![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
-    
-   To find the PCR information, go to the end of the file.
-    
-   ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
-
-## Use PCPTool to decode Measured Boot logs
-
-> [!NOTE]
-> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool.
-
-PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
-
-To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
-
-To decode a log, run the following command:
-
-```console
-PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
-```  
-
-where the variables represent the following values:
-- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
-- \<*LogFileName*> = the name of the file to be decoded
-- \<*DestinationFolderName*> = the name of the folder for the decoded text file
-- \<*DecodedFileName*> = the name of the decoded text file
-
-The content of the XML file resembles the following.
-
-:::image type="content" alt-text="Command Prompt window that shows an example of how to use PCPTool." source="./images/pcptool-output.jpg" lightbox="./images/pcptool-output.jpg":::
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
deleted file mode 100644
index abea61f37e..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ /dev/null
@@ -1,358 +0,0 @@
----
-title: Enforcing BitLocker policies by using Intune  known issues
-description: provides assistance for issues that you may see if you use Microsoft Intune policy to manage silent BitLocker encryption on devices.
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection:
-  - Windows Security Technologies\BitLocker
-  - highpri
-ms.topic: troubleshooting
-ms.date: 10/18/2019
-ms.custom: bitlocker
----
-
-# Enforcing BitLocker policies by using Intune: known issues
-
-This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
-
-:::image type="content" alt-text="The BitLocker status indictors on the Intune portal." source="./images/4509189-en-1.png" lightbox="./images/4509189-en-1.png":::
-
-To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
-
-- [Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer](#issue-1)
-- [Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer](#issue-2)
-- [Event ID 854: WinRE is not configured](#issue-3)
-- [Event ID 851: Contact manufacturer for BIOS upgrade](#issue-4)
-- [Error message: The UEFI variable 'SecureBoot' could not be read](#issue-6)
-- [Event ID 846, 778, and 851: Error 0x80072f9a](#issue-7)
-- [Error message: Conflicting Group Policy settings for recovery options on operating system drives](#issue-5)
-
-If you do not have a clear trail of events or error messages to follow, other areas to investigate include the following:
-
-- [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements)
-- [Review your BitLocker policy configuration](#policy)
-
-For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly).
-
-## <a id="issue-1"></a>Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer
-
-Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
-
-![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png)
-
-### Cause
-
-The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM.
-
-### Resolution
-
-To resolve this issue, verify the following:
-
-- The TPM is enabled in the device BIOS.  
-- The TPM status in the TPM management console resembles the following:
-   - Ready (TPM 2.0)
-   - Initialized (TPM 1.2)
-
-For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md).
-
-## <a id="issue-2"></a>Event ID 853: Error: BitLocker Drive Encryption detected bootable media (CD or DVD) in the computer
-
-In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
-
-![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png)
-
-### Cause
-
-During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts.
-
-To avoid this situation, the provisioning process stops if it detects a removable bootable media.
-
-### Resolution
-
-Remove the bootable media, and restart the device. After the device restarts, verify the encryption status.
-
-## <a id="issue-3"></a>Event ID 854: WinRE is not configured
-
-The event information resembles the following:
-
-> Failed to enable Silent Encryption. WinRe is not configured.
->  
-> Error: This PC cannot support device encryption because WinRE is not properly configured.
-
-### Cause
-
-Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE.
-
-The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes.
-
-If WinRE is not available on the device, provisioning stops.
-
-### Resolution
-
-You can resolve this issue by verifying the configuration of the disk partitions, the status of WinRE, and the Windows Boot Loader configuration. To do this, follow these steps.
-
-#### Step 1: Verify the configuration of the disk partitions
-
-The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
-
-![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
-
-To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands:
-
-```console
-diskpart 
-list volume
-```
-
-![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
-
-If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager):
-
-![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg)
-
-#### Step 2: Verify the status of WinRE
-
-To verify the status of WinRE on the device, open an elevated Command Prompt window and run the following command:
-
-```console
-reagentc /info
-```
-The output of this command resembles the following.
-
-![Output of the reagentc /info command.](./images/4509193-en-1.png)
-
-If the **Windows RE status** is not **Enabled**, run the following command to enable it:
-
-```console
-reagentc /enable
-```
-
-#### Step 3: Verify the Windows Boot Loader configuration
-
-If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window:
-
-```console
-bcdedit /enum all
-```
-
-The output of this command resembles the following:
-
-:::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::
-
-In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
-
-## <a id="issue-4"></a>Event ID 851: Contact the manufacturer for BIOS upgrade instructions
-
-The event information resembles the following:
-
-> Failed to enable Silent Encryption.
->  
-> Error: BitLocker Drive Encryption cannot be enabled on the operating system drive. Contact the computer manufacturer for BIOS upgrade instructions.
-
-### Cause
-
-The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS.
-
-### Resolution
-
-To verify the BIOS mode, use the System Information application. To do this, follow these steps:
-
-1. Select **Start**, and enter **msinfo32** in the **Search** box.
-
-1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.  
-
-   ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
-
-1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
-
-   > [!NOTE]
-   > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device.
-
-## <a id="issue-6"></a>Error message: The UEFI variable 'SecureBoot' could not be read
-
-You receive an error message that resembles the following:
-
-> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client.
-
-### Cause
-
-A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on.
-
-### Resolution
-
-You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps:
-
-#### Step 1: Verify the PCR validation profile of the TPM
-
-To verify that PCR 7 is in use, open an elevated Command Prompt window and run the following command:
-
-```console
-Manage-bde -protectors -get %systemdrive%
-```
-
-In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows:
-
-![Output of the manage-bde command.](./images/4509199-en-1.png)
-
-If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on.
-
-![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
-
-#### 2. Verify the secure boot state
-
-To verify the secure boot state, use the System Information application. To do this, follow these steps:
-
-1. Select **Start**, and enter **msinfo32** in the **Search** box.
-
-1. Verify that the **Secure Boot State** setting is **On**, as follows:  
-
-   ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
-
-1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.  
-
-   ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
-
-> [!NOTE]
-> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
->
-> ```ps
-> PS C:\> Confirm-SecureBootUEFI
-> ```
->
-> If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True."  
->  
-> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False."  
->  
-> If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform."  
-
-## <a id="issue-7"></a>Event ID 846, 778, and 851: Error 0x80072f9a
-
-In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
-
-The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):
-
-> Event ID:846
-> 
-> Event:
-> Failed to backup BitLocker Drive Encryption recovery information for volume C: to your Azure AD.
-> 
-> TraceId: {cbac2b6f-1434-4faa-a9c3-597b17c1dfa3}
-> Error: Unknown HResult Error code: 0x80072f9a
-
-> Event ID:778
-> 
-> Event: The BitLocker volume C: was reverted to an unprotected state.
-
-> Event ID: 851
-> 
-> Event:
-> Failed to enable Silent Encryption.
-> 
-> Error: Unknown HResult Error code: 0x80072f9a.
-
-These events refer to Error code 0x80072f9a.
-
-### Cause
-
-These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.
-
-The issue affects Windows 11 and Windows 10 version 1809.
-
-### Resolution
-
-To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update.
-
-## <a id="issue-5"></a>Error message: There are conflicting group policy settings for recovery options on operating system drives
-
-You receive a message that resembles the following:
-
-> **Error:** BitLocker Drive Encryption cannot be applied to this drive because there are conflicting Group Policy settings for recovery options on operating system drives. Storing recovery information to Active Directory Domain Services cannot be required when the generation of recovery passwords is not permitted. Please have your system administrator resolve these policy conflicts before attempting to enable BitLocker…
-
-### Resolution
-
-To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy).
-
-For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)).
-
-## <a id="policy"></a>Review your BitLocker policy configuration
-
-For information about the procedure to use policy together with BitLocker and Intune, see the following resources:
-
-- [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory)
-- [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10))
-- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
-- [Policy CSP &ndash; BitLocker](/windows/client-management/mdm/policy-csp-bitlocker)
-- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
-- [Enable ADMX-backed policies in MDM](/windows/client-management/mdm/enable-admx-backed-policies-in-mdm)
-- [gpresult](/windows-server/administration/windows-commands/gpresult)
-
-Intune offers the following enforcement types for BitLocker:
-
-- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later, or Windows 11.)
-- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later, or Windows 11.)
-- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803, or Windows 11.)
-
-If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
-
-If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following:
-
-![Intune policy settings.](./images/4509186-en-1.png)
-
-The OMA-URI references for these settings are as follows:
-
-- OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**  
-   Value Type: **Integer**  
-   Value: **1**  (1 = Require, 0 = Not Configured)
-
-- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**  
-   Value Type: **Integer**  
-   Value: **0** (0 = Blocked, 1 = Allowed)  
-
-> [!NOTE]
-> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
-
-> [!NOTE]
-> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard.  
-
-If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.  
-
-The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:
-
-- Be HSTI-compliant
-- Support Modern Standby
-- Use Windows 10 version 1803 or later, or Windows 11
-
-![Intune policy setting.](./images/4509188-en-1.png)
-
-The OMA-URI references for these settings are as follows:
-
-- OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption**  
-   Value Type: **Integer**
-   Value: **1**  
-
-> [!NOTE]
-> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles.
-
-## Verifying that BitLocker is operating correctly
-
-During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845.
-
-![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)
-
-![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png)
-
-You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
-
-![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png)
-
-On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
-
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**  
-
-![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png)
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
deleted file mode 100644
index d10158fc36..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: BitLocker network unlock known issues
-description: Describes several known issues that you may encounter while using network unlock, and provided guidance for addressing those issues.
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: v-tappelgate
-ms.author: v-tappelgate
-manager: kaushika
-ms.reviewer: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.custom: bitlocker
----
-
-# BitLocker network unlock: known issues
-
-By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, your environment needs to meet the following requirements:
-
-- Each computer belongs to a domain.
-- Each computer has a wired connection to the internal network.
-- The internal network uses DHCP to manage IP addresses.
-- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware.
-
-For general guidelines about how to troubleshoot network unlock, see [How to enable network unlock: Troubleshoot network unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock).
-
-This article describes several known issues that you may encounter when you use network unlock, and provides guidance to address these issues.
-
-## Tip: Detect whether BitLocker network unlock is enabled on a specific computer
-
-You can use the following steps on computers with either x64 or x32 UEFI firmware. You can also script these commands.
-
-1. Open an elevated command prompt window and run the following command:
-
-   ```cmd
-   manage-bde -protectors -get <Drive>
-   ```
-   
-   ```cmd
-   manage-bde -protectors -get C:
-   ```
-
-   Where `<Drive>` is the drive letter, followed by a colon (`:`), of the bootable drive.
-   If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock.
-
-1. Start Registry Editor, and verify the following settings:
-   - Entry `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE: OSManageNKP` is set to `1`.
-   - Subkey `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates` has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1.
-
-## 1. On a Surface Pro 4 device, BitLocker network unlock doesn't work because the UEFI network stack is incorrectly configured
-
-You've configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You've configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN.  
-
-You test another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device.
-
-### Cause of issue 1
-
-The UEFI network stack on the device was incorrectly configured.
-
-### Resolution for issue 1
-
-To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm).
-
-> [!NOTE]
-> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option.
-
-## 2. Unable to use BitLocker network unlock feature on a Windows client computer
-
-You have configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8 client computer that is connected to the internal network with an ethernet cable. However, when you restart the computer, it still prompts you for the BitLocker PIN.
-
-### Cause of issue 2
-
-A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server.
-
-DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests.
-
-The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option:
-
-- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages.
-- The third message that the BitLocker network unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request.
-
-A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message.
-
-If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message.
-
-For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable network unlock: network unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence).
-
-### Resolution for issue 2
-
-To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
deleted file mode 100644
index 163cc0e029..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ /dev/null
@@ -1,343 +0,0 @@
----
-title: BitLocker recovery known issues
-description: Describes common issues that can occur that prevent BitLocker from behaving as expected when recovering a drive, or may cause BitLocker to start recovery unexpectedly. The article provides guidance for addressing those issues.
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection:
-  - Windows Security Technologies\BitLocker
-  - highpri
-ms.topic: troubleshooting
-ms.date: 10/18/2019
-ms.custom: bitlocker
----
-
-# BitLocker recovery: known issues
-
-This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues.
-
-> [!NOTE]
-> In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors).
-
-## Windows prompts for a non-existing BitLocker recovery password
-
-Windows prompts you for a BitLocker recovery password. However, you did not configure a BitLocker recovery password.
-
-### Resolution
-
-The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue:
-
-- [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-)
-
-- [What happens if the backup initially fails? Will BitLocker retry the backup?](./bitlocker-and-adds-faq.yml)
-
-## The recovery password for a laptop was not backed up, and the laptop is locked
-
-You have a Windows 11 or Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password.
-
-### Resolution
-
-You can use either of the following methods to manually back up or synchronize an online client's existing recovery information:
-
-- Create a Windows Management Instrumentation (WMI) script that backs up the information. For more information, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider).
-
-- In an elevated Command Prompt window, use the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command to back up the information.
-
-   For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
-
-   ```console
-   manage-bde -protectors -adbackup C:
-   ```
-
-> [!NOTE]
-> BitLocker does not automatically manage this backup process.  
-
-## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode
-
-You have a tablet or slate device, and you try to test BitLocker recovery by running the following command:
-
-```console
-Manage-bde -forcerecovery
-```
-
-However, after you enter the recovery password, the device cannot start.
-
-### Cause
-
-> [!IMPORTANT]
-> Tablet devices do not support the **manage-bde -forcerecovery** command.
-
-This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.
-
-If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
-
-This behavior is by design for all versions of Windows.
-
-### Workaround
-
-To resolve the restart loop, follow these steps:
-
-1. On the BitLocker Recovery screen, select **Skip this drive**.
-
-1. Select **Troubleshoot** \> **Advanced Options** \> **Command Prompt**.
-
-1. In the Command Prompt window, run the following commands:
-
-   ```console
-   manage-bde –unlock C: -rp <48-digit BitLocker recovery password>
-   manage-bde -protectors -disable C:
-
-   ```
-
-1. Close the Command Prompt window.
-
-1. Shut down the device.
-
-1. Start the device. Windows should start as usual.
-
-## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password
-
-You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update.
-
-You experience one or more of the following symptoms on the Surface device:
-
-- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn’t start up.
-- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
-- The Surface device appears to be in an infinite restart loop.
-
-### Cause
-
-This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way:
-
-- Secure boot is turned off.
-- PCR values have been explicitly defined, such as by group policy.
-
-Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)).
-
-### Resolution
-
-To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command:
-
-```console
-manage-bde.exe -protectors -get <OSDriveLetter>:
-```
-
-In this command, &lt;*OSDriveLetter*&gt; represents the drive letter of the operating system drive.  
-
-To resolve this issue and repair the device, follow these steps.
-
-#### <a id="step-1"></a>Step 1: Disable the TPM protectors on the boot drive
-
-If you have installed a TPM or UEFI update and your device cannot start, even if you enter the correct BitLocker recovery password, you can restore the ability to start by using the BitLocker recovery password and a Surface recovery image to remove the TPM protectors from the boot drive.
-
-To do this, follow these steps:
-
-1. Obtain your BitLocker recovery password from [your Microsoft.com account](https://account.microsoft.com/devices/recoverykey). If BitLocker is managed by a different method, such as Microsoft BitLocker Administration and Monitoring (MBAM), contact your administrator for help.
-
-1. Use another computer to download the Surface recovery image from [Download a recovery image for your Surface](https://support.microsoft.com/surfacerecoveryimage). Use the downloaded image to create a USB recovery drive.
-
-1. Insert the USB Surface recovery image drive into the Surface device, and start the device.
-
-1. When you are prompted, select the following items:
-
-   1. Your operating system language.
-
-   1. Your keyboard layout.
-
-1. Select **Troubleshoot** > **Advanced Options** > **Command Prompt**.
-
-1. In the Command Prompt window, run the following commands:  
-
-   ```console
-   manage-bde -unlock -recoverypassword <Password> <DriveLetter>:  
-   manage-bde -protectors -disable <DriveLetter>:  
-
-   ```
-
-   In these commands, \<*Password*\> is the BitLocker recovery password that you obtained in step 1, and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.  
-
-   > [!NOTE]
-   > For more information about how to use this command, see [manage-bde: unlock](/windows-server/administration/windows-commands/manage-bde-unlock).
-
-1. Restart the computer.
-
-1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1.
-
-> [!NOTE]
-> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
-
-#### <a id="step-2"></a>Step 2: Use Surface BMR to recover data and reset your device
-
-To recover data from your Surface device if you cannot start Windows, follow steps 1 through 5 of [Step 1](#step-1) to return to the Command Prompt window, and then follow these steps:
-
-1. At the command prompt, run the following command:  
-
-   ```console
-   manage-bde -unlock -recoverypassword <Password> <DriveLetter>:  
-   ```
-
-   In this command, \<*Password*\> is the BitLocker recovery password that you obtained in step 1 of [Step 1](#step-1), and \<*DriveLetter*> is the drive letter that is assigned to your operating system drive.  
-
-1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.  
-
-   > [!NOTE]
-   > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands).
-  
-1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).  
-
-#### Step 3: Restore the default PCR values
-
-To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values.
-
-To enable secure boot on a Surface device, follow these steps:
-
-1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet:
-
-   ```powershell
-   Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0  
-   ```
-
-   In this command, <*DriveLetter*> is the letter that is assigned to your drive.
-
-1. Restart the device, and then edit the BIOS to set the **Secure Boot** option to **Microsoft Only**.
-
-1. Restart the device.
-
-1. Open an elevated PowerShell window, and run the following cmdlet:  
-
-   ```powershell
-
-   Resume-BitLocker -MountPoint "<DriveLetter>:"
-   ```
-
-To reset the PCR settings on the TPM, follow these steps:
-
-1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.  
-
-   For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md).
-
-1. Suspend BitLocker. To do this, open an elevated Windows PowerShell window, and run the following cmdlet:
-
-   ```powershell
-   Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0  
-   ```
-   
-   where <*DriveLetter*> is the letter assigned to your drive.
-
-1. Run the following cmdlet:  
-
-   ```powershell
-   Resume-BitLocker -MountPoint "<DriveLetter>:"
-   ```
-
-#### Step 4: Suspend BitLocker during TPM or UEFI firmware updates
-
-You can avoid this scenario when you install updates to system firmware or TPM firmware by temporarily suspending BitLocker before you apply such updates.
-
-> [!IMPORTANT]
-> TPM and UEFI firmware updates may require multiple restarts while they install. To keep BitLocker suspended during this process, you must use [Suspend-BitLocker](/powershell/module/bitlocker/suspend-bitlocker?view=winserver2012r2-ps&preserve-view=true) and set the **Reboot Count** parameter to either of the following values:
-> - **2** or greater: This value sets the number of times the device can restart before BitLocker Device Encryption resumes.
-> - **0**: This value suspends BitLocker Drive Encryption indefinitely, until you use [Resume-BitLocker](/powershell/module/bitlocker/resume-bitlocker?view=winserver2012r2-ps&preserve-view=true) or another mechanism to resume protection.
-
-To suspend BitLocker while you install TPM or UEFI firmware updates:
-
-1. Open an elevated Windows PowerShell window, and run the following cmdlet:
-
-   ```powershell
-   Suspend-BitLocker -MountPoint "<DriveLetter>:" -RebootCount 0  
-
-   ```
-   In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive.
-
-1. Install the Surface device driver and firmware updates.
-
-1. After you install the firmware updates, restart the computer, open an elevated PowerShell window, and then run the following cmdlet:  
-
-   ```powershell
-   Resume-BitLocker -MountPoint "<DriveLetter>:"
-   ```
-
-To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive.
-
-## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000
-
-You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000.
-
-### Workaround
-
-If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE). To do this, follow these steps:
-
-1. Retrieve the 48-digit BitLocker recovery password for the operating system drive from your organization's portal or from wherever the password was stored when BitLocker Drive Encryption was first turned on.
-
-1. On the Recovery screen, press Enter. When you are prompted, enter the recovery password.
-
-1. If your device starts in the (WinRE) and prompts you for the recovery password again, select **Skip the drive**.
-
-1. Select **Advanced options** > **Troubleshoot** > **Advanced options** > **Command Prompt**.
-
-1. In the Command Prompt window, run the following commands:
-
-   ```console
-   Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
-   Manage-bde -protectors -disable c:
-   exit
-   ```
-   
-   These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.
-
-   > [!NOTE]
-   > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
-
-1. Select **Continue**. Windows should start.
-
-1. After Windows has started, open an elevated Command Prompt window and run the following command:
-
-   ```console
-   Manage-bde -protectors -enable c:
-   ```
-
-> [!IMPORTANT]
-> Unless you suspend BitLocker before you start the device, this issue recurs.
-
-To temporarily suspend BitLocker just before you restart the device, open an elevated Command Prompt window and run the following command:
-
-```console
-Manage-bde -protectors -disable c: -rc 1
-```
-
-### Resolution
-
-To resolve this issue, install the appropriate update on the affected device:  
-
-- For Windows 10, version 1703, or Windows 11: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
-- For Windows 11, Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
-
-## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000
-
-You have a device that uses TPM 1.2 and runs Windows 10, version 1809, or Windows 11. Also, the device uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following.
-
-> Recovery
-> 
-> Your PC/Device needs to be repaired.
-> A required file couldn't be accessed because your BitLocker key wasn't loaded correctly.
->  
-> Error code 0xc0210000
->  
-> You'll need to use recovery tools. If you don't have any installation media (like a disc or USB device), contact your PC administrator or PC/Device manufacturer.
-
-### Cause
-
-TPM 1.2 does not support Secure Launch. For more information, see [System Guard Secure Launch and SMM protection: Requirements Met by System Guard Enabled Machines](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-
-For more information about this technology, see [Windows Defender System Guard: How a hardware-based root of trust helps protect Windows](../../threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-
-### Resolution
-
-To resolve this issue, do one of the following:
-
-- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch.
-- Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
deleted file mode 100644
index 6a0c6cf979..0000000000
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: BitLocker and TPM other known issues
-description: Describes common issues that relate directly to the TPM, and provides guidance for resolving those issues.
-ms.reviewer: kaushika
-ms.technology: windows-sec
-ms.prod: m365-security
-ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
-ms.collection: Windows Security Technologies\BitLocker
-ms.topic: troubleshooting
-ms.date: 10/18/2019
-ms.custom: bitlocker
----
-
-# BitLocker and TPM: other known issues
-
-This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues.
-
-## Azure AD: Windows Hello for Business and single sign-on don't work
-
-You have an Azure Active Directory (Azure AD)-joined client computer that can't authenticate correctly. You experience one or more of the following symptoms:
-
-- Windows Hello for Business doesn't work.
-- Conditional access fails.
-- Single sign-on (SSO) doesn't work.
-
-Additionally, the computer logs the following entry for Event ID 1026:
-
-> Log Name: System  
-> Source: Microsoft-Windows-TPM-WMI  
-> Date: \<Date and Time>  
-> Event ID: 1026  
-> Task Category: None  
-> Level: Information  
-> Keywords:  
-> User: SYSTEM  
-> Computer: \<Computer name\>  
-> Description:  
-> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.  
-> Error: The TPM is defending against dictionary attacks and is in a time-out period.  
-> Additional Information: 0x840000  
-
-### Cause
-
-This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys.  
-
-Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token).  
-
-### Resolution
-
-To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. This may indicate that the computer couldn't present its certificate for authentication.
-
-To resolve this issue, follow these steps to troubleshoot the TPM:
-
-1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box.
-1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions.  
-1. If you don't see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout.
-1. Contact the hardware vendor to determine whether there's a known fix for the issue.
-1. If you still can't resolve the issue, clear and reinitialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
-   > [!WARNING]
-   > Clearing the TPM can cause data loss.  
-
-## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use
-
-You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message:
-
-> Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.  
-> HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY  
-> The device that is required by this cryptographic provider is not ready for use.  
-> TPM Spec version: TPM v1.2  
-
-On a different device that is running the same version of Windows, you can open the TPM management console.
-
-### Cause (suspected)
-
-These symptoms indicate that the TPM has hardware or firmware issues.
-
-### Resolution
-
-To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0.  
-
-If this doesn't resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0.
-
-## Devices don't join hybrid Azure AD because of a TPM issue
-
-You have a device that you're trying to join to a hybrid Azure AD. However, the join operation appears to fail.
-
-To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded:
-
-- **AzureAdJoined: YES**
-- **DomainName: \<*on-prem Domain name*\>**
-
-If the value of **AzureADJoined** is **No**, the join operation failed.  
-
-### Causes and Resolutions
-
-This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table:
-
-|Message |Reason | Resolution|
-| - | - | - |
-|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
-|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
-|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
-|NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |
-
-For more information about TPM issues, see the following articles:
-
-- [TPM fundamentals: Anti-hammering](../tpm/tpm-fundamentals.md#anti-hammering)
-- [Troubleshooting hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current)
-- [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md)
\ No newline at end of file
diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
index 0d07d17289..765325f2f0 100644
--- a/windows/security/information-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -3,16 +3,18 @@ title: Encrypted Hard Drive (Windows)
 description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
 ms.reviewer: 
 manager: aaroncz
-ms.author: dansimp
-ms.prod: m365-security
-author: dulcemontemayor
-ms.date: 04/02/2019
+ms.author: frankroj
+ms.prod: windows-client
+author: frankroj
+ms.date: 11/08/2022
+ms.technology: itpro-security
 ---
 
 # Encrypted Hard Drive
 
-**Applies to**
-- Windows 10
+*Applies to:*
+
+- Windows 10
 - Windows 11
 - Windows Server 2022
 - Windows Server 2019
@@ -21,29 +23,29 @@ ms.date: 04/02/2019
 
 Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management.
 
-By offloading the cryptographic operations to a hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
+By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
 
 Encrypted hard drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to encrypted hard drives without additional modification, beginning with Windows 8 and Windows Server 2012.
 
 Encrypted hard drives provide:
 
--   **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
--   **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
--   **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
--   **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
+- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
+- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
+- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
+- **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
 
 Encrypted hard drives are supported natively in the operating system through the following mechanisms:
 
--   **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type.
--   **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate.
--   **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate.
--   **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE).
--   **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience.
+- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type.
+- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate.
+- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate.
+- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE).
+- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience.
 
 >[!WARNING]
 >Self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices. Encrypted hard drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-encrypting hard drives do not have these requirements. It is important to confirm that the device type is an encrypted hard drive for Windows when planning for deployment.
- 
-If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
+
+If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
 
 ## System Requirements
 
@@ -51,44 +53,44 @@ To use encrypted hard drives, the following system requirements apply:
 
 For an encrypted hard drive used as a **data drive**:
 
--   The drive must be in an uninitialized state.
--   The drive must be in a security inactive state.
+- The drive must be in an uninitialized state.
+- The drive must be in a security inactive state.
 
 For an encrypted hard drive used as a **startup drive**:
 
--   The drive must be in an uninitialized state.
--   The drive must be in a security inactive state.
--   The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
--   The computer must have the compatibility support module (CSM) disabled in UEFI.
--   The computer must always boot natively from UEFI.
+- The drive must be in an uninitialized state.
+- The drive must be in a security inactive state.
+- The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
+- The computer must have the compatibility support module (CSM) disabled in UEFI.
+- The computer must always boot natively from UEFI.
 
 >[!WARNING]
 >All encrypted hard drives must be attached to non-RAID controllers to function properly.
- 
+
 ## Technical overview
 
-Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
+Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk.
 
 ## Configuring encrypted hard drives as startup drives
 
 Configuration of encrypted hard drives as startup drives is done using the same methods as standard hard drives. These methods include:
 
--   **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process.
--   **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work.
--   **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
--   **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work.
+- **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process.
+- **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work.
+- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
+- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work.
 
 ## Configuring hardware-based encryption with group policy
 
-There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: 
+There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
 
-- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#bkmk-hdefxd)  
+- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-fixed-data-drives)  
 - [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives)
 - [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives)
 
 ## Encrypted hard drive architecture
 
-Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the data encryption key (DEK) and the authentication key (AK).
+Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These encryption keys are the data encryption key (DEK) and the authentication key (AK).
 
 The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable.
 
@@ -96,13 +98,13 @@ The AK is the key used to unlock data on the drive. A hash of the key is stored
 
 When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device.
 
-When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue.
+When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. If the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK, and read-writes to the volume can continue.
 
-## Re-configuring encrypted hard drives
+## Reconfiguring encrypted hard drives
 
 Many encrypted hard drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state:
 
-1.  Open Disk Management (diskmgmt.msc)
-2.  Initialize the disk and select the appropriate partition style (MBR or GPT)
-3.  Create one or more volumes on the disk.
-4.  Use the BitLocker setup wizard to enable BitLocker on the volume.
+1. Open Disk Management (`diskmgmt.msc`)
+2. Initialize the disk and select the appropriate partition style (MBR or GPT)
+3. Create one or more volumes on the disk.
+4. Use the BitLocker setup wizard to enable BitLocker on the volume.
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
index 13d915e82d..39c23c342b 100644
--- a/windows/security/information-protection/index.md
+++ b/windows/security/information-protection/index.md
@@ -1,13 +1,14 @@
 ---
 title: Information protection (Windows 10)
 description: Learn more about how to protect sensitive data across your organization.
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 10/10/2018
+ms.technology: itpro-security
 ---
 
 # Information protection
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index f06d1f4810..63520fd7a9 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,15 +1,16 @@
 ---
 title: Kernel DMA Protection (Windows)
 description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
 ms.date: 03/26/2019
+ms.technology: itpro-security
 ---
 
 # Kernel DMA Protection
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
index 0151546bcc..4375ada864 100644
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -1,7 +1,6 @@
 ---
 title: Configure Personal Data Encryption (PDE) in Intune
 description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
-
 author: frankroj
 ms.author: frankroj
 ms.reviewer: rafals
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index fb78dc475b..bfb7153548 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -1,7 +1,6 @@
 ---
 title: Personal Data Encryption (PDE)
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
-
 author: frankroj
 ms.author: frankroj
 ms.reviewer: rafals
diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
index b96b652981..b80634992b 100644
--- a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
+++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
@@ -1,18 +1,19 @@
 ---
 title: Microsoft Pluton security processor
 description: Learn more about Microsoft Pluton security processor
-ms.reviewer:
-ms.prod: m365-security
+ms.reviewer: 
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.localizationpriority: medium
-ms.collection:
+ms.collection: 
   - M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/15/2022
-appliesto:
-- ✅ <b>Windows 11, version 22H2</b>
+appliesto: 
+  - ✅ <b>Windows 11, version 22H2</b>
+ms.technology: itpro-security
 ---
 
 # Microsoft Pluton security processor
diff --git a/windows/security/information-protection/pluton/pluton-as-tpm.md b/windows/security/information-protection/pluton/pluton-as-tpm.md
index 121337c071..17a05782e9 100644
--- a/windows/security/information-protection/pluton/pluton-as-tpm.md
+++ b/windows/security/information-protection/pluton/pluton-as-tpm.md
@@ -1,18 +1,19 @@
 ---
 title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
 description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
-ms.reviewer:
-ms.prod: m365-security
+ms.reviewer: 
+ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.localizationpriority: medium
-ms.collection:
+ms.collection: 
   - M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/15/2022
-appliesto:
-- ✅ <b>Windows 11, version 22H2</b>
+appliesto: 
+  - ✅ <b>Windows 11, version 22H2</b>
+ms.technology: itpro-security
 ---
 
 # Microsoft Pluton as Trusted Platform Module
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index d74a5c0d8e..95230d2990 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -1,16 +1,17 @@
 ---
 title: Secure the Windows boot process
 description: This article describes how Windows security features help protect your PC from malware, including rootkits and other applications.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
 ms.date: 05/12/2022
 ms.author: dansimp
+ms.technology: itpro-security
 ---
 
 # Secure the Windows boot process
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index d2cbee5a7b..5122a7ca67 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -2,13 +2,14 @@
 title: Back up the TPM recovery information to AD DS (Windows)
 description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/03/2021
+ms.technology: itpro-security
 ---
 
 # Back up the TPM recovery information to AD DS
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
index 8120809195..5dd050c200 100644
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
@@ -2,13 +2,14 @@
 title: Change the TPM owner password (Windows)
 description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/18/2022
+ms.technology: itpro-security
 ---
 
 # Change the TPM owner password
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index a65af80d65..bd02dc2445 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -2,16 +2,16 @@
 title: How Windows uses the TPM
 description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
 ms.date: 09/03/2021
+ms.technology: itpro-security
 ---
 
 # How Windows uses the Trusted Platform Module
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index 7a8a4c7a24..907c31420d 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -2,15 +2,16 @@
 title: Troubleshoot the TPM (Windows)
 description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
+ms.technology: itpro-security
 ---
 
 # Troubleshoot the TPM
@@ -38,35 +39,35 @@ Starting with Windows 10 and Windows 11, the operating system automatically init
 
 ## Troubleshoot TPM initialization
 
-If you find that Windows is not able to initialize the TPM automatically, review the following information:
+If you find that Windows isn't able to initialize the TPM automatically, review the following information:
 
 -   You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
 
--   If the TPM is a TPM 2.0 and is not detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM has not been disabled or hidden from the operating system.
+-   If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system.
 
--   If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it.
+-   If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it.
 
--   If you are attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.
+-   If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.
 
 ### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11
 
-If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist:
+If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist:
 
 -   An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy.
 
--   A domain controller cannot be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).
+-   A domain controller can't be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter).
 
-If these issues occur, an error message appears, and you cannot complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you are connected to the corporate network and you can contact a domain controller.
+If these issues occur, an error message appears, and you can't complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you're connected to the corporate network and you can contact a domain controller.
 
 ### Troubleshoot systems with multiple TPMs
 
 Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
 
-For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed.
+For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed.
 
 ## Clear all the keys from the TPM
 
-You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
+You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM isn't cleared before a new operating system is installed, most TPM functionality will probably work correctly.
 
 Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again.
 
@@ -77,13 +78,13 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win
 
 Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:
 
--   Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
+-   Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
 
--   Do not clear the TPM on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
+-   Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator.
 
 -   If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article.
 
--   Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Do not clear the TPM directly from UEFI.
+-   Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI.
 
 -   Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website.
 
@@ -107,7 +108,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
 
 ## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher)
 
-Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
+Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
 
 ### Turn on the TPM
 
@@ -121,7 +122,7 @@ If you want to use the TPM after you have turned it off, you can use the followi
 
 3.  Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts.
 
-    After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM.
+    After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM.
 
 ### Turn off the TPM
 
@@ -137,9 +138,9 @@ If you want to stop using the services that are provided by the TPM, you can use
 
    -   If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
 
-   -   If you do not have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
+   -   If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
 
-   -   If you did not save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
+   -   If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
   
 ## Use the TPM cmdlets
 
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
index 07f6041666..4dae6be6e1 100644
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ b/windows/security/information-protection/tpm/manage-tpm-commands.md
@@ -2,14 +2,14 @@
 title: Manage TPM commands (Windows)
 description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
 ms.author: dansimp
-ms.prod: m365-security
+ms.prod: windows-client
 author: dulcemontemayor
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
+ms.technology: itpro-security
 ---
 
 # Manage TPM commands
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
index 395fdd425a..90cfc7c9ac 100644
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -3,12 +3,13 @@ title: Manage TPM lockout (Windows)
 description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
 ms.reviewer: 
 ms.author: dansimp
-ms.prod: m365-security
+ms.prod: windows-client
 author: dulcemontemayor
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
+ms.technology: itpro-security
 ---
 # Manage TPM lockout
 
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index 1bcb3e7ac1..4abbc40f2d 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -2,15 +2,15 @@
 title: Understanding PCR banks on TPM 2.0 devices (Windows)
 description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
+ms.technology: itpro-security
 ---
 
 # Understanding PCR banks on TPM 2.0 devices
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index cd8329767b..4b69fd9484 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -2,15 +2,15 @@
 title: Trusted Platform Module (TPM) fundamentals (Windows)
 description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
 ms.date: 12/27/2021
+ms.technology: itpro-security
 ---
 
 # TPM fundamentals
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 73c92bb7d8..4cdc7ef9f0 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -2,16 +2,17 @@
 title: TPM recommendations (Windows)
 description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
+ms.technology: itpro-security
 ---
 
 # TPM recommendations
@@ -56,7 +57,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
 
   - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers).
 
-  - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
+  - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://www.microsoft.com/security/blog/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption).
 
   - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
 
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 00da150baf..06be1d344b 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -2,16 +2,17 @@
 title: Trusted Platform Module Technology Overview (Windows)
 description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: high
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
 adobe-target: true
+ms.technology: itpro-security
 ---
 
 # Trusted Platform Module Technology Overview
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index 5f5f096da0..a9ccf2a714 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -2,15 +2,15 @@
 title: TPM Group Policy settings (Windows)
 description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
-  - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
+ms.technology: itpro-security
 ---
 
 # TPM Group Policy settings
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index bde22cbed5..59a276f5ee 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -1,16 +1,17 @@
 ---
 title: Trusted Platform Module (Windows)
 description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
-ms.collection:
+ms.collection: 
   - M365-security-compliance
   - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
+ms.technology: itpro-security
 ---
 
 # Trusted Platform Module
diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
index 4965160895..687a9b8a7e 100644
--- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
@@ -1,7 +1,7 @@
 ---
 title: Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) (Windows 10)
 description: Learn how unenlightened and enlightened apps might behave, based on Windows Information Protection (WIP) network policies, app configuration, and other criteria
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
 # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 2caf5a1fae..0949bc418e 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -1,7 +1,7 @@
 ---
 title: How to collect Windows Information Protection (WIP) audit event logs (Windows 10)
 description: How to collect & understand Windows Information Protection audit event logs via the Reporting configuration service provider (CSP) or Windows Event Forwarding.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
 # How to collect Windows Information Protection (WIP) audit event logs
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index d382f10da0..76c6da850e 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -1,7 +1,7 @@
 ---
 title: Create an EFS Data Recovery Agent certificate
 description: Follow these steps to create, verify, and perform a quick recovery by using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: aczechowski
 ms.author: aaroncz
@@ -10,6 +10,7 @@ ms.reviewer: rafals
 ms.collection: M365-security-compliance
 ms.topic: how-to
 ms.date: 07/15/2022
+ms.technology: itpro-security
 ---
 
 # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
@@ -46,7 +47,7 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
     >[!Important]
     >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
 
-4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md).
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Configuration Manager](create-wip-policy-using-configmgr.md).
 
 	> [!NOTE]
 	> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
@@ -160,6 +161,6 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
 
 - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
 
-- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](create-wip-policy-using-configmgr.md)
 
 - [Creating a Domain-Based Recovery Agent](/previous-versions/tn-archive/cc875821(v=technet.10)#EJAA)
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index a7284079c5..b7624b94f7 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -1,7 +1,7 @@
 ---
 title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
 description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,9 +10,10 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
-# Associate and deploy a VPN policy for Windows Information Protection (WIP) using Endpoint Manager
+# Associate and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
 
 **Applies to:**
 
@@ -20,7 +21,7 @@ ms.reviewer:
 
 After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
  
-## Associate your WIP policy to your VPN policy using Endpoint Manager
+## Associate your WIP policy to your VPN policy using Intune
 
 To associate your WIP policy with your organization's existing VPN policy, use the following steps:
 
@@ -53,11 +54,11 @@ To associate your WIP policy with your organization's existing VPN policy, use t
 
 After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
 
-1.  On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
+1.  On the **App policy** blade, select your newly-created policy, select **User groups** from the menu that appears, and then select **Add user group**.
 
     A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade.
 
-2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
+2. Choose the group you want your policy to apply to, and then select **Select** to deploy the policy.
 
     The policy is deployed to the selected users' devices.
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 87e2aed9c2..f4c9cd0e4a 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -1,7 +1,7 @@
 ---
 title: Create and deploy a WIP policy in Configuration Manager
-description: Use Microsoft Endpoint Configuration Manager to create and deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
-ms.prod: m365-security
+description: Use Microsoft Configuration Manager to create and deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: aczechowski
 ms.author: aaroncz
@@ -10,6 +10,7 @@ ms.reviewer: rafals
 ms.collection: M365-security-compliance
 ms.topic: how-to
 ms.date: 07/15/2022
+ms.technology: itpro-security
 ---
 
 # Create and deploy a Windows Information Protection policy in Configuration Manager
@@ -22,7 +23,7 @@ _Applies to:_
 - Windows 10
 - Windows 11
 
-Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy. You can choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+Microsoft Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy. You can choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
 
 ## Add a WIP policy
 After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 06970b38c5..1294e3f168 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -1,7 +1,7 @@
 ---
 title: Create a WIP policy in Intune
 description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
-ms.prod: m365-security
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
@@ -9,6 +9,7 @@ ms.reviewer: rafals
 ms.collection: M365-security-compliance
 ms.topic: how-to
 ms.date: 07/15/2022
+ms.technology: itpro-security
 ---
 
 # Create a Windows Information Protection policy in Microsoft Intune
@@ -53,7 +54,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 ## Create a WIP policy
 
-1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 2. Open Microsoft Intune and select **Apps** > **App protection policies** > **Create policy**.
 
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 58f2b96b0d..6578e9bc6c 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -1,7 +1,7 @@
 ---
 title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
 description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/05/2019
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
 # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 83bd025c94..6cea050345 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -2,7 +2,7 @@
 title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
 description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/02/2019
+ms.technology: itpro-security
 ---
 
 # List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
@@ -83,7 +84,7 @@ Microsoft still has apps that are unenlightened, but which have been tested and
 > [!NOTE]
 > As of January 2019 it is no longer necessary to add Intune Company Portal as an exempt app since it is now included in the default list of protected apps.
 
-You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Endpoint Configuration Manager.
+You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and Microsoft Configuration Manager.
 
 
 |                     Product name                     |                                                                                                                                                                                                                        App info                                                                                                                                                                                                                        |
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 782848bd01..6f758d95da 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -2,7 +2,7 @@
 title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
 description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
+ms.technology: itpro-security
 ---
 
 # General guidance and best practices for Windows Information Protection (WIP)
diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
index 1d285e189d..8356183a84 100644
--- a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
+++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md
@@ -1,14 +1,15 @@
 ---
 title: How to disable Windows Information Protection (WIP)
-description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Endpoint Configuration Manager.
+description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Configuration Manager.
 ms.date: 07/21/2022
-ms.prod: m365-security
+ms.prod: windows-client
 ms.topic: how-to
 ms.localizationpriority: medium
 author: lizgt2000
 ms.author: lizlong
 ms.reviewer: aaroncz
 manager: dougeby
+ms.technology: itpro-security
 ---
 
 # How to disable Windows Information Protection (WIP)
@@ -33,7 +34,7 @@ When you unassign an existing policy, it removes the intent to deploy WIP from t
 
 If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP.
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Open Microsoft Intune and select **Apps** > **App protection policies**.
 1. Select the existing policy to turn off, and then select the **Properties**.
 1. Edit **Required settings**.
@@ -83,7 +84,7 @@ To disable WIP for your organization, first create a configuration item.
 The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The following sections provide details on the required settings on this page.
 
 > [!TIP]
-> For more information on filling out the required fields, see [Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr).
+> For more information on filling out the required fields, see [Create and deploy a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr).
 
 #### Turn off WIP
 
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 73f91f204f..de06121632 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -1,7 +1,7 @@
 ---
 title: Limitations while using Windows Information Protection (WIP)
 description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
-ms.prod: m365-security
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/05/2019
 ms.localizationpriority: medium
+ms.technology: itpro-security
 ---
 
 # Limitations while using Windows Information Protection (WIP)
@@ -116,7 +117,7 @@ This following list provides info about the most common problems you might encou
 
   <br/>
 
-  - **How it appears**: Windows Information Protection isn't turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager.
+  - **How it appears**: Windows Information Protection isn't turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Configuration Manager.
   - **Workaround**: Don't set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders.  You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
 
     If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline.
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index 8ebb7f6719..9f086b7f07 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -1,7 +1,7 @@
 ---
 title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
 description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 05/25/2022
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
 # Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index a2d8772636..076aac8eaf 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -1,8 +1,8 @@
 ---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
-description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+title: Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager (Windows 10)
+description: Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,19 +10,20 @@ manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
+ms.technology: itpro-security
 ---
 
-# Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
+# Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager
 **Applies to:**
 
 - Windows 10, version 1607 and later
 
-Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+Microsoft Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. It lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 
 ## In this section
 
-|Topic |Description |
+|Article |Description |
 |------|------------|
-|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
+|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Configuration Manager helps you create and deploy your WIP policy. And, lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
 |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 0b3a3ef773..49798db25b 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -1,8 +1,8 @@
 ---
 title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
-description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy.
+description: Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/11/2019
+ms.technology: itpro-security
 ---
 
 # Create a Windows Information Protection (WIP) policy using Microsoft Intune
@@ -17,12 +18,12 @@ ms.date: 03/11/2019
 
 - Windows 10, version 1607 and later
 
-Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy. It also lets you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 
 ## In this section
 
-|Topic |Description |
+|Article |Description |
 |------|------------|
-|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
+|[Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
 |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 82bb52d344..9992aec7b6 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -1,16 +1,17 @@
 ---
 title: Protect your enterprise data using Windows Information Protection
 description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.reviewer: rafals
-ms.collection:
+ms.collection: 
   - M365-security-compliance
 ms.topic: overview
 ms.date: 07/15/2022
+ms.technology: itpro-security
 ---
 
 # Protect your enterprise data using Windows Information Protection (WIP)
@@ -25,10 +26,10 @@ _Applies to:_
 
 With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
 
-Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
+Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Azure Rights Management, another data protection technology, also works alongside WIP. It extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
 
 >[!IMPORTANT]
->While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
+>While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more information about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
 
 ## Video: Protect enterprise data from being accidentally copied to the wrong place
 
@@ -39,12 +40,12 @@ You'll need this software to run Windows Information Protection in your enterpri
 
 |Operating system | Management solution |
 |-----------------|---------------------|
-|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>Microsoft Endpoint Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.|
+|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>Microsoft Configuration Manager<br><br>-OR-<br><br>Your current company-wide third party mobile device management (MDM) solution. For info about third party MDM solutions, see the documentation that came with your product. If your third party MDM doesn't have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.|
 
 ## What is enterprise data control?
-Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can't share anything and it's all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
+Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security. Another extreme is when people can't share anything and it's all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
 
-As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn't guarantee that the data will remain within the secured locations of the enterprise. This means that while access controls are a great start, they're not enough.
+As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn't guarantee that the data will remain within the secured locations of the enterprise. So, access controls are a great start, they're not enough.
 
 In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don't allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls.
 
@@ -54,9 +55,9 @@ To help address this security insufficiency, companies developed data loss preve
 
 - **A way to scan company data to see whether it matches any of your defined rules.** Currently, Microsoft Exchange Server and Exchange Online provide this service for email in transit, while Microsoft SharePoint and SharePoint Online provide this service for content stored in document libraries.
 
-- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft Purview data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
+- **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft Purview Data Loss Prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry).
 
-Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees' natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn't see and can't understand.
+Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created. This behavior can lead employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. Perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees' natural workflow. It can stop some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn't see and can't understand.
 
 ### Using information rights management systems
 To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on. 
@@ -64,7 +65,7 @@ To help address the potential data loss prevention system problems, companies de
 After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won't be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees' work might be unexpectedly interrupted if he or she attempts to use a non-compatible app.
 
 ### And what about when an employee leaves the company or unenrolls a device?
-Finally, there's the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
+Finally, there's the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would erase all of the corporate data from the device, along with any other personal data on the device.
 
 ## Benefits of WIP
 Windows Information Protection provides:
@@ -76,7 +77,7 @@ Windows Information Protection provides:
 
 - Use of audit reports for tracking issues and remedial actions.
 
-- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
+- Integration with your existing management system (Microsoft Intune, Microsoft Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
 
 ## Why use WIP?
 Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
@@ -93,7 +94,7 @@ Windows Information Protection is the mobile application management (MAM) mechan
     
         You don't have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list.
 
-    -   **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+    -   **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could have overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 
 
     -   **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media.
@@ -104,10 +105,10 @@ Windows Information Protection is the mobile application management (MAM) mechan
 
     -   **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn't.
 
--   **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
+-   **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or if a device is stolen. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
 
     >[!NOTE]
-    >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.<br>Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+    >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Configuration Manager.<br>Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
 
 ## How WIP works
 Windows Information Protection helps address your everyday challenges in the enterprise. Including:
@@ -144,11 +145,11 @@ You can set your Windows Information Protection policy to use 1 of 4 protection
 |----|-----------|
 |Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization's network.|
 |Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
-|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would've been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
-|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn Windows Information Protection back on. |
+|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would have been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
+|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn Windows Information Protection back on. |
 
 ## Turn off WIP
-You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn't recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won't be automatically reapplied.
+You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn't recommended. If you choose to turn off WIP, you can always turn it back on, but your decryption and policy info won't be automatically reapplied.
 
 ## Next steps
 
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 352be0af55..fef7dcfa1e 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -1,7 +1,7 @@
 ---
 title: Recommended URLs for Windows Information Protection (Windows 10)
 description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/25/2019
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
 # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index fd9719fcaf..35d93c25c4 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -2,7 +2,7 @@
 title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
 description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 03/05/2019
+ms.technology: itpro-security
 ---
 
 # Testing scenarios for Windows Information Protection (WIP)
@@ -42,7 +43,7 @@ You can try any of the processes included in these scenarios, but you should foc
   > [!IMPORTANT]
   > Certain file types like `.exe` and `.dll`, along with certain file paths, such as `%windir%` and `%programfiles%` are excluded from automatic encryption.
 
-  For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md), based on your deployment system.
+  For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Create a Windows Information Protection (WIP) policy using Microsoft Configuration Manager](create-wip-policy-using-configmgr.md), based on your deployment system.
 
 - **Block enterprise data from non-enterprise apps**:
 
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index 6a4963ce99..5f413c3657 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -1,7 +1,7 @@
 ---
 title: Using Outlook on the web with WIP (Windows 10)
 description: Options for using Outlook on the web with Windows Information Protection (WIP).
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
 # Using Outlook on the web with Windows Information Protection (WIP)
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index e19a7707c0..37cf054aa4 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -1,7 +1,7 @@
 ---
 title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
 description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
@@ -10,6 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
 ms.reviewer: 
+ms.technology: itpro-security
 ---
 
 # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index f243b85b06..8f15eb8d9c 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -2,7 +2,7 @@
 title: Fine-tune Windows Information Policy (WIP) with WIP Learning
 description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
 ms.reviewer: 
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: aczechowski
 ms.author: aaroncz
@@ -10,6 +10,7 @@ manager: dougeby
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 02/26/2019
+ms.technology: itpro-security
 ---
 
 # Fine-tune Windows Information Protection (WIP) with WIP Learning
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
index b97c053fd9..d2b9b2ae9c 100644
--- a/windows/security/operating-system.md
+++ b/windows/security/operating-system.md
@@ -7,8 +7,8 @@ manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
 ms.collection: M365-security-compliance
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ms.date: 09/21/2021
 ---
 
diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md
index 907d545563..d49045d449 100644
--- a/windows/security/security-foundations.md
+++ b/windows/security/security-foundations.md
@@ -7,8 +7,8 @@ manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
 ms.collection: M365-security-compliance
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Windows security foundations
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index d4d91dca07..54ddd26b54 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -4,7 +4,7 @@ description: This reference for IT professionals provides information about the
 ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
 ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Advanced security audit policy settings (Windows 10)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index 9bc1f821b8..dfdea1de13 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -4,7 +4,7 @@ description: Advanced security audit policy settings may appear to overlap with
 ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/6/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Advanced security audit policies
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index b176620db8..3838e0f0f4 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -2,7 +2,7 @@
 title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
 description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/06/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Appendix A: Security monitoring recommendations for many audit events
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index cd0cb7d36f..8d2d3f824c 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -4,7 +4,7 @@ description: Apply audit policies to individual files and folders on your comput
 ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -12,10 +12,12 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Apply a basic audit policy on a file or folder
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 12b0ddc395..9d49394e56 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Account Lockout
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index a6bb26f2b2..f7ca99507d 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Application Generated
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 40db38bfb4..706551065b 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Application Group Management
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index af01de791c..aaf65be8db 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Audit Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 1e4d381758..6754a2796a 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Authentication Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index fbf9267a82..e8c3a7d588 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Authorization Policy Change
@@ -21,9 +21,9 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server     | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation       | IF             | No              | IF              | No               | IF – With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 
 **Events List:**
 
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index 0f9623bc2a..5e92817efe 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Central Access Policy Staging
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index ab5dc1db6b..bc1ec469f1 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Certification Services
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index 2fca8cb4ff..8c42317e94 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Computer Account Management
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index f09b2e6ceb..b04f1cb5a9 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Credential Validation
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 9f83de62ed..72f481f66b 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Detailed Directory Service Replication
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index cf232819c0..16b1667db6 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Detailed File Share
@@ -34,9 +34,9 @@ There are no system access control lists (SACLs) for shared folders. If this pol
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No              | Yes             | No               | Yes              | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume should not be high. You will be able to see who was not able to get access to a file or folder on a network share on a computer.                                                                                                                                                                                                                                                                                                                                                                                              |
-| Member Server     | IF              | Yes             | IF               | Yes              | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for member servers should not be high (if they are not File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
-| Workstation       | IF              | Yes             | IF               | Yes              | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for workstations should not be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer.                                                                                   |
+| Domain Controller | No              | Yes             | No               | Yes              | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume shouldn't be high. You will be able to see who wasn't able to get access to a file or folder on a network share on a computer.                                                                                                                                                                                                                                                                                                                                                                                              |
+| Member Server     | IF              | Yes             | IF               | Yes              | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for member servers shouldn't be high (if they aren't File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
+| Workstation       | IF              | Yes             | IF               | Yes              | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.<br>The volume of Failure events for workstations shouldn't be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer.                                                                                   |
 
 **Events List:**
 
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index c6e8118ded..a70119e0d5 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -1,18 +1,18 @@
 ---
 title: Audit Directory Service Access (Windows 10)
-description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (ADA DS) object is accessed.
+description: The policy setting Audit Directory Service Access determines if audit events are generated when an Active Directory Domain Services (AD DS) object is accessed.
 ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Directory Service Access
@@ -34,4 +34,4 @@ This subcategory allows you to audit when an Active Directory Domain Services (A
 
 -   [4662](event-4662.md)(S, F): An operation was performed on an object.
 
--   [4661](event-4661.md)(S, F): A handle to an object was requested.
\ No newline at end of file
+-   [4661](event-4661.md)(S, F): A handle to an object was requested.
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index caa1701475..5aa0e36978 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Directory Service Changes
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index 5a424dae77..f9c45299fe 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Directory Service Replication
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 76eb29a0bc..23341f0d60 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Distribution Group Management
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 00a34ebb03..bc24e85d75 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit DPAPI Activity
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index 29e1ca9570..59c2d6638e 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit File Share
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index 12885568e0..c9a66ed82e 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit File System
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index d7e01c186a..7984928783 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Filtering Platform Connection
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index 6f9481da89..15c0bc27d2 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Filtering Platform Packet Drop
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index ae7aca862f..b8f192cccd 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Filtering Platform Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 1ae73ba656..b3740aca1a 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Group Membership
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index 84d320a966..c468ff02f3 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Handle Manipulation
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index a31f2e95b9..dc52d2d90e 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit IPsec Driver
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 121c17cdf3..92e2d71f5e 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit IPsec Extended Mode
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index e250004563..965715efa2 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit IPsec Main Mode
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 412c2ed30e..7a8be4ff82 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit IPsec Quick Mode
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index cf603612e7..98a1c8f558 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Kerberos Authentication Service
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index 775390d2fd..135c2882b7 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Kerberos Service Ticket Operations
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index 8d8700c72e..bb5d6d221a 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Kernel Object
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 764e61eca5..b6108a6488 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Logoff
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index 896c41e4c2..74e7fe7f8f 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Logon
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index 25553898cc..a441c97c4c 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit MPSSVC Rule-Level Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index c141fc7bf1..6c9a0fb877 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Network Policy Server
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index ead439de46..b9920a8900 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Non-Sensitive Privilege Use
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index afeebd6098..23ab2587a5 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Other Account Logon Events
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index 1f3ac84620..7d8e27c634 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Other Account Management Events
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index cfadd950fa..43e4b822aa 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Other Logon/Logoff Events
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index 287ef71e1d..901c4b5a7e 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Other Object Access Events
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index 2ebaf41f93..776b3fdec9 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Other Policy Change Events
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index 7ffd11fc64..97a8de3544 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Other Privilege Use Events
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index dd61dda8ea..015eb3ddea 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Other System Events
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index bae8fa6df6..da07e88f35 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit PNP Activity
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index a2e6e0c9c6..3eb6dcf190 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 03/16/2022
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Process Creation
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index 584f8b8880..60a0a05de7 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Process Termination
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 13960b7b4c..e67da43c3e 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 01/05/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Registry
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index eae70e36ee..4277dd71c8 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Removable Storage
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
index 0b881d3f43..27dc6938be 100644
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ b/windows/security/threat-protection/auditing/audit-rpc-events.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit RPC Events
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index 4297c79c86..1f295079c7 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit SAM
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index 5d21c7bd36..6fe81c704f 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Security Group Management
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index 7e25a9e858..94c6d1f229 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Security State Change
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index f2a020e961..fbda6e4cbb 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Security System Extension
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index 3b87a0810f..eb8714f152 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Sensitive Privilege Use
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index ef4cf15494..8f865d11bc 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit Special Logon
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index 59ddddcc56..761abff74a 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit System Integrity
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index 5eb81c872a..533703cb10 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -5,8 +5,8 @@ manager: aaroncz
 author: vinaypamnani-msft
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Audit Token Right Adjusted
@@ -18,9 +18,9 @@ For more information, see [Security Monitoring: A Possible New Way to Detect Pri
 
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server     | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation       | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server     | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation       | IF              | No              | IF               | No               | IF – With Success auditing for this subcategory, you can get information related to changes to the privileges of a token.<br>However, if you are using an application or system service that dynamically adjusts token privileges, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
 
 **Events List:**
 
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index e1460e7aa6..7efa2301e3 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit User Account Management
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index adfe26b5d1..750c5568ca 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -6,13 +6,13 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit User/Device Claims
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index fd30c96538..c40298d5a5 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o
 ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit account logon events
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 5198cd91e7..2327ae1658 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each event of account management on a d
 ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit account management
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index 6baff08ecd..bbd62c2d7f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -4,7 +4,7 @@ description: Determines whether to audit the event of a user accessing an Active
 ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit directory service access
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 414793c373..c429d26054 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o
 ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -12,10 +12,12 @@ ms.localizationpriority: none
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit logon events
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index eea30b98ef..5223f78f44 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -4,7 +4,7 @@ description: The policy setting, Audit object access, determines whether to audi
 ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit object access
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index b96ea7b99e..698273ad21 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -4,7 +4,7 @@ description: Determines whether to audit every incident of a change to user righ
 ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit policy change
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index a0d131b788..202483cba9 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user exercising a us
 ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit privilege use
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index e1e8ec83dc..96125dc789 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -4,7 +4,7 @@ description: Determines whether to audit detailed tracking information for event
 ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit process tracking
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 0f47401092..951ca143f2 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -4,7 +4,7 @@ description: Determines whether to audit when a user restarts or shuts down the
 ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Audit system events
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index ba11dec1f1..e05747ce76 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -4,7 +4,7 @@ description: Learn about basic security audit policies that specify the categori
 ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Basic security audit policies
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 306c7c8339..bbc3b39ae8 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -4,7 +4,7 @@ description: Basic security audit policy settings are found under Computer Confi
 ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/06/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Basic security audit policy settings
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index af627fc630..431c0d89e2 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -4,7 +4,7 @@ description: By defining auditing settings for specific event categories, you ca
 ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 09/07/2021
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Create a basic audit policy for an event category
diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
index 32ae7fc631..b5e2bfaf89 100644
--- a/windows/security/threat-protection/auditing/event-1100.md
+++ b/windows/security/threat-protection/auditing/event-1100.md
@@ -2,7 +2,7 @@
 title: 1100(S) The event logging service has shut down. (Windows 10)
 description: Describes security event 1100(S) The event logging service has shut down.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 1100(S): The event logging service has shut down.
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index 26db20429c..3da9fc2a33 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -2,7 +2,7 @@
 title: 1102(S) The audit log was cleared. (Windows 10)
 description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 1102(S): The audit log was cleared.
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index 2dc26ce28a..71e08f1f79 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -2,7 +2,7 @@
 title: 1104(S) The security log is now full. (Windows 10)
 description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 1104(S): The security log is now full.
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index 876b254fac..6eea66a2d6 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -2,7 +2,7 @@
 title: 1105(S) Event log automatic backup. (Windows 10)
 description: This event generates every time Windows security log becomes full and new event log file was created.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 1105(S): Event log automatic backup
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index b29bdbea27..3ef547a322 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -2,7 +2,7 @@
 title: The event logging service encountered an error (Windows 10)
 description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
index e461d3a1f0..51e0c51819 100644
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ b/windows/security/threat-protection/auditing/event-4608.md
@@ -2,7 +2,7 @@
 title: 4608(S) Windows is starting up. (Windows 10)
 description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4608(S): Windows is starting up.
diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
index a9256d7167..cbb410b55d 100644
--- a/windows/security/threat-protection/auditing/event-4610.md
+++ b/windows/security/threat-protection/auditing/event-4610.md
@@ -2,7 +2,7 @@
 title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10)
 description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4610(S): An authentication package has been loaded by the Local Security Authority.
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
index ddfd12cebd..0f4b7b7a55 100644
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ b/windows/security/threat-protection/auditing/event-4611.md
@@ -2,7 +2,7 @@
 title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10)
 description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4611(S): A trusted logon process has been registered with the Local Security Authority.
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
index 1894b7e87a..15ba866bce 100644
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ b/windows/security/threat-protection/auditing/event-4612.md
@@ -2,7 +2,7 @@
 title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10)
 description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
index 00aa2bf61d..1dbbdeeefe 100644
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ b/windows/security/threat-protection/auditing/event-4614.md
@@ -2,7 +2,7 @@
 title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10)
 description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4614(S): A notification package has been loaded by the Security Account Manager.
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index a71a72d981..d3cd763690 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -2,7 +2,7 @@
 title: 4615(S) Invalid use of LPC port. (Windows 10)
 description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4615(S): Invalid use of LPC port.
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
index 62f402ee6c..dfd4eb58db 100644
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ b/windows/security/threat-protection/auditing/event-4616.md
@@ -2,7 +2,7 @@
 title: 4616(S) The system time was changed. (Windows 10)
 description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4616(S): The system time was changed.
@@ -163,9 +163,9 @@ For 4616(S): The system time was changed.
 > [!IMPORTANT]
 > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
 
--   Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service.
+-   Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made by Windows Time service.
 
--   Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made not by Windows Time service.
+-   Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made by Windows Time service.
 
 <!-- -->
 
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index 52790766da..dcbe79c3ac 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -2,7 +2,7 @@
 title: 4618(S) A monitored security event pattern has occurred. (Windows 10)
 description: Describes security event 4618(S) A monitored security event pattern has occurred.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4618(S): A monitored security event pattern has occurred.
diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
index 145a52481e..8d85ca11c8 100644
--- a/windows/security/threat-protection/auditing/event-4621.md
+++ b/windows/security/threat-protection/auditing/event-4621.md
@@ -2,7 +2,7 @@
 title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10)
 description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4621(S): Administrator recovered system from CrashOnAuditFail.
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
index d71804453a..b4d338e351 100644
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ b/windows/security/threat-protection/auditing/event-4622.md
@@ -2,7 +2,7 @@
 title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10)
 description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4622(S): A security package has been loaded by the Local Security Authority.
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index af8492549e..9a2a4e5b64 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -2,7 +2,7 @@
 title: 4624(S) An account was successfully logged on. (Windows 10)
 description: Describes security event 4624(S) An account was successfully logged on.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,9 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
+ms.collection: 
+  - highpri
 ---
 
 # 4624(S): An account was successfully logged on.
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index a8cf41f43c..8030b3d479 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -2,7 +2,7 @@
 title: 4625(F) An account failed to log on. (Windows 10)
 description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,9 @@ ms.date: 01/03/2022
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
+ms.collection: 
+  - highpri
 ---
 
 # 4625(F): An account failed to log on.
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index 40dda4fb91..d855d40847 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -2,7 +2,7 @@
 title: 4626(S) User/Device claims information. (Windows 10)
 description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4626(S): User/Device claims information.
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
index 2ced3b38aa..b86dcd5739 100644
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@@ -2,7 +2,7 @@
 title: 4627(S) Group membership information. (Windows 10)
 description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4627(S): Group membership information.
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index 3c9d5b5fcb..467dedd19f 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -2,7 +2,7 @@
 title: 4634(S) An account was logged off. (Windows 10)
 description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4634(S): An account was logged off.
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index 75ebc4000b..9ff4d6507e 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -2,7 +2,7 @@
 title: 4647(S) User initiated logoff. (Windows 10)
 description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4647(S): User initiated logoff.
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
index 38f6872968..b0cab6c7cd 100644
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@@ -2,7 +2,7 @@
 title: 4648(S) A logon was attempted using explicit credentials. (Windows 10)
 description: Describes security event 4648(S) A logon was attempted using explicit credentials.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4648(S): A logon was attempted using explicit credentials.
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index eb4add10ec..4447ed9ef5 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -2,7 +2,7 @@
 title: 4649(S) A replay attack was detected. (Windows 10)
 description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4649(S): A replay attack was detected.
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
index e00a414562..4f9aa3d55a 100644
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ b/windows/security/threat-protection/auditing/event-4656.md
@@ -2,7 +2,7 @@
 title: 4656(S, F) A handle to an object was requested. (Windows 10)
 description: Describes security event 4656(S, F) A handle to an object was requested.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4656(S, F): A handle to an object was requested.
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index 5d5f2aa622..fbe96e603d 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -2,7 +2,7 @@
 title: 4657(S) A registry value was modified. (Windows 10)
 description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4657(S): A registry value was modified.
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index 2529318f4c..c577dd8cb1 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -2,7 +2,7 @@
 title: 4658(S) The handle to an object was closed. (Windows 10)
 description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4658(S): The handle to an object was closed.
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index 78d23e5710..52e57a1502 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -2,7 +2,7 @@
 title: 4660(S) An object was deleted. (Windows 10)
 description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4660(S): An object was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index 21aab6e49b..bf8b9b0543 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -2,7 +2,7 @@
 title: 4661(S, F) A handle to an object was requested. (Windows 10)
 description: Describes security event 4661(S, F) A handle to an object was requested.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4661(S, F): A handle to an object was requested.
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
index 46ca1c34bf..cdc37e9ac3 100644
--- a/windows/security/threat-protection/auditing/event-4662.md
+++ b/windows/security/threat-protection/auditing/event-4662.md
@@ -2,7 +2,7 @@
 title: 4662(S, F) An operation was performed on an object. (Windows 10)
 description: Describes security event 4662(S, F) An operation was performed on an object.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4662(S, F): An operation was performed on an object.
diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
index b407e338d2..e92604294e 100644
--- a/windows/security/threat-protection/auditing/event-4663.md
+++ b/windows/security/threat-protection/auditing/event-4663.md
@@ -2,7 +2,7 @@
 title: 4663(S) An attempt was made to access an object. (Windows 10)
 description: Describes security event 4663(S) An attempt was made to access an object.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4663(S): An attempt was made to access an object.
diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md
index c3c06a1bff..5d20d8cbda 100644
--- a/windows/security/threat-protection/auditing/event-4664.md
+++ b/windows/security/threat-protection/auditing/event-4664.md
@@ -2,7 +2,7 @@
 title: 4664(S) An attempt was made to create a hard link. (Windows 10)
 description: Describes security event 4664(S) An attempt was made to create a hard link.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4664(S): An attempt was made to create a hard link.
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index 3c34a477b3..1775901f8b 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -2,7 +2,7 @@
 title: 4670(S) Permissions on an object were changed. (Windows 10)
 description: Describes security event 4670(S) Permissions on an object were changed.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/07/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 4670(S): Permissions on an object were changed.
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 3de0d6acc5..2416040af7 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -14,7 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ---
 
-# 4688(S): A new process has been created.
+# 4688(S): A new process has been created. (Windows 10)
 
 
 <img src="images/event-4688.png" alt="Event 4688 illustration" width="417" height="479" hspace="10" align="left" />
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index a4200af9ea..b4571317fc 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -23,7 +23,7 @@ ms.technology: itpro-security
 
 ***Event Description:***
 
-This event generates when [token privileges](/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--) were enabled or disabled for a specific account’s token.  As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
+This event generates when [token privileges](/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--) were enabled or disabled for a specific account’s token.  As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
 
 > **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
 
@@ -182,7 +182,7 @@ Token privileges provide the ability to take certain system-level actions that y
 
 For 4703(S): A user right was adjusted.
 
-As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
+As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
 
 Otherwise, see the recommendations in the following table.
 
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index b0725e0cf9..0d4c72e45f 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -12,6 +12,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.collection: 
+  - highpri
 ---
 
 # 4771(F): Kerberos pre-authentication failed.
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index 2301e2110f..4cf831e05b 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/07/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index 0a115b9db4..cebb01a7c7 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -12,6 +12,8 @@ ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.technology: itpro-security
+ms.collection: 
+  - highpri
 ---
 
 # 4776(S, F): The computer attempted to validate the credentials for an account.
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index 6c069ab814..26cd95b0d4 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -2,7 +2,7 @@
 title: 5059(S, F) Key migration operation. (Windows 10)
 description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5059(S, F): Key migration operation.
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 00c3fc26b4..1a65f76633 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -2,7 +2,7 @@
 title: 5060(F) Verification operation failed. (Windows 10)
 description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5060(F): Verification operation failed.
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index 2b6cc4b64c..d47254485f 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -2,7 +2,7 @@
 title: 5061(S, F) Cryptographic operation. (Windows 10)
 description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5061(S, F): Cryptographic operation.
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
index b038353b7d..08b0f7bce0 100644
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ b/windows/security/threat-protection/auditing/event-5062.md
@@ -2,7 +2,7 @@
 title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10)
 description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5062(S): A kernel-mode cryptographic self-test was performed.
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
index 52e68d3dbd..784019bc18 100644
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ b/windows/security/threat-protection/auditing/event-5063.md
@@ -2,7 +2,7 @@
 title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10)
 description: Describes security event 5063(S, F) A cryptographic provider operation was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5063(S, F): A cryptographic provider operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index 9dd6ca5e47..807d3ee45d 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -2,7 +2,7 @@
 title: 5064(S, F) A cryptographic context operation was attempted. (Windows 10)
 description: Describes security event 5064(S, F) A cryptographic context operation was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5064(S, F): A cryptographic context operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 46772ff759..3e978d64a3 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -2,7 +2,7 @@
 title: 5065(S, F) A cryptographic context modification was attempted. (Windows 10)
 description: Describes security event 5065(S, F) A cryptographic context modification was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5065(S, F): A cryptographic context modification was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index 1a4dd7ae96..e834a9e584 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -2,7 +2,7 @@
 title: 5066(S, F) A cryptographic function operation was attempted. (Windows 10)
 description: Describes security event 5066(S, F) A cryptographic function operation was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5066(S, F): A cryptographic function operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index 01b6ce22cb..5aa395a688 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -2,7 +2,7 @@
 title: 5067(S, F) A cryptographic function modification was attempted. (Windows 10)
 description: Describes security event 5067(S, F) A cryptographic function modification was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5067(S, F): A cryptographic function modification was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
index c365519a4c..814ea02d50 100644
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ b/windows/security/threat-protection/auditing/event-5068.md
@@ -2,7 +2,7 @@
 title: 5068(S, F) A cryptographic function provider operation was attempted. (Windows 10)
 description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5068(S, F): A cryptographic function provider operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index 68a9da47b3..b8d6466c09 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -2,7 +2,7 @@
 title: 5069(S, F) A cryptographic function property operation was attempted. (Windows 10)
 description: Describes security event 5069(S, F) A cryptographic function property operation was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5069(S, F): A cryptographic function property operation was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index 85ccd666f0..1232c68bd4 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -2,7 +2,7 @@
 title: 5070(S, F) A cryptographic function property modification was attempted. (Windows 10)
 description: Describes security event 5070(S, F) A cryptographic function property modification was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5070(S, F): A cryptographic function property modification was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index d58033c0a7..97f862f3a6 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -2,7 +2,7 @@
 title: 5136(S) A directory service object was modified. (Windows 10)
 description: Describes security event 5136(S) A directory service object was modified.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5136(S): A directory service object was modified.
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index a0d084c4f8..072f6dede2 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -2,7 +2,7 @@
 title: 5137(S) A directory service object was created. (Windows 10)
 description: Describes security event 5137(S) A directory service object was created.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5137(S): A directory service object was created.
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index abb03c8027..5fcb9a3381 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -2,7 +2,7 @@
 title: 5138(S) A directory service object was undeleted. (Windows 10)
 description: Describes security event 5138(S) A directory service object was undeleted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5138(S): A directory service object was undeleted.
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index ca0b1825f9..e89fd1eb91 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -2,7 +2,7 @@
 title: 5139(S) A directory service object was moved. (Windows 10)
 description: Describes security event 5139(S) A directory service object was moved.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5139(S): A directory service object was moved.
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index ea890e4738..5d72bf2c8c 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -2,7 +2,7 @@
 title: 5140(S, F) A network share object was accessed. (Windows 10)
 description: Describes security event 5140(S, F) A network share object was accessed.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5140(S, F): A network share object was accessed.
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index fbc9435158..d7ba9c67d4 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -2,7 +2,7 @@
 title: 5141(S) A directory service object was deleted. (Windows 10)
 description: Describes security event 5141(S) A directory service object was deleted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5141(S): A directory service object was deleted.
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index 74e31d363f..6930a066d4 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -2,7 +2,7 @@
 title: 5142(S) A network share object was added. (Windows 10)
 description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5142(S): A network share object was added.
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index e485322da4..ccfe6641b0 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -2,7 +2,7 @@
 title: 5143(S) A network share object was modified. (Windows 10)
 description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5143(S): A network share object was modified.
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 50f697a96f..69aa754e48 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -2,7 +2,7 @@
 title: 5144(S) A network share object was deleted. (Windows 10)
 description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5144(S): A network share object was deleted.
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 782cdb4911..8f47f2b4d1 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -2,7 +2,7 @@
 title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10)
 description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5145(S, F): A network share object was checked to see whether client can be granted desired access.
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index 109b4da544..bb9ab2267c 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -2,7 +2,7 @@
 title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10)
 description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
index b94279645b..0e4b73fcde 100644
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ b/windows/security/threat-protection/auditing/event-5149.md
@@ -2,7 +2,7 @@
 title: 5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10)
 description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5149(F): The DoS attack has subsided and normal processing is being resumed.
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 23c35f76d7..f1310cde61 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -2,7 +2,7 @@
 title: 5150(-) The Windows Filtering Platform blocked a packet. (Windows 10)
 description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5150(-): The Windows Filtering Platform blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 239d0556a2..bf55e6a6eb 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -2,7 +2,7 @@
 title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)
 description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index 7fd8072d96..27438881cb 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -2,7 +2,7 @@
 title: 5152(F) The Windows Filtering Platform blocked a packet. (Windows 10)
 description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5152(F): The Windows Filtering Platform blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index 355b963812..f7a61cc8fe 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -2,7 +2,7 @@
 title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)
 description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index 4ada326421..2002fbb907 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -2,7 +2,7 @@
 title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10)
 description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index b24e159daf..94377b1098 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -2,7 +2,7 @@
 title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10)
 description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index a22acae52c..fbe87f79bc 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -2,7 +2,7 @@
 title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10)
 description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5156(S): The Windows Filtering Platform has permitted a connection.
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index c555d5aa36..6967921a48 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -2,7 +2,7 @@
 title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10)
 description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5157(F): The Windows Filtering Platform has blocked a connection.
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index 1255e8d0bb..af16821b1f 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -2,7 +2,7 @@
 title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10)
 description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index bbd1141c71..5ecd816d89 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -2,7 +2,7 @@
 title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10)
 description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index 1b97127e7f..3b59d54629 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -2,7 +2,7 @@
 title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10)
 description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5168(F): SPN check for SMB/SMB2 failed.
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index eaa77a9e64..3145af538e 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -2,7 +2,7 @@
 title: 5376(S) Credential Manager credentials were backed up. (Windows 10)
 description: Describes security event 5376(S) Credential Manager credentials were backed up.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5376(S): Credential Manager credentials were backed up.
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index fd9c84db3a..a60bd13f29 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -2,7 +2,7 @@
 title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10)
 description: Describes security event 5377(S) Credential Manager credentials were restored from a backup.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5377(S): Credential Manager credentials were restored from a backup.
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index d25246b249..64f48471be 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -2,7 +2,7 @@
 title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10)
 description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5378(F): The requested credentials delegation was disallowed by policy.
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index 801d206b0b..732d1ae81e 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -2,7 +2,7 @@
 title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10)
 description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5447(S): A Windows Filtering Platform filter has been changed.
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index 26c41df186..b5af7f21a3 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -2,16 +2,16 @@
 title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10)
 description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: vinaypamnani-msft
 ms.date: 09/08/2021
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5632(S, F): A request was made to authenticate to a wireless network.
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index e0591f9a05..1583b0b945 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -2,7 +2,7 @@
 title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10)
 description: Describes security event 5633(S, F) A request was made to authenticate to a wired network.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5633(S, F): A request was made to authenticate to a wired network.
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index dbafd70da3..d0dc85fe45 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -2,7 +2,7 @@
 title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10)
 description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5712(S): A Remote Procedure Call (RPC) was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 0ac72b6488..5c45a9698a 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -2,7 +2,7 @@
 title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10)
 description: Describes security event 5888(S) An object in the COM+ Catalog was modified.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5888(S): An object in the COM+ Catalog was modified.
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index 821162c968..3b60e803d9 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -2,7 +2,7 @@
 title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10)
 description: Describes security event 5889(S) An object was deleted from the COM+ Catalog.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5889(S): An object was deleted from the COM+ Catalog.
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index a59fadc788..09c79bee05 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -2,7 +2,7 @@
 title: 5890(S) An object was added to the COM+ Catalog. (Windows 10)
 description: Describes security event 5890(S) An object was added to the COM+ Catalog.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 5890(S): An object was added to the COM+ Catalog.
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index 959f1b969c..dfad64c1da 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -2,7 +2,7 @@
 title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10)
 description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6144(S): Security policy in the group policy objects has been applied successfully.
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index 266a490fdd..60ed2e8ad8 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -2,7 +2,7 @@
 title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10)
 description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/08/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6145(F): One or more errors occurred while processing security policy in the group policy objects.
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index d6701e243e..76f546a222 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -2,7 +2,7 @@
 title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. (Windows 10)
 description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6281(F): Code Integrity determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index f3cc62235d..d8bcc6f1c7 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -2,7 +2,7 @@
 title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10)
 description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index cdd2869db5..3e60d3515a 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -2,7 +2,7 @@
 title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10)
 description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 5c2a2775b2..3148f9b03e 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -2,7 +2,7 @@
 title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10)
 description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index 3b5d284082..ad426fdacc 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -2,7 +2,7 @@
 title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10)
 description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index ff6b32947a..e2fed0d583 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -2,7 +2,7 @@
 title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10)
 description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index f83340addb..48746ad277 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -2,7 +2,7 @@
 title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10)
 description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index d6109b695e..42541a3842 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -2,7 +2,7 @@
 title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10)
 description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2.
 ms.pagetype: security
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
@@ -11,7 +11,7 @@ ms.date: 09/09/2021
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index 48d4234dae..e76f4cde92 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/09/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index e0e4b5e90d..b13c6f8d8c 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -3,12 +3,12 @@ title: Block untrusted fonts in an enterprise (Windows 10)
 description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature.
 ms.reviewer: 
 manager: aaroncz
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 ms.date: 08/14/2017
 ms.localizationpriority: medium
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Block untrusted fonts in an enterprise
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index b80fbf3a1e..b322223819 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -8,7 +8,9 @@ ms.author: vinpa
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.reviewer: 
@@ -41,7 +43,7 @@ To enable HVCI on Windows 10 and Windows 11 devices with supporting hardware thr
 - [Windows Security app](#windows-security-app)
 - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
 - [Group Policy](#enable-hvci-using-group-policy)
-- [Microsoft Endpoint Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
+- [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
 - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
 
 ### Windows Security app
@@ -50,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a
 
 ### Enable HVCI using Intune
 
-Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
+Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog).
 
 ### Enable HVCI using Group Policy
 
@@ -202,9 +204,6 @@ Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related pro
 Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
 ```
 
-> [!NOTE]
-> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11.
-
 > [!NOTE]
 > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2.
 
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 1c0f4c927f..c5729ba1e1 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -1,15 +1,18 @@
 ---
 title: Federal Information Processing Standard (FIPS) 140 Validation
 description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
-ms.prod: m365-security
+ms.prod: windows-client
+ms.date: 11/03/2022
 manager: aaroncz
 ms.author: paoloma
 author: paolomatarazzo
-ms.collection: M365-identity-device-management
+ms.collection: 
+  - M365-identity-device-management
+  - highpri
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: 
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # FIPS 140-2 Validation
@@ -18,17 +21,17 @@ ms.technology: windows-sec
 
 The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
 
-The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+The [Cryptographic Module Validation Program (CMVP)][HTTP-1]) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
 
-## Microsoft’s approach to FIPS 140-2 validation
+## Microsoft's approach to FIPS 140-2 validation
 
 Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.  Microsoft validates its cryptographic modules under the NIST CMVP, as described above.  Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
 
 ## Using Windows in a FIPS 140-2 approved mode of operation
 
-Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode."  If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly.
+Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode."  If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly.
 
-The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library.
+The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library.
 
 US government regulations continue to mandate FIPS mode for government devices running Windows. Other customers should decide for themselves if FIPS mode is right for them. There are many applications and protocols that use FIPS mode policy to determine which cryptographic functionality to run. Customers seeking to follow the FIPS 140-2 standard should research the configuration settings of their applications and protocols. This research will help ensure that they can be configured to use FIPS 140-2 validated cryptography.
 
@@ -40,7 +43,7 @@ Administrators must ensure that all cryptographic modules installed are FIPS 140
 
 ### Step 2: Ensure all security policies for all cryptographic modules are followed
 
-Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode.  The security policy may be found in each module’s published Security Policy Document (SPD).  The SPDs for each module may be found in the table of validated modules at the end of this article.  Select the module version number to view the published SPD for the module. 
+Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode.  The security policy may be found in each module's published Security Policy Document (SPD).  The SPDs for each module may be found in the table of validated modules at the end of this article.  Select the module version number to view the published SPD for the module. 
 
 ### Step 3: Enable the FIPS security policy
 
@@ -55,6 +58,1027 @@ In short, an application or service is running in FIPS mode if it:
 * Checks for the policy flag
 * Enforces security policies of validated modules
 
+
+
+## Microsoft FIPS 140-2 validated cryptographic modules
+
+The following tables identify the cryptographic modules used in an operating system, organized by release.
+
+### Modules used by Windows clients
+
+For more details, expand each operating system section.
+
+<br>
+<details>
+<summary><b>Windows 10, version 1809</b></summary>
+
+Validated Editions: Home, Pro, Enterprise, Education
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library|[10.0.17763][sp-3197]|[#3197][certificate-3197]|See Security Policy and Certificate page for algorithm information|
+|Kernel Mode Cryptographic Primitives Library|[10.0.17763][sp-3196]|[#3196][certificate-3196]|See Security Policy and Certificate page for algorithm information|
+|Code Integrity|[10.0.17763][sp-3644]|[#3644][certificate-3644]|See Security Policy and Certificate page for algorithm information|
+|Windows OS Loader|[10.0.17763][sp-3615]|[#3615][certificate-3615]|See Security Policy and Certificate page for algorithm information|
+|Secure Kernel Code Integrity|[10.0.17763][sp-3651]|[#3651][certificate-3651]|See Security Policy and Certificate page for algorithm information|
+|BitLocker Dump Filter|[10.0.17763][sp-3092]|[#3092][certificate-3092]|See Security Policy and Certificate page for algorithm information|
+|Boot Manager|[10.0.17763][sp-3089]|[#3089][certificate-3089]|See Security Policy and Certificate page for algorithm information|
+|Virtual TPM|[10.0.17763][sp-3690]|[#3690][certificate-3690]|See Security Policy and Certificate page for algorithm information|
+
+</details>
+
+<details>
+<summary><b>Windows 10, version 1803</b></summary>
+
+Validated Editions: Home, Pro, Enterprise, Education
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library|[10.0.17134][sp-3197]|[#3197][certificate-3197]|See Security Policy and Certificate page for algorithm information|
+|Kernel Mode Cryptographic Primitives Library|[10.0.17134][sp-3196]|[#3196][certificate-3196]|See Security Policy and Certificate page for algorithm information|
+|Code Integrity|[10.0.17134][sp-3195]|[#3195][certificate-3195]|See Security Policy and Certificate page for algorithm information|
+|Windows OS Loader|[10.0.17134][sp-3480]|[#3480][certificate-3480]|See Security Policy and Certificate page for algorithm information|
+|Secure Kernel Code Integrity|[10.0.17134][sp-3096]|[#3096][certificate-3096]|See Security Policy and Certificate page for algorithm information|
+|BitLocker Dump Filter|[10.0.17134][sp-3092]|[#3092][certificate-3092]|See Security Policy and Certificate page for algorithm information|
+|Boot Manager|[10.0.17134][sp-3089]|[#3089][certificate-3089]|See Security Policy and Certificate page for algorithm information|
+
+</details>
+
+<details>
+<summary><b>Windows 10, version 1709</b></summary>
+
+Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library|[10.0.16299][sp-3197]|[#3197][certificate-3197]|See Security Policy and Certificate page for algorithm information|
+|Kernel Mode Cryptographic Primitives Library|[10.0.16299][sp-3196]|[#3196][certificate-3196]|See Security Policy and Certificate page for algorithm information|
+|Code Integrity|[10.0.16299][sp-3195]|[#3195][certificate-3195]|See Security Policy and Certificate page for algorithm information|
+|Windows OS Loader|[10.0.16299][sp-3194]|[#3194][certificate-3194]|See Security Policy and Certificate page for algorithm information|
+|Secure Kernel Code Integrity|[10.0.16299][sp-3096]|[#3096][certificate-3096]|See Security Policy and Certificate page for algorithm information|
+|BitLocker Dump Filter|[10.0.16299][sp-3092]|[#3092][certificate-3092]|See Security Policy and Certificate page for algorithm information|
+|Windows Resume|[10.0.16299][sp-3091]|[#3091][certificate-3091]|See Security Policy and Certificate page for algorithm information|
+|Boot Manager|[10.0.16299][sp-3089]|[#3089][certificate-3089]|See Security Policy and Certificate page for algorithm information|
+
+</details>
+
+<details>
+<summary><b>Windows 10, version 1703</b></summary>
+
+Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.15063][sp-3095]|[#3095][certificate-3095]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); CKG (vendor affirmed); CVL (Certs<p>[#1278][component-1278] and [#1281][component-1281]); DRBG (Cert. [#1555][drbg-1555]); DSA (Cert. [#1223][dsa-1223]); ECDSA (Cert. [#1133][ecdsa-1133]); HMAC (Cert. [#3061][hmac-3061]); KAS (Cert. [#127][kas-127]); KBKDF (Cert. [#140][kdf-140]); KTS (AES Cert. [#4626][aes-4626]; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2521][rsa-2521] and [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790]); Triple-DES (Cert. [#2459][tdes-2459]<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#1133][component-1133]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#2521][component-2521]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#1281][component-1281]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#1278][component-1278])|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.15063][sp-3094]|[#3094][certificate-3094]|[#3094][certificate-3094]<p>FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4626][aes-4626]); CKG (vendor affirmed); CVL (Certs. [#1278][component-1278] and [#1281][component-1281]); DRBG (Cert. [#1555][drbg-1555]); DSA (Cert. [#1223][dsa-1223]); ECDSA (Cert. [#1133][ecdsa-1133]); HMAC (Cert. [#3061][hmac-3061]); KAS (Cert. [#127][kas-127]); KBKDF (Cert. [#140][kdf-140]); KTS (AES Cert. [#4626][aes-4626]; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2521][rsa-2521] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]); Triple-DES (Cert. [#2459][tdes-2459]<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>[Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages ([Cert. [#3094]][certificate-3094])<p>[#1133][component-1133][); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.][certificate-3094][#2521][component-2521][); FIPS186-4 RSA; RSADP - RSADP Primitive [Cert.][certificate-3094]<p>[#1281][component-1281][Cert. #3094][certificate-3094]|
+|Boot Manager|[10.0.15063][sp-3089]|[#3089][certificate-3089]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); CKG (vendor affirmed); HMAC (Cert. [#3061][hmac-3061]); PBKDF (vendor affirmed); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)|
+|Windows OS Loader|[10.0.15063][sp-3090]|[#3090][certificate-3090]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>[Other algorithms: NDRNG][certificate-3090]|
+|Windows Resume <sup>[1]</sup>|[10.0.15063][sp-3091]|[#3091][certificate-3091]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790])|
+|BitLocker® Dump Filter <sup>[2]</sup>|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])|
+|Code Integrity (ci.dll)|[10.0.15063][sp-3093]|[#3093][certificate-3093]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])|
+|Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.15063][sp-3096]|[#3096][certificate-3096]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])|
+
+
+<sup>\[1\]</sup> Applies only to Home, Pro, Enterprise, Education, and S.
+
+<sup>\[2\]</sup> Applies only to Pro, Enterprise, Education, S, Mobile, and Surface Hub
+
+<sup>\[3\]</sup> Applies only to Pro, Enterprise, Education, and S
+
+</details>
+
+<details>
+<summary><b>Windows 10, version 1607</b></summary>
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[#2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#886][component-886])|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[#2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887])|
+|Boot Manager|[10.0.14393][sp-2931]|[#2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
+|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
+|BitLocker® Windows Resume (winresume)<sup>[1]</sup>|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)<sup>[2]</sup>|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
+|Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[#2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])|
+|Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.14393][sp-2938]|[#2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])|
+
+<sup>\[1\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
+
+<sup>\[2\]</sup> Applies only to Pro, Enterprise, Enterprise LTSB, and Mobile
+
+<sup>\[3\]</sup> Applies only to Pro, Enterprise, and Enterprise LTSB
+
+</details>
+
+<details>
+<summary><b>Windows 10, version 1511</b></summary>
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10586][sp-2605]|[#2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs. [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#664][component-664])|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10586][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs.  [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663])|
+|Boot Manager <sup>[4]</sup>|[10.0.10586][sp-2700]|[#2700][certificate-2700]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); HMAC (Cert. [#2381][hmac-2381]); PBKDF (vendor affirmed); RSA (Cert. [#1871][rsa-1871]); SHS (Certs. [#3047][shs-3047] and [#3048][shs-3048])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
+|BitLocker® Windows OS Loader (winload)<sup>[5]</sup>|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5; NDRNG|
+|BitLocker® Windows Resume (winresume)<sup>[6]</sup>|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)<sup>[7]</sup>|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])|
+|Code Integrity (ci.dll)|[10.0.10586][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])|
+|Secure Kernel Code Integrity (skci.dll)<sup>[8]</sup>|[10.0.10586][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])|
+
+<sup>\[4\]</sup> Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
+
+<sup>\[5\]</sup> Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
+
+<sup>\[6\]</sup> Applies only to Home, Pro, and Enterprise
+
+<sup>\[7\]</sup> Applies only to Pro, Enterprise, Mobile, and Surface Hub
+
+<sup>\[8\]</sup> Applies only to Enterprise and Enterprise LTSB
+
+</details>
+
+<details>
+<summary><b>Windows 10, version 1507</b></summary>
+
+Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10240][sp-2605]|#[2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#575][component-575])|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10240][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576])|
+|Boot Manager<sup>[9]</sup>|[10.0.10240][sp-2600]|[#2600][certificate-2600]|FIPS approved algorithms: AES (Cert. [#3497][aes-3497]); HMAC (Cert. [#2233][hmac-2233]); KTS (AES Cert. [#3498][aes-3498]); PBKDF (vendor affirmed); RSA (Cert. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871] and [#2886][shs-2886])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
+|BitLocker® Windows OS Loader (winload)<sup>[10]</sup>|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5; NDRNG|
+|BitLocker® Windows Resume (winresume)<sup>[11]</sup>|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)<sup>[12]</sup>|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])|
+|Code Integrity (ci.dll)|[10.0.10240][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])|
+|Secure Kernel Code Integrity (skci.dll)<sup>[13]</sup>|[10.0.10240][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])|
+
+
+<sup>\[9\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
+
+<sup>\[10\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
+
+<sup>\[11\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
+
+<sup>\[12\]</sup> Applies only to Pro, Enterprise, and Enterprise LTSB
+
+<sup>\[13\]</sup> Applies only to Enterprise and Enterprise LTSB
+
+</details>
+
+<details>
+<summary><b>Windows 8.1</b></summary>
+
+Validated Editions: RT, Pro, Enterprise, Phone, Embedded
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[#2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#323][component-323])|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[#2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
+|Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[#2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
+|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
+|BitLocker® Windows Resume (winresume)<sup>[14]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
+|Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[#2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])<p>Other algorithms: MD5<p>Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
+
+<sup>\[14\]</sup> Applies only to Pro, Enterprise, and Embedded 8.
+
+</details>
+
+<details>
+<summary><b>Windows 8</b></summary>
+
+Validated Editions: RT, Home, Pro, Enterprise, Phone
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[#1892][sp-1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[#1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
+|Boot Manager|[6.2.9200][sp-1895]|[#1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker® Windows Resume (WINRESUME)<sup>[15]</sup>|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
+|Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[#1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[#1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[#1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. #1346); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])<p>Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+
+<sup>\[15\]</sup> Applies only to Home and Pro
+
+</details>
+
+<details>
+<summary><b>Windows 7</b></summary>
+
+Validated Editions: Windows 7, Windows 7 SP1
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.1.7600.16385][sp-1329]<p>[6.1.7601.17514][sp-1329]|[1329][certificate-1329]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1178][aes-1178]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#24][drbg-24]); DSA (Cert. [#386][dsa-386]); ECDSA (Cert. [#141][ecdsa-141]); HMAC (Cert. [#677][hmac-677]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#560][rsa-560]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385][sp-1328]<p>[6.1.7600.16915][sp-1328]<p>[6.1.7600.21092][sp-1328]<p>[6.1.7601.17514][sp-1328]<p>[6.1.7601.17725][sp-1328]<p>[6.1.7601.17919][sp-1328]<p>[6.1.7601.21861][sp-1328]<p>[6.1.7601.22076][sp-1328]|[1328][certificate-1328]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1178][aes-1178]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#24][drbg-24]); ECDSA (Cert. [#141][ecdsa-141]); HMAC (Cert. [#677][hmac-677]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#560][rsa-560]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
+|Boot Manager|[6.1.7600.16385][sp-1319]<p>[6.1.7601.17514][sp-1319]|[1319][certificate-1319]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)<p>Other algorithms: MD5|
+|Winload OS Loader (winload.exe)|[6.1.7600.16385][sp-1326]<p>[6.1.7600.16757][sp-1326]<p>[6.1.7600.20897][sp-1326]<p>[6.1.7600.20916][sp-1326]<p>[6.1.7601.17514][sp-1326]<p>[6.1.7601.17556][sp-1326]<p>[6.1.7601.21655][sp-1326]<p>[6.1.7601.21675][sp-1326]|[1326][certificate-1326]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
+|BitLocker™ Drive Encryption|[6.1.7600.16385][sp-1332]<p>[6.1.7600.16429][sp-1332]<p>[6.1.7600.16757][sp-1332]<p>[6.1.7600.20536][sp-1332]<p>[6.1.7600.20873][sp-1332]<p>[6.1.7600.20897][sp-1332]<p>[6.1.7600.20916][sp-1332]<p>[6.1.7601.17514][sp-1332]<p>[6.1.7601.17556][sp-1332]<p>[6.1.7601.21634][sp-1332]<p>[6.1.7601.21655][sp-1332]<p>[6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
+|Code Integrity (CI.DLL)|[6.1.7600.16385][sp-1327]<p>[6.1.7600.17122][sp-1327]v[6.1.7600.21320][sp-1327]<p>[6.1.7601.17514][sp-1327]<p>[6.1.7601.17950][sp-1327]v[6.1.7601.22108][sp-1327]|[1327][certificate-1327]|FIPS approved algorithms: RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.1.7600.16385][sp-1331]<p>(no change in SP1)|[1331][certificate-1331]|FIPS approved algorithms: DSA (Cert. [#385][dsa-385]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
+|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.1.7600.16385][sp-1330]<p>(no change in SP1)|[1330][certificate-1330]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#673][hmac-673]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#557][rsa-557] and [#559][rsa-559]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+
+</details>
+
+<details>
+<summary><b>Windows Vista SP1</b></summary>
+
+Validated Editions: Ultimate Edition
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Boot Manager (bootmgr)|[6.0.6001.18000 and 6.0.6002.18005][sp-978]|[978][certificate-978]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#760][aes-760]); HMAC (Cert. [#415][hmac-415]); RSA (Cert. [#354][rsa-354]); SHS (Cert. [#753][shs-753])|
+|Winload OS Loader (winload.exe)|[6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596][sp-979]|[979][certificate-979]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#760][aes-760]); RSA (Cert. [#354][rsa-354]); SHS (Cert. [#753][shs-753])<p>Other algorithms: MD5|
+|Code Integrity (ci.dll)|[6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005][sp-980]|[980][certificate-980]|FIPS approved algorithms: RSA (Cert. [#354][rsa-354]); SHS (Cert. [#753][shs-753])<p>Other algorithms: MD5|
+|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869][sp-1000]|[1000][certificate-1000]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#756][aes-756]); ECDSA (Cert. [#82][ecdsa-82]); HMAC (Cert. [#412][hmac-412]); RNG (Cert. [#435][rng-435] and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. [#353][rsa-353] and [#357][rsa-357]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656])#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+|Cryptographic Primitives Library (bcrypt.dll)|[6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872][sp-1002]|[1001][certificate-1001]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#756][aes-756]); DSA (Cert. [#283][dsa-283]); ECDSA (Cert. [#82][ecdsa-82]); HMAC (Cert. [#412][hmac-412]); RNG (Cert. [#435][rng-435] and SP 800-90, vendor affirmed); RSA (Certs. [#353][rsa-353] and [#357][rsa-357]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656])<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)|
+|Enhanced Cryptographic Provider (RSAENH)|[6.0.6001.22202 and 6.0.6002.18005][sp-1002]|[1002][certificate-1002]|FIPS approved algorithms: AES (Cert. [#739][aes-739]); HMAC (Cert. [#407][hmac-407]); RNG (SP 800-90, vendor affirmed); RSA (Certs. [#353][rsa-353] and [#354][rsa-354]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6001.18000 and 6.0.6002.18005][sp-1003]|[1003][certificate-1003]|FIPS approved algorithms: DSA (Cert. [#281][dsa-281]); RNG (Cert. [#435][rng-435]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656]); Triple-DES MAC (Triple-DES Cert. [#656][tdes-656], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
+
+</details>
+
+<details>
+<summary><b>Windows Vista</b></summary>
+
+Validated Editions: Ultimate Edition
+
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Enhanced Cryptographic Provider (RSAENH) | [6.0.6000.16386][sp-893] | [893][certificate-893] | FIPS approved algorithms: AES (Cert. [#553][aes-553]); HMAC (Cert. [#297][hmac-297]); RNG (Cert. [#321][rng-321]); RSA (Certs. [#255][rsa-255] and [#258][rsa-258]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549])<br/><br/>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6000.16386][sp-894]|[894][certificate-894]|FIPS approved algorithms: DSA (Cert. [#226][dsa-226]); RNG (Cert. [#321][rng-321]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549]); Triple-DES MAC (Triple-DES Cert. [#549][tdes-549], vendor affirmed)<br/><br/>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
+|BitLocker™ Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])<br/><br/>Other algorithms: Elephant Diffuser|
+|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067][sp-891]|[891][certificate-891]|FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)<br/><br/>Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5|
+
+</details>
+
+<details>
+<summary><b>Windows XP SP3</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.1.2600.5512][sp-997]|[997][certificate-997]|FIPS approved algorithms: HMAC (Cert. [#429][shs-429]); RNG (Cert. [#449][rng-449]); SHS (Cert. [#785][shs-785]); Triple-DES (Cert. [#677][tdes-677]); Triple-DES MAC (Triple-DES Cert. [#677][tdes-677], vendor affirmed)<p>Other algorithms: DES; MD5; HMAC MD5|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.1.2600.5507][sp-990]|[990][certificate-990]|FIPS approved algorithms: DSA (Cert. [#292][dsa-292]); RNG (Cert. [#448][rng-448]); SHS (Cert. [#784][shs-784]); Triple-DES (Cert. [#676][tdes-676]); Triple-DES MAC (Triple-DES Cert. [#676][tdes-676], vendor affirmed)<p>Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4|
+|Enhanced Cryptographic Provider (RSAENH)|[5.1.2600.5507][sp-989]|[989][certificate-989]|FIPS approved algorithms: AES (Cert. [#781][aes-781]); HMAC (Cert. [#428][shs-428]); RNG (Cert. [#447][rng-447]); RSA (Cert. [#371][rsa-371]); SHS (Cert. [#783][shs-783]); Triple-DES (Cert. [#675][tdes-675]); Triple-DES MAC (Triple-DES Cert. [#675][tdes-675], vendor affirmed)<p>Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits)|
+
+</details>
+
+<details>
+<summary><b>Windows XP SP2</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|DSS/Diffie-Hellman Enhanced Cryptographic Provider|[5.1.2600.2133][sp-240]|[240][certificate-240]|FIPS approved algorithms: Triple-DES (Cert. [#16][tdes-16]); DSA/SHA-1 (Cert. [#29][dsa-29])<p>Other algorithms: DES (Cert. [#66][des-66]); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)|
+|Microsoft Enhanced Cryptographic Provider|[5.1.2600.2161][sp-238]|[238][certificate-238]|FIPS approved algorithms: Triple-DES (Cert. [#81][tdes-81]); AES (Cert. [#33][aes-33]); SHA-1 (Cert. [#83][shs-83]); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. [#83][shs-83], vendor affirmed)<p>Other algorithms: DES (Cert. [#156][des-156]); RC2; RC4; MD5|
+
+
+</details>
+
+<details>
+<summary><b>Windows XP SP1</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Microsoft Enhanced Cryptographic Provider|[5.1.2600.1029][sp-238]|[238][certificate-238]|FIPS approved algorithms: Triple-DES (Cert. [#81][tdes-81]); AES (Cert. [#33][aes-33]); SHA-1 (Cert. [#83][shs-83]); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. [#83][shs-83], vendor affirmed)<p>Other algorithms: DES (Cert. [#156][des-156]); RC2; RC4; MD5|
+
+</details>
+
+<details>
+<summary><b>Windows XP</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Kernel Mode Cryptographic Module|[5.1.2600.0][sp-241]|[241][certificate-241]|FIPS approved algorithms: Triple-DES (Cert. [#16][tdes-16]); DSA/SHA-1 (Cert. [#35][dsa-35]); HMAC-SHA-1 (Cert. [#35][shs-35], vendor affirmed)<p>Other algorithms: DES (Cert. [#89][des-89])|
+
+</details>
+
+<details>
+<summary><b>Windows 2000 SP3</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.0.2195.1569][sp-106]|[106][certificate-106]|FIPS approved algorithms: Triple-DES (Cert. [#16][tdes-16]); SHA-1 (Certs. [#35][shs-35])<p>Other algorithms: DES (Certs. [#89][des-89])|
+|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[(Base DSS: 5.0.2195.3665 [SP3])][sp-103]<p>[(Base: 5.0.2195.3839 [SP3])][sp-103]<p>[(DSS/DH Enh: 5.0.2195.3665 [SP3])][sp-103]<p>[(Enh: 5.0.2195.3839 [SP3]][sp-103]|[103][certificate-103]|FIPS approved algorithms: Triple-DES (Cert. [#16][tdes-16]); DSA/SHA-1 (Certs. [#28][dsa-28] and [#29][dsa-29]); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65][des-65], [66][des-66], [67][des-67] and [68][des-68]); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5|
+
+</details>
+
+<details>
+<summary><b>Windows 2000 SP2</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.0.2195.1569][sp-106]|[106][certificate-106]|FIPS approved algorithms: Triple-DES (Cert. [#16][tdes-16]); SHA-1 (Certs. [#35][shs-35])<p>Other algorithms: DES (Certs. [#89][des-89])|
+|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[(Base DSS:][sp-103]<p>[5.0.2195.2228 [SP2])][sp-103]<p>[(Base:][sp-103]<p>[5.0.2195.2228 [SP2])][sp-103]<p>[(DSS/DH Enh:][sp-103]<p>[5.0.2195.2228 [SP2])][sp-103]<p>[(Enh:][sp-103]<p>[5.0.2195.2228 [SP2])][sp-103]|[103][certificate-103]|FIPS approved algorithms: Triple-DES (Cert. [#16][tdes-16]); DSA/SHA-1 (Certs. [#28][dsa-28] and [#29][dsa-29]); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65][des-65], [66][des-66], [67][des-67] and [68][des-68]); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5|
+
+</details>
+
+<details>
+<summary><b>Windows 2000 SP1</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|([Base DSS: 5.0.2150.1391 [SP1])][sp-103]<p>[(Base: 5.0.2150.1391 [SP1])][sp-103]<p>[(DSS/DH Enh: 5.0.2150.1391 [SP1])][sp-103]<p>[(Enh: 5.0.2150.1391 [SP1])][sp-103]|[103][certificate-103]|FIPS approved algorithms: Triple-DES (Cert. [#16][tdes-16]); DSA/SHA-1 (Certs. [#28][dsa-28] and [#29][dsa-29]); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65][des-65], [66][des-66], [67][des-67] and [68][des-68]); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5|
+
+</details>
+
+<details>
+<summary><b>Windows 2000</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[5.0.2150.1][sp-76]|[76][certificate-76]|FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. [#28][dsa-28] and [29][dsa-29]); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65][des-65], [66][des-66], [67][des-67] and [68][des-68]); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)|
+
+</details>
+
+<details>
+<summary><b>Windows 95 and Windows 98</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[5.0.1877.6 and 5.0.1877.7][sp-75]|[75][certificate-75]|FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. [#20][shs-20] and [21][shs-21]); DSA/SHA-1 (Certs. [#25][dsa-25] and [26][dsa-26]); RSA (vendor- affirmed)<p>Other algorithms: DES (Certs. [#61][des-61], [62][des-62], [63][des-63] and [64][des-64]); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)|
+
+</details>
+
+<details>
+<summary><b>Windows NT 4.0</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Base Cryptographic Provider|[5.0.1877.6 and 5.0.1877.7][sp-68]|[68][certificate-68]|FIPS approved algorithms: SHA-1 (Certs. [#20][shs-20] and [21][shs-21]); DSA/SHA- 1 (Certs. [#25][dsa-25] and [26][dsa-26]); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#61][des-61], [62][des-62], [63][des-63] and [64][des-64]); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)|
+
+</details>
+
+### Modules used by Windows Server
+
+For more details, expand each operating system section.
+
+<br>
+<details>
+<summary><b>Windows Server 2019, version 1809</b></summary>
+
+Validated Editions: Standard, Datacenter
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library|[10.0.17763][sp-3197]|[#3197][certificate-3197]|See Security Policy and Certificate page for algorithm information|
+|Kernel Mode Cryptographic Primitives Library|[10.0.17763][sp-3196]|[#3196][certificate-3196]|See Security Policy and Certificate page for algorithm information|
+|Code Integrity|[10.0.17763][sp-3644]|[#3644][certificate-3644]|See Security Policy and Certificate page for algorithm information|
+|Windows OS Loader|[10.0.17763][sp-3615]|[#3615][certificate-3615]|See Security Policy and Certificate page for algorithm information|
+|Secure Kernel Code Integrity|[10.0.17763][sp-3651]|[#3651][certificate-3651]|See Security Policy and Certificate page for algorithm information|
+|BitLocker Dump Filter|[10.0.17763][sp-3092]|[#3092][certificate-3092]|See Security Policy and Certificate page for algorithm information|
+|Boot Manager|[10.0.17763][sp-3089]|[#3089][certificate-3089]|See Security Policy and Certificate page for algorithm information|
+|Virtual TPM|[10.0.17763][sp-3690]|[#3690][certificate-3690]|See Security Policy and Certificate page for algorithm information|
+
+</details>
+
+<details>
+<summary><b>Windows Server, version 1803</b></summary>
+
+Validated Editions: Standard, Datacenter
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library|[10.0.17134][sp-3197]|[#3197][certificate-3197]|See Security Policy and Certificate page for algorithm information|
+|Kernel Mode Cryptographic Primitives Library|[10.0.17134][sp-3196]|[#3196][certificate-3196]|See Security Policy and Certificate page for algorithm information|
+|Code Integrity|[10.0.17134][sp-3195]|[#3195][certificate-3195]|See Security Policy and Certificate page for algorithm information|
+|Windows OS Loader|[10.0.17134][sp-3480]|[#3480][certificate-3480]|See Security Policy and Certificate page for algorithm information|
+|Secure Kernel Code Integrity|[10.0.17134][sp-3096]|[#3096][certificate-3096]|See Security Policy and Certificate page for algorithm information|
+|BitLocker Dump Filter|[10.0.17134][sp-3092]|[#3092][certificate-3092]|See Security Policy and Certificate page for algorithm information|
+|Boot Manager|[10.0.17134][sp-3089]|[#3089][certificate-3089]|See Security Policy and Certificate page for algorithm information|
+
+</details>
+
+<details>
+<summary><b>Windows Server, version 1709</b></summary>
+
+Validated Editions: Standard, Datacenter
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library|[10.0.16299][sp-3197]|[#3197][certificate-3197]|See Security Policy and Certificate page for algorithm information|
+|Kernel Mode Cryptographic Primitives Library|[10.0.16299][sp-3196]|[#3196][certificate-3196]|See Security Policy and Certificate page for algorithm information|
+|Code Integrity|[10.0.16299][sp-3195]|[#3195][certificate-3195]|See Security Policy and Certificate page for algorithm information|
+|Windows OS Loader|[10.0.16299][sp-3194]|[#3194][certificate-3194]|See Security Policy and Certificate page for algorithm information|
+|Secure Kernel Code Integrity|[10.0.16299][sp-3096]|[#3096][certificate-3096]|See Security Policy and Certificate page for algorithm information|
+|BitLocker Dump Filter|[10.0.16299][sp-3092]|[#3092][certificate-3092]|See Security Policy and Certificate page for algorithm information|
+|Windows Resume|[10.0.16299][sp-3091]|[#3091][certificate-3091]|See Security Policy and Certificate page for algorithm information|
+|Boot Manager|[10.0.16299][sp-3089]|[#3089][certificate-3089]|See Security Policy and Certificate page for algorithm information|
+
+</details>
+
+<details>
+<summary><b>Windows Server 2016</b></summary>
+
+Validated Editions: Standard, Datacenter, Storage Server
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
+|Boot Manager|[10.0.14393][sp-2931]|[2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
+|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
+|BitLocker® Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
+|Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: AES (non-compliant); MD5|
+|Secure Kernel Code Integrity (skci.dll)|[10.0.14393][sp-2938]|[2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])<p>Other algorithms: MD5|
+
+</details>
+
+<details>
+<summary><b>Windows Server 2012 R2</b></summary>
+
+Validated Editions: Server, Storage Server,
+
+**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
+|Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
+|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
+|BitLocker® Windows Resume (winresume)<sup>[16]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (dumpfve.sys)<sup>[17]</sup>|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
+|Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])<p>Other algorithms: MD5|
+
+<sup>\[16\]</sup> Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+<sup>\[17\]</sup> Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+
+</details>
+
+<details>
+<summary><b>Windows Server 2012</b></summary>
+
+Validated Editions: Server, Storage Server
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. #[1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
+|Boot Manager|[6.2.9200][sp-1895]|[1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker® Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
+|Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. [#1346][hmac-1346]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])<p>Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+</details>
+
+<details>
+<summary><b>Windows Server 2008 R2</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Boot Manager (bootmgr)|[6.1.7600.16385 or 6.1.7601.17514][sp-1321]|[1321][certificate-1321]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); RSA (Cert. [#568][rsa-568]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
+|Winload OS Loader (winload.exe)|[6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675][sp-1333]|[1333][certificate-1333]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); RSA (Cert. [#568][rsa-568]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
+|Code Integrity (ci.dll)|[6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108][sp-1334]|[1334][certificate-1334]|FIPS approved algorithms: RSA (Cert. [#568][rsa-568]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
+|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076][sp-1335]|[1335][certificate-1335]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#27][drbg-27]); ECDSA (Cert. [#142][ecdsa-142]); HMAC (Cert. [#686][hmac-686]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#567][rsa-567]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
+|Cryptographic Primitives Library (bcryptprimitives.dll)|[66.1.7600.16385 or 6.1.7601.17514][sp-1336]|[1336][certificate-1336]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#27][drbg-27]); DSA (Cert. [#391][dsa-391]); ECDSA (Cert. [#142][ecdsa-142]); HMAC (Cert. [#686][hmac-686]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#567][rsa-567]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4|
+|Enhanced Cryptographic Provider (RSAENH)|[6.1.7600.16385][sp-1337]|[1337][certificate-1337]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#687][hmac-687]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#559][rsa-559] and [#568][rsa-568]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.1.7600.16385][sp-1338]|[1338][certificate-1338]|FIPS approved algorithms: DSA (Cert. [#390][dsa-390]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
+|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
+
+</details>
+
+<details>
+<summary><b>Windows Server 2008</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Boot Manager (bootmgr)|[6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497][sp-1004]|[1004][certificate-1004]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#760][aes-760]); HMAC (Cert. [#415][hmac-415]); RSA (Cert. [#355][rsa-355]); SHS (Cert. [#753][shs-753])<p>Other algorithms: N/A|
+|Winload OS Loader (winload.exe)|[6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596][sp-1005]|[1005][certificate-1005]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#760][aes-760]); RSA (Cert. [#355][rsa-355]); SHS (Cert. [#753][shs-753])<p>Other algorithms: MD5|
+|Code Integrity (ci.dll)|[6.0.6001.18000 and 6.0.6002.18005][sp-1006]|[1006][certificate-1006]|FIPS approved algorithms: RSA (Cert. [#355][rsa-355]); SHS (Cert. [#753][shs-753])<p>Other algorithms: MD5|
+|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869][sp-1007]|[1007][certificate-1007]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#757][aes-757]); ECDSA (Cert. [#83][ecdsa-83]); HMAC (Cert. [#413][hmac-413]); RNG (Cert. [#435][rng-435] and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. [#353][rsa-353] and [#358][rsa-358]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656])<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+|Cryptographic Primitives Library (bcrypt.dll)|[6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872][sp-1008]|[1008][certificate-1008]|FIPS approved algorithms: AES (Certs. [#739][aes-739] and [#757][aes-757]); DSA (Cert. [#284][dsa-284]); ECDSA (Cert. [#83][ecdsa-83]); HMAC (Cert. [#413][hmac-413]); RNG (Cert. [#435][rng-435] and SP800-90, vendor affirmed); RSA (Certs. [#353][rsa-353] and [#358][rsa-358]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656])<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6001.18000 and 6.0.6002.18005][sp-1009]|[1009][certificate-1009]|FIPS approved algorithms: DSA (Cert. [#282][dsa-282]); RNG (Cert. [#435][rng-435]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656]); Triple-DES MAC (Triple-DES Cert. [#656][tdes-656], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
+|Enhanced Cryptographic Provider (RSAENH)|[6.0.6001.22202 and 6.0.6002.18005][sp-1010]|[1010][certificate-1010]|FIPS approved algorithms: AES (Cert. [#739][aes-739]); HMAC (Cert. [#408][hmac-408]); RNG (SP 800-90, vendor affirmed); RSA (Certs. [#353][rsa-353] and [#355][rsa-355]); SHS (Cert. [#753][shs-753]); Triple-DES (Cert. [#656][tdes-656])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+
+</details>
+
+<details>
+<summary><b>Windows Server 2003 SP2</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.3959][sp-875]|[875][certificate-875]|FIPS approved algorithms: DSA (Cert. [#221][dsa-221]); RNG (Cert. [#314][rng-314]); RSA (Cert. [#245][rsa-245]); SHS (Cert. [#611][shs-611]); Triple-DES (Cert. [#543][tdes-543])<p>Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4|
+|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.3959][sp-869]|[869][certificate-869]|FIPS approved algorithms: HMAC (Cert. [#287][hmac-287]); RNG (Cert. [#313][rng-313]); SHS (Cert. [#610][shs-610]); Triple-DES (Cert. [#542][tdes-542])<p>Other algorithms: DES; HMAC-MD5|
+|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.3959][sp-868]|[868][certificate-868]|FIPS approved algorithms: AES (Cert. [#548][aes-548]); HMAC (Cert. [#289][hmac-289]); RNG (Cert. [#316][rng-316]); RSA (Cert. [#245][rsa-245]); SHS (Cert. [#613][shs-613]); Triple-DES (Cert. [#544][tdes-544])<p>Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
+
+</details>
+
+<details>
+<summary><b>Windows Server 2003 SP1</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.1830 [SP1]][sp-405]|[405][certificate-405]|FIPS approved algorithms: Triple-DES (Certs. [#201][tdes-201][1] and [#370][tdes-370][1]); SHS (Certs. [#177][shs-177][1] and [#371][shs-371][2])<p>Other algorithms: DES (Cert. [#230][des-230][1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)<p>[1] x86<p>[2] SP1 x86, x64, IA64|
+|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.1830 [Service Pack 1])][sp-382]|[382][certificate-382]|FIPS approved algorithms: Triple-DES (Cert. [#192][tdes-192][1] and [#365][tdes-365][2]); AES (Certs. [#80][aes-80][1] and [#290][aes-290][2]); SHS (Cert. [#176][shs-176][1] and [#364][shs-364][2]); HMAC (Cert. [#176][shs-176], vendor affirmed[1] and [#99][hmac-99][2]); RSA (PKCS#1, vendor affirmed[1] and [#81][rsa-81][2])<p>Other algorithms: DES (Cert. [#226][des-226][1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5<p>[1] x86<p>[2] SP1 x86, x64, IA64|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.1830 [Service Pack 1]][sp-381]|[381][certificate-381]|FIPS approved algorithms: Triple-DES (Certs. [#199][tdes-199][1] and [#381][tdes-381][2]); SHA-1 (Certs. [#181][shs-181][1] and [#385][shs-385][2]); DSA (Certs. [#95][dsa-95][1] and [#146][dsa-146][2]); RSA (Cert. [#81][rsa-81])<p>Other algorithms: DES (Cert. [#229][des-229][1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40<p>[1] x86<p>[2] SP1 x86, x64, IA64|
+
+</details>
+
+<details>
+<summary><b>Windows Server 2003</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.0][sp-405]|[405][certificate-405]|FIPS approved algorithms: Triple-DES (Certs. [#201][tdes-201][1] and [#370][tdes-370][1]); SHS (Certs. [#177][shs-177][1] and [#371][shs-371][2])<p>Other algorithms: DES (Cert. [#230][des-230] [1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)<p>[1] x86<p>[2] SP1 x86, x64, IA64|
+|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.0][sp-382]|[382][certificate-382]|FIPS approved algorithms: Triple-DES (Cert. [#192][tdes-192][1] and [#365][tdes-365][2]); AES (Certs. [#80][aes-80][1] and [#290][aes-290][2]); SHS (Cert. [#176][shs-176][1] and [#364][shs-364][2]); HMAC (Cert. [#176][shs-176], vendor affirmed[1] and [#99][hmac-99][2]); RSA (PKCS#1, vendor affirmed[1] and [#81][rsa-81][2])<p>Other algorithms: DES (Cert. [#226][des-226][1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5<p>[1] x86<p>[2] SP1 x86, x64, IA64|
+|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.0][sp-381]|[381][certificate-381]|FIPS approved algorithms: Triple-DES (Certs. [#199][tdes-199][1] and [#381][tdes-381][2]); SHA-1 (Certs. [#181][shs-181][1] and [#385][shs-385][2]); DSA (Certs. [#95][dsa-95][1] and [#146][dsa-146][2]); RSA (Cert. [#81][rsa-81])<p>Other algorithms: DES (Cert. [#229][des-229][1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40<p>[1] x86<p>[2] SP1 x86, x64, IA64|
+
+</details>
+
+## Other Products
+
+For more details, expand each product section.
+
+<br>
+<details>
+<summary><b>Windows Embedded Compact 7 and Windows Embedded Compact 8</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Enhanced Cryptographic Provider|[7.00.2872 [1] and 8.00.6246 [2]][sp-2957]|[2957][certificate-2957]|FIPS approved algorithms: AES (Certs.[#4433][aes-4433]and[#4434][aes-4434]); CKG (vendor affirmed); DRBG (Certs.[#1432][drbg-1432]and[#1433][drbg-1433]); HMAC (Certs.[#2946][hmac-2946]and[#2945][hmac-2945]); RSA (Certs.[#2414][rsa-2414]and[#2415][rsa-2415]); SHS (Certs.[#3651][shs-3651]and[#3652][shs-3652]); Triple-DES (Certs.[#2383][tdes-2383]and[#2384][tdes-2384])<p>Allowed algorithms: HMAC-MD5, MD5, NDRNG|
+|Cryptographic Primitives Library (bcrypt.dll)|[7.00.2872 [1] and 8.00.6246 [2]][sp-2956]|[2956][certificate-2956]|FIPS approved algorithms: AES (Certs.[#4430][aes-4430]and[#4431][aes-4431]); CKG (vendor affirmed); CVL (Certs.[#1139][component-1139]and[#1140][component-1140]); DRBG (Certs.[#1429][drbg-1429]and[#1430][drbg-1430]); DSA (Certs.[#1187][dsa-1187]and[#1188][dsa-1188]); ECDSA (Certs.[#1072][ecdsa-1072]and[#1073][ecdsa-1073]); HMAC (Certs.[#2942][hmac-2942]and[#2943][hmac-2943]); KAS (Certs.[#114][kas-114]and[#115][kas-115]); RSA (Certs.[#2411][rsa-2411]and[#2412][rsa-2412]); SHS (Certs.[#3648][shs-3648]and[#3649][shs-3649]); Triple-DES (Certs.[#2381][tdes-2381]and[#2382][tdes-2382])<p>Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength|
+
+</details>
+
+<details>
+<summary><b>Windows CE 6.0 and Windows Embedded Compact 7</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Enhanced Cryptographic Provider|[6.00.1937 [1] and 7.00.1687 [2]][sp-825]|[825][certificate-825]|FIPS approved algorithms: AES (Certs. [#516][aes-516] [1] and [#2024][aes-2024] [2]); HMAC (Certs. [#267][shs-267] [1] and [#1227][hmac-1227] [2]); RNG (Certs. [#292][rng-292] [1] and [#1060][rng-1060] [2]); RSA (Cert. [#230][rsa-230] [1] and [#1052][rsa-1052] [2]); SHS (Certs. [#589][shs-589] [1] and #1774 [2]); Triple-DES (Certs. [#526][tdes-526] [1] and [#1308][tdes-1308] [2])<p>Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES|
+
+</details>
+
+<details>
+<summary><b>Outlook Cryptographic Provider</b></summary>
+
+|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
+|--- |--- |--- |--- |
+|Outlook Cryptographic Provider (EXCHCSP)|[SR-1A (3821)][sp-110]|[110][certificate-110]|FIPS approved algorithms: Triple-DES (Cert. [#18][tdes-18]); SHA-1 (Certs. [#32][shs-32]); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#91][des-91]); DES MAC; RC2; MD2; MD5|
+
+</details>
+
+## Cryprtographic algorithms
+
+The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.\
+For more details, expand each algorithm section.
+
+<br>
+<details>
+<summary><b>Advanced Encryption Standard (AES)</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-OFB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)|Microsoft Surface Hub Virtual TPM Implementations [#4904][aes-4904]<p>Version 10.0.15063.674|
+|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-OFB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#4903][aes-4903]<p>Version 10.0.16299|
+|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CCM:<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)<li>IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB8:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CMAC:<li>Generation:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>Verification:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-ECB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-GCM:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 96, 104, 112, 120, 128 (bits)<li>Plain Text Lengths: 0, 8, 1016, 1024 (bits)<li>Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)<li>96 bit IV supported<p>AES-XTS:<li>Key Size: 128:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full<li>Key Size: 256:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#4902][aes-4902]<p>Version 10.0.15063.674|
+|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CCM:<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)<li>IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB8:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CMAC:<li>Generation:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<li>Verification:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-ECB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-GCM:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 96, 104, 112, 120, 128 (bits)<li>Plain Text Lengths: 0, 8, 1016, 1024 (bits)<li>Additional authenticated data lengths: 0, 8, 1016, 1024 (bits),96 bit IV supported<p>AES-XTS:<li>Key Size: 128:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full<li>Key Size: 256:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#4901][aes-4901]<p>Version 10.0.15254|
+|AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CCM:<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)<li>IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB8:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CMAC:<li>Generation:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>Verification:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-ECB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-GCM:<li>Modes: Decrypt, Encrypt<li>IV Generation: External<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 96, 104, 112, 120, 128 (bits)<li>Plain Text Lengths: 0, 8, 1016, 1024 (bits)<li>Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)<li>96 bit IV supported<p>AES-XTS:<li>Key Size: 128:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full<li>Key Size: 256:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#4897][aes-4897]<p>Version 10.0.16299|
+|AES-KW:<li>Modes: Decrypt, Encrypt<li>CIPHK transformation direction: Forward<li>Key Lengths: 128, 192, 256 (bits)<li>Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)<p>AES [validation number 4902][aes-4902]|Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations [#4900][aes-4900]<p>Version 10.0.15063.674|
+|AES-KW:<li>Modes: Decrypt, Encrypt<li>CIPHK transformation direction: Forward<li>Key Lengths: 128, 192, 256 (bits)<li>Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)<p>AES [validation number 4901][aes-4901]|Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations [#4899][aes-4899]<p>Version 10.0.15254|
+|AES-KW:<li>Modes: Decrypt, Encrypt<li>CIPHK transformation direction: Forward<li>Key Lengths: 128, 192, 256 (bits)<li>Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)<p>AES [validation number 4897][aes-4897]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations [#4898][aes-4898]<p>Version 10.0.16299|
+|AES-CCM:<li>Key Lengths: 256 (bits)<li>Tag Lengths: 128 (bits)<li>IV Lengths: 96 (bits)<li>Plain<li>Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES [validation number 4902][aes-4902]|Microsoft Surface Hub BitLocker(R) Cryptographic Implementations [#4896][aes-4896]<p>Version 10.0.15063.674|
+|AES-CCM:<li>Key Lengths: 256 (bits)<li>Tag Lengths: 128 (bits)<li>IV Lengths: 96 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES [validation number 4901][aes-4901]|Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations [#4895][aes-4895]<p>Version 10.0.15254|
+|AES-CCM:<li>Key Lengths: 256 (bits)<li>Tag Lengths: 128 (bits)<li>IV Lengths: 96 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES [validation number 4897][aes-4897]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations [#4894][aes-4894]<p>Version 10.0.16299|
+|**CBC** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**OFB** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#4627][aes-4627]<p>Version 10.0.15063|
+|**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 4624][aes-4624]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations [#4626][aes-4626]<p>Version 10.0.15063|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4624][aes-4624]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations [#4625][aes-4625]<p>Version 10.0.15063|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC** (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported<p>GMAC supported<p>**XTS**((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#4624][aes-4624]<p>Version 10.0.15063|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#4434][aes-4434]<p>Version 7.00.2872|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#4433][aes-4433]<p>Version 8.00.6246|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#4431][aes-4431]<p>Version 7.00.2872|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#4430][aes-4430]<p>Version 8.00.6246|
+|**CBC** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**OFB** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#4074][aes-4074]<p>Version 10.0.14393|
+|**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#4064][aes-4064]<p>Version 10.0.14393|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#4063][aes-4063]<p>Version 10.0.14393|
+|**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#4062][aes-4062]<p>Version 10.0.14393|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061][aes-4061]<p>Version 10.0.14393|
+|**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" Cryptography Next Generation (CNG) Implementations [#3652][aes-3652]<p>Version 10.0.10586|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker® Cryptographic Implementations [#3653][aes-3653]<p>Version 10.0.10586|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" RSA32 Algorithm Implementations [#3630][aes-3630]<p>Version 10.0.10586|
+|**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)v**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d) (f)) **KS: XTS_256**((e/d) (f))|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" SymCrypt Cryptographic Implementations [#3629][aes-3629]<p>Version 10.0.10586|
+|**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#3507][aes-3507]<p>Version 10.0.10240|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498][aes-3498]<p>Version 10.0.10240|
+|**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC(Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#3497][aes-3497]<p>Version 10.0.10240|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#3476][aes-3476]<p>Version 10.0.10240|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2853][aes-2853]<p>Version 6.3.9600|
+|**CCM (KS: 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 2832][aes-2832]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations [#2848][aes-2848]<p>Version 6.3.9600|
+|**CCM (KS: 128, 192, 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification) (KS: 128**; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM (KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;<p>**OtherIVLen_Supported<p>GMAC supported**|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #[2832][aes-2832]<p>Version 6.3.9600|
+|**CCM (KS: 128, 192, 256**) **(Assoc. Data Len Range**: 0-0, 2^16) **(Payload Length Range**: 0 - 32 (**Nonce Length(s)**: 7 8 9 10 11 12 13 **(Tag Length(s)**: 4 6 8 10 12 14 16)<p>AES [validation number 2197][aes-2197]<p>**CMAC** (Generation/Verification) **(KS: 128;** Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 192**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 256**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16)<p>AES [validation number 2197][aes-2197]<p>**GCM(KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) **(KS: AES_192**(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:** (Externally); **PT Lengths Tested:** (0, 128, 1024, 8, 1016); **Additional authenticated data lengths tested:** (0, 128, 1024, 8, 1016); **IV Lengths Tested:** (8, 1024); **96 bit IV supported<p>GMAC supported**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#2216][aes-2216]|
+|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)<p>AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198][aes-2198]|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#2197][aes-2197]|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#2196][aes-2196]|
+|**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s): **4 6 8 10 12 14 16**)**<p>AES [validation number 1168][aes-1168]|Windows Server 2008 R2 and SP1 CNG algorithms [#1187][aes-1187]<p>Windows 7 Ultimate and SP1 CNG algorithms [#1178][aes-1178]|
+|**CCM (KS: 128, 256) (Assoc. Data Len Range: **0 - 8**) (Payload Length Range:** 4 - 32 **(Nonce Length(s):** 7 8 12 13 **(Tag Length(s): **4 6 8 14 16**)**<p>AES [validation number 1168][aes-1168]|Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations [#1177][aes-1177]|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#1168][aes-1168]|
+|**GCM**<p>**GMAC**|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#1168][aes-1168], vendor-affirmed|
+|**CCM (KS: 128, 256) (Assoc. Data Len Range: **0 - 8**) (Payload Length Range:** 4 - 32 **(Nonce Length(s):** 7 8 12 13 **(Tag Length(s): **4 6 8 14 16**)**|Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations [#760][aes-760]|
+|**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 1 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s):** 4 6 8 10 12 14 16**)**|Windows Server 2008 CNG algorithms [#757][aes-757]<p>Windows Vista Ultimate SP1 CNG algorithms [#756][aes-756]|
+|**CBC** (e/d; 128, 256);<p>**CCM** (**KS: 128, 256**) (**Assoc. Data Len Range**: 0 - 8) (**Payload Length Range**: 4 - 32 (**Nonce Length(s)**: 7 8 12 13 (**Tag Length(s)**: 4 6 8 14 16)|Windows Vista Ultimate BitLocker Drive Encryption [#715][aes-715]<p>Windows Vista Ultimate BitLocker Drive Encryption [#424][aes-424]|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation [#739][aes-739]<p>Windows Vista Symmetric Algorithm Implementation [#553][aes-553]|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#2023][aes-2023]|
+|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#2024][aes-2024]<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#818][aes-818]<p>Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#781][aes-781]<p>Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#548][aes-548]<p>Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#516][aes-516]<p>Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) [#507][aes-507]<p>Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#290][aes-290]<p>Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) [#224][aes-224]<p>Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) [#80][aes-80]<p>Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) [#33][aes-33]|
+
+</details>
+
+<details>
+<summary><b>Component</b></summary>
+
+|**Publication / Component Validated / Description**|**Implementation and Certificate #**|
+|--- |--- |
+|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#489][drbg-489]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#1540][component-1540]<p>Version 6.3.9600|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Microsoft Surface Hub Virtual TPM Implementations [#1519][component-1519]<p>Version 10.0.15063.674|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#1518][component-1518]<p>Version 10.0.16299|
+|RSADP:<p>Modulus Size: 2048 (bits)|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1517][component-1517]<p>Version 10.0.15063.674|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1516][component-1516]<p>Version 10.0.15063.674|
+|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1732][drbg-1732]|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1515][component-1515]<p>Version 10.0.15063.674|
+|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1732][drbg-1732]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1514][component-1514]<p>Version 10.0.15063.674|
+|RSADP:<p>Modulus Size: 2048 (bits)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1513][component-1513]<p>Version 10.0.15063.674|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1512][component-1512]<p>Version 10.0.15063.674|
+|<p>IKEv1:<li>Methods: Digital Signature, Pre-shared Key, Public Key Encryption<li>Pre-shared Key Length: 64-2048<p>Diffie-Hellman shared secrets:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4011][shs-4011], HMAC [#3269][hmac-3269]<p>IKEv2:<li>Derived Keying Material length: 192-1792<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4011][shs-4011], HMAC [#3269][hmac-3269]<p>TLS:<li>Supports TLS 1.0/1.1<li>Supports TLS 1.2:<p>SHA Functions: SHA-256, SHA-384<p>Prerequisite: SHS [#4011][shs-4011], HMAC [#3269][hmac-3269]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1511][component-1511]<p>Version 10.0.15063.674|
+|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1510][component-1510]<p>Version 10.0.15254|
+|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1509][component-1509]<p>Version 10.0.15254|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1508][component-1508]<p>Version 10.0.15254|
+|<p>IKEv1:<li>Methods: Digital Signature, Pre-shared Key, Public Key Encryption<li>Pre-shared Key Length: 64-2048<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4010][shs-4010], HMAC [#3268][hmac-3268]<p>IKEv2:<li>Derived Keying Material length: 192-1792<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4010][shs-4010], HMAC [#3268][hmac-3268]<p>TLS:<li>Supports TLS 1.0/1.1<li>Supports TLS 1.2:<p>SHA Functions: SHA-256, SHA-384<p>Prerequisite: SHS [#4010][shs-4010], HMAC [#3268][hmac-3268]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1507][component-1507]<p>Version 10.0.15254|
+|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1506][component-1506]<p>Version 10.0.15254|
+|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1505][component-1505]<p>Version 10.0.15254|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1504][component-1504]<p>Version 10.0.15254|
+|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1503][component-1503]<p>Version 10.0.16299|
+|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1502][component-1502]<p>Version 10.0.16299|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1501][component-1501]<p>Version 10.0.16299|
+|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1499][component-1499]<p>Version 10.0.16299|
+|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1498][component-1498]<p>Version 10.0.16299|
+|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  [#1497][component-1497]<p>Version 10.0.16299|
+|<p>IKEv1:<li>Methods: Digital Signature, Pre-shared Key, Public Key Encryption<li>Pre-shared Key Length: 64-2048<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4009][shs-4009], HMAC [#3267][hmac-3267]<p>IKEv2:<li>Derived Keying Material length: 192-1792<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4009][shs-4009], HMAC [#3267][hmac-3267]<p>TLS:<li>Supports TLS 1.0/1.1<li>Supports TLS 1.2:<p>SHA Functions: SHA-256, SHA-384<p>Prerequisite: SHS [#4009][shs-4009], HMAC [#3267][hmac-3267]|Windows 10 Home, Pro, Enterprise, Education,Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  [#1496][component-1496]<p>Version 10.0.16299|
+|FIPS186-4 ECDSA<p>Signature Generation of hash sized messages<p>ECDSA SigGen Component: CURVES(P-256 P-384 P-521)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1284][component-1284]<p>Version 10.0. 15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1279][component-1279]<p>Version 10.0. 15063<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#922][component-922]<p>Version 10.0.14393<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#894][component-894]<p>Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" MsBignum Cryptographic Implementations [#666][component-666]<p>Version 10.0.10586<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#288][component-288]<p>Version 6.3.9600|
+|FIPS186-4 RSA; PKCS#1 v2.1<p>RSASP1 Signature Primitive<p>RSASP1: (Mod2048: PKCS1.5 PKCSPSS)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#1285][component-1285]<p>Version 10.0.15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1282][component-1282]<p>Version 10.0.15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1280][component-1280]<p>Version 10.0.15063<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#893][component-893]<p>Version 10.0.14393<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#888][component-888]<p>Version 10.0.14393<p>Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" MsBignum Cryptographic Implementations [#665][component-665]<p>Version 10.0.10586<p>Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#572][component-572]<p>Version  10.0.10240<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations [#289][component-289]<p>Version 6.3.9600|
+|FIPS186-4 RSA; RSADP<p>RSADP Primitive<p>RSADP: (Mod2048)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1283][component-1283]<p>Version 10.0.15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1281][component-1281]<p>Version 10.0.15063<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#895][component-895]<p>Version 10.0.14393<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#887][component-887]<p>Version 10.0.14393<p>Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" Cryptography Next Generation (CNG) Implementations [#663][component-663]<p>Version 10.0.10586<p>Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#576][component-576]<p>Version  10.0.10240|
+|SP800-135<p>Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  [#1496][component-1496]<p>Version 10.0.16299<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1278][component-1278]<p>Version 10.0.15063<p>Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1140][component-1140]<p>Version 7.00.2872<p>Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1139][component-1139]<p>Version 8.00.6246<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp [#886][component-886]<p>Version 10.0.14393<p>Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BCryptPrimitives and NCryptSSLp [#664][component-664]<p>Version 10.0.10586<p>Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp [#575][component-575]<p>Version  10.0.10240<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp [#323][component-323]<p>Version 6.3.9600|
+
+</details>
+
+<details>
+<summary><b>Deterministic Random Bit Generator (DRBG)</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function not used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4904][aes-4904]|Microsoft Surface Hub Virtual TPM Implementations [#1734][drbg-1734]<p>Version 10.0.15063.674|
+|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function not used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4903][aes-4903]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#1733][drbg-1733]<p>Version 10.0.16299|
+|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4902][aes-4902]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1732][drbg-1732]<p>Version 10.0.15063.674|
+|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4901][aes-4901]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1731][drbg-1731]<p>Version 10.0.15254|
+|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4897][aes-4897]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1730][drbg-1730]<p>Version 10.0.16299|
+|**CTR_DRBG:** [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256)<p>(AES [validation number 4627][aes-4627])]|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#1556][drbg-1556]<p>Version 10.0.15063|
+|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256 (AES [validation number 4624][aes-4624])]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1555][drbg-1555]<p>Version 10.0.15063|
+|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4434][aes-4434])]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#1433][drbg-1433]<p>Version 7.00.2872|
+|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4433][aes-4433])]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#1432][drbg-1432]<p>Version 8.00.6246|
+|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4431][aes-4431])]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1430][drbg-1430]<p>Version 7.00.2872|
+|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4430][aes-4430])]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1429][drbg-1429]<p>Version 8.00.6246|
+|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4074][aes-4074])]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#1222][drbg-1222]<p>Version 10.0.14393|
+|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 4064][aes-4064])]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#1217][drbg-1217]<p>Version 10.0.14393|
+|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 3629][aes-3629])]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations [#955][drbg-955]<p>Version 10.0.10586|
+|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 3497][aes-3497])]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#868][drbg-868]<p>Version 10.0.10240|
+|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 2832][aes-2832])]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#489][drbg-489]<p>Version 6.3.9600|
+|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 2197][aes-2197])]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#258][drbg-258]|
+|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 2023][aes-2023])]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#193][drbg-193]|
+|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 1168][aes-1168])]|Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library [#23][drbg-23]|
+|**DRBG** (SP 800-90)|Windows Vista Ultimate SP1, vendor-affirmed|
+
+</details>
+
+<details>
+<summary><b>Digital Signature Algorithm (DSA)</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|DSA:<li>186-4:<p>PQGGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>PQGVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>KeyPair:<li>L = 2048, N = 256<li>L = 3072, N = 256<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1732][drbg-1732]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1303][dsa-1303]<p>Version 10.0.15063.674|
+|DSA:<li>186-4:<p>PQGGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>PQGVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>KeyPair:<li>L = 2048, N = 256<li>L = 3072, N = 256<p>Prerequisite: SHS [#4010][shs-4010], DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1302][dsa-1302]<p>Version 10.0.15254|
+|DSA:<li>186-4:<p>PQGGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>PQGVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>KeyPair:<li>L = 2048, N = 256<li>L = 3072, N = 256<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1301][dsa-1301]<p>Version 10.0.16299|
+|**FIPS186-4:**<br>**PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>**KeyPairGen**:   [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)** PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number 3790][shs-3790]<p>DRBG: [validation number  1555][drbg-1555]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1223][dsa-1223]<p>Version 10.0.15063|
+|**FIPS186-4:<br>PQG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>**SIG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>SHS: [validation number  3649][shs-3649]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1188][dsa-1188]<p>Version 7.00.2872|
+|**FIPS186-4:<br>PQG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>**SIG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>SHS: [validation number 3648][shs-3648]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1187][dsa-1187]<p>Version 8.00.6246|
+|**FIPS186-4:<br>PQG(gen)** PARMS TESTED: [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>KeyPairGen:    [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  3347][shs-3347]<p>DRBG: [validation number  1217][drbg-1217]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#1098][dsa-1098]<p>Version 10.0.14393|
+|**FIPS186-4:<br>PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>KeyPairGen:    [(2048,256); (3072,256)] **SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  3047][shs-3047]<p>DRBG: [validation number  955][drbg-955]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" MsBignum Cryptographic Implementations [#1024][dsa-1024]<p>Version 10.0.10586|
+|**FIPS186-4:<br>PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>KeyPairGen: [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] **SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  2886][shs-2886]<p>DRBG: [validation number  868][drbg-868]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#983][dsa-983]<p>Version 10.0.10240|
+|**FIPS186-4:<br>PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver**)PARMS TESTED:   [(2048,256), SHA(256); (3072,256) SHA(256)]<br>KeyPairGen:    [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  2373][shs-2373]<p>DRBG: [validation number  489][drbg-489]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#855][dsa-855]<p>Version 6.3.9600|
+|**FIPS186-2**:<p>**PQG(ver)** MOD(1024);<p>**SIG(ver)** MOD(1024);<p>SHS: [#1903][shs-1903]<P>DRBG: [#258][drbg-258]<p>**FIPS186-4: PQG(gen)PARMS TESTED**: [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)PARMS TESTED**: [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(gen)PARMS TESTED**: [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)PARMS TESTED**: [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [#1903][shs-1903]<p>DRBG: [#258][drbg-258]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#687][dsa-687]|
+|**FIPS186-2:<br>PQG(ver)** MOD(1024);<p>**SIG(ver)** MOD(1024);<p>SHS: [#1902][shs-1902]<p>DRBG: [#258][drbg-258]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) [#686][dsa-686]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  1773][shs-1773]<p>DRBG: [validation number  193][drbg-193]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#645][dsa-645]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  1081][shs-1081]<p>DRBG: [validation number  23][drbg-23]|Windows Server 2008 R2 and SP1 CNG algorithms [#391][dsa-391]<p>Windows 7 Ultimate and SP1 CNG algorithms [#386][dsa-386]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  1081][shs-1081]<p>RNG: [validation number  649][rng-649]|Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) [#390][dsa-390]<p>Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) [#385][dsa-385]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  753][shs-753]|Windows Server 2008 CNG algorithms [#284][dsa-284]<p>Windows Vista Ultimate SP1 CNG algorithms [#283][dsa-283]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  753][shs-753]<p>RNG: [validation number  435][rng-435]|Windows Server 2008 Enhanced DSS (DSSENH) [#282][dsa-282]<p>Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) [#281][dsa-281]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  618][shs-618]<p>RNG: [validation number  321][rng-321]|Windows Vista CNG algorithms [#227][dsa-227]<p>Windows Vista Enhanced DSS (DSSENH) [#226][dsa-226]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  784][shs-784]<p>RNG: [validation number  448][rng-448]|Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#292][dsa-292]|
+|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  783][shs-783]<p>RNG: [validation number  447][rng-447]|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#291][dsa-291]|
+|**FIPS186-2:<br>PQG(gen)** MOD(1024);<p>**PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);<p>**SIG(gen)** MOD(1024);<P>**SIG(ver)** MOD(1024);<p>SHS: [validation number  611][shs-611]<p>RNG: [validation number  314][rng-314]|Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#221][dsa-221]|
+|**FIPS186-2:<br>PQG(gen)** MOD(1024);<p>**PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);<p>**SIG(gen)** MOD(1024);v**SIG(ver)** MOD(1024);vSHS: [validation number  385][shs-385]|Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#146][dsa-146]|
+|**FIPS186-2:<br>PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);v**SIG(gen)** MOD(1024);<p>**SIG(ver)** MOD(1024);<p>SHS: [validation number  181][shs-181]|Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#95][dsa-95]|
+|**FIPS186-2:<br>PQG(gen)** MOD(1024);<p>**PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);<p>**SIG(gen)** MOD(1024); SHS: SHA-1 (BYTE)<p>**SIG(ver)** MOD(1024); SHS: SHA-1 (BYTE)|Windows 2000 DSSENH.DLL [#29][dsa-29]<p>Windows 2000 DSSBASE.DLL [#28][dsa-28]<p>Windows NT 4 SP6 DSSENH.DLL [#26][dsa-26]<p>Windows NT 4 SP6 DSSBASE.DLL [#25][dsa-25]|
+|**FIPS186-2: PRIME;<br>FIPS186-2:**<p>**KEYGEN(Y):**SHS: SHA-1 (BYTE)<p>**SIG(gen):SIG(ver)** MOD(1024);<p>SHS: SHA-1 (BYTE)|Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider [#17][dsa-17]|
+
+</details>
+
+<details>
+<summary><b>Elliptic Curve Digital Signature Algorithm (ECDSA)</b></summary>
+
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|<p>ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#2373][shs-2373], DRBG [#489][drbg-489]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#1263][ecdsa-1263]<p>Version 6.3.9600|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384<li>Generation Methods: Testing Candidates<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1734][drbg-1734]|Microsoft Surface Hub Virtual TPM Implementations [#1253][ecdsa-1253]<p>Version 10.0.15063.674|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384<li>Generation Methods: Testing Candidates<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1733][drbg-1733]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#1252][ecdsa-1252]<p>Version 10.0.16299|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1732][drbg-1732]|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1251][ecdsa-1251]<p>Version 10.0.15063.674|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1732][drbg-1732]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1250][ecdsa-1250]<p>Version 10.0.15063.674|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4010][shs-4010], DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1249][ecdsa-1249]<p>Version 10.0.15254|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4010][shs-4010], DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1248][ecdsa-1248]<p>Version 10.0.15254|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1247][ecdsa-1247]<p>Version 10.0.16299|
+|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1246][ecdsa-1246]<p>Version 10.0.16299|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 TestingCandidates)<p>SHS: [validation number 3790][shs-3790]<p>DRBG: [validation number  1555][drbg-1555]|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#1136][ecdsa-1136]<p>Version 10.0.15063|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number 3790][shs-3790]<p>DRBG: [validation number  1555][drbg-1555]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1135][ecdsa-1135]<p>Version 10.0.15063|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number 3790][shs-3790]<p>DRBG: [validation number  1555][drbg-1555]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1133][ecdsa-1133]<p>Version 10.0.15063|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SigVer: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))<p>**SHS:**[validation number  3649][shs-3649]<p>**DRBG:**[validation number  1430][drbg-1430]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1073][ecdsa-1073]<p>Version 7.00.2872|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SigVer: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))<p>**SHS:**[validation number 3648][shs-3648]<p>**DRBG:**[validation number  1429][drbg-1429]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1072][ecdsa-1072]<p>Version 8.00.6246|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 TestingCandidates)v**PKV: CURVES**(P-256 P-384)<p>**SigGen: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.v**SigVer: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))<p>SHS: [validation number  3347][shs-3347]<p>DRBG: [validation number  1222][drbg-1222]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#920][ecdsa-920]<p>Version 10.0.14393|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))vSHS: [validation number  3347][shs-3347]<p>DRBG: [validation number  1217][drbg-1217]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#911][ecdsa-911]<p>Version 10.0.14393|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number  3047][shs-3047]<p>DRBG: [validation number  955][drbg-955]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" MsBignum Cryptographic Implementations [#760][ecdsa-760]<p>Version 10.0.10586|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer**: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number  2886][shs-2886]<p>DRBG: [validation number  868][drbg-868]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#706][ecdsa-706]<p>Version 10.0.10240|
+|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number 2373][shs-2373]<p>DRBG: [validation number  489][drbg-489]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#505][ecdsa-505]<p>Version 6.3.9600|
+|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [#1903][shs-1903]<p>**DRBG**: [#258][drbg-258]<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [#1903][shs-1903]<p>**DRBG**: [#258][drbg-258]<p>**FIPS186-4: <br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>**SHS**: [#1903][shs-1903]<p>**DRBG**: [#258][drbg-258].|Windows 8,<p>Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#341][ecdsa-341]|
+|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1773][shs-1773]<p>**DRBG**: [validation number  193][drbg-193]<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1773][shs-1773]<p>**DRBG**: [validation number  193][drbg-193]<p>**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>**SHS**: [validation number 1773][shs-1773]<p>**DRBG**: [validation number  193][drbg-193].|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#295][ecdsa-295]|
+|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1081][shs-1081]<p>**DRBG**: [validation number  23][drbg-23]<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1081][shs-1081]<p>**DRBG**: [validation number  23][drbg-23].|Windows Server 2008 R2 and SP1 CNG algorithms [#142][ecdsa-142]<p>Windows 7 Ultimate and SP1 CNG algorithms [#141][ecdsa-141]|
+|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 753][shs-753]<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 753][shs-753].|Windows Server 2008 CNG algorithms [#83][ecdsa-83]<p>Windows Vista Ultimate SP1 CNG algorithms [#82][ecdsa-82]|
+|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 618][shs-618]<p>**RNG**: [validation number  321][shs-618]<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 618][shs-618]<p>**RNG**: [validation number  321][rng-321].|Windows Vista CNG algorithms [#60][ecdsa-60]|
+
+</details>
+
+<details>
+<summary><b>Keyed-Hash Message Authentication Code (HMAC)</b></summary>
+
+|**Modes / States / <li>Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|<p>HMAC-SHA-1:<li><li>Key Sizes &lt; Block Size<li><li>Key Sizes &gt; Block Size<li><li>Key Sizes = Block Size<p><p>HMAC-SHA2-256:<li><li>Key Sizes &lt; Block Size<li><li>Key Sizes &gt; Block Size<li><li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4011][shs-4011]|Microsoft Surface Hub Virtual TPM Implementations [#3271][hmac-3271]<p>Version 10.0.15063.674|
+|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4009][shs-4009]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#3270][hmac-3270]<p>Version 10.0.16299|
+|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-512:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4011][shs-4011]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#3269][hmac-3269]<p>Version 10.0.15063.674|
+|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-512:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4010][shs-4010]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#3268][hmac-3268]<p>Version 10.0.15254|
+|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-512:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4009][shs-4009]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#3267][hmac-3267]<p>Version 10.0.16299|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3790][shs-3790]<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790][shs-3790]<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790][shs-3790]|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#3062][hmac-3062]<p>Version 10.0.15063|
+|<p> **HMAC-SHA1(Key Sizes Ranges Tested:** KSBS) SHS [validation number 3790][shs-3790]<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790][shs-3790]<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790][shs-3790]<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790][shs-3790]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#3061][hmac-3061]<p>Version 10.0.15063|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3652][shs-3652]<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3652][shs-3652]<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3652][shs-3652]<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number 3652][shs-3652]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2946][hmac-2946]<p>Version 7.00.2872|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3651][shs-3651]<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3651][shs-3651]<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3651][shs-3651]<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number 3651][shs-3651]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2945][hmac-2945]<p>Version 8.00.6246|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number  3649][shs-3649]<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number  3649][shs-3649]<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number  3649][shs-3649]<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number  3649][shs-3649]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2943][hmac-2943]<p>Version 7.00.2872|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3648][shs-3648]<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3648][shs-3648]<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3648][shs-3648]<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number 3648][shs-3648]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2942][hmac-2942]<p>Version 8.00.6246|
+|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<p>SHS [validation number  3347][shs-3347]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS) SHS [validation number  3347][shs-3347]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS) SHS [validation number  3347][shs-3347]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#2661][hmac-2661]<p>Version 10.0.14393|
+|<p> **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number  3347][shs-3347]<p> **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number  3347][shs-3347]<p> **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number  3347][shs-3347]<p> **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number  3347][shs-3347]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#2651][hmac-2651]<p>Version 10.0.14393|
+|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS [validation number  3047][shs-3047]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number  3047][shs-3047]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number  3047][shs-3047]<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number  3047][shs-3047]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" SymCrypt Cryptographic Implementations [#2381][hmac-2381]<p>Version 10.0.10586|
+|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>[ SHSvalidation number  2886][shs-2886]<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2233][hmac-2233]<p>Version 10.0.10240|
+|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1773][hmac-1773]<p>Version 6.3.9600|
+|<p> **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]|Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) [#2122][hmac-2122]<p>Version 5.2.29344|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347][hmac-1347]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #[1346][hmac-1346]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #[1345][hmac-1345]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<br>**Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll), [#1364][hmac-1364]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1774][shs-1774]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1774][shs-1774]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1774][shs-1774]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1774][shs-1774]|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1227][hmac-1227]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1081][shs-1081]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1081][shs-1081]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1081][shs-1081]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1081][shs-1081]|Windows Server 2008 R2 and SP1 CNG algorithms [#686][hmac-686]<p>Windows 7 and SP1 CNG algorithms [#677][hmac-677]<p>Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) [#687][hmac-687]<p>Windows 7 Enhanced Cryptographic Provider (RSAENH) [#673][hmac-673]|
+|<p> **HMAC-SHA1(Key Sizes Ranges Tested: KS**[validation number 1081][shs-1081]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 1081][shs-1081]|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations [#675][hmac-675]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 816][shs-816]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 816][shs-816]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 816][shs-816]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 816][shs-816]|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#452][hmac-452]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[validation number 753][shs-753]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 753][shs-753]|Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations [#415][hmac-415]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 753][shs-753]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 753][shs-753]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 753][shs-753]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS)** SHS [validation number 753][shs-753]|Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) [#408][hmac-408]<p>Windows Vista Enhanced Cryptographic Provider (RSAENH) [#407][hmac-407]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHS** [validation number 618][shs-618]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 618][shs-618]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 618][shs-618]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 618][shs-618]|Windows Vista Enhanced Cryptographic Provider (RSAENH) [#297][hmac-297]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 785][shs-785]|Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#429][hmac-429]<p>Windows XP, vendor-affirmed|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 783][shs-783]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 783][shs-783]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 783][shs-783]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 783][shs-783]|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#428][hmac-428]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 613][shs-613]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 613][shs-613]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 613][shs-613]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 613][shs-613]|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#289][hmac-289]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 610][shs-610]|Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#287][hmac-287]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 753][shs-753]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 753][shs-753]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 753][shs-753]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 753][shs-753]|Windows Server 2008 CNG algorithms [#413][hmac-413]<p>Windows Vista Ultimate SP1 CNG algorithms [#412][hmac-412]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[validation number 737][shs-737]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 737][shs-737]|Windows Vista Ultimate BitLocker Drive Encryption [#386][hmac-386]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 618][shs-618]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 618][shs-618]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 618][shs-618]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 618][shs-618]|Windows Vista CNG algorithms [#298][hmac-298]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 589][shs-589]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHS** [validation number 589][shs-589]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 589][shs-589]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 589][shs-589]|Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#267][hmac-267]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 578][shs-578]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 578][shs-578]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 578][shs-578]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 578][shs-578]|Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) [#260][hmac-260]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[validation number 495][shs-495]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 495][shs-495]|Windows Vista BitLocker Drive Encryption [#199][hmac-199]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 364][shs-364]|Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#99][hmac-99]<p>Windows XP, vendor-affirmed|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 305][shs-305]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 305][shs-305]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 305][shs-305]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 305][shs-305]|Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#31][hmac-31]|
+
+</details>
+
+<details>
+<summary><b>Key Agreement Scheme (KAS)</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|KAS ECC: <br>Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration<p>Schemes:<br><p>Full Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<br>Prerequisite: SHS [#4011][shs-4011], ECDSA [#1253][ecdsa-1253], DRBG [#1734][drbg-1734]|Microsoft Surface Hub Virtual TPM Implementations [#150][kas-150]<p>Version 10.0.15063.674|
+|KAS ECC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration<p>Schemes:<br><p>Full Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<br>Prerequisite: SHS [#4009][shs-4009], ECDSA [#1252][ecdsa-1252], DRBG [#1733][drbg-1733]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#149][kas-149]<p>Version 10.0.16299|
+|KAS ECC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration<p>Schemes:<p>Ephemeral Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>One-Pass DH:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>Static Unified:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<p><li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<br>Prerequisite: SHS [#4011][shs-4011], ECDSA [#1250][ecdsa-1250], DRBG [#1732][drbg-1732]<p>KAS FFC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation<p>Schemes:<p>dhEphem:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhOneFlow:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC<li>SHA: SHA-256<li>MAC: HMAC<p>dhStatic:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<br>Prerequisite: SHS [#4011][shs-4011], DSA [#1303][dsa-1303], DRBG [#1732][drbg-1732]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#148][kas-148]<p>Version 10.0.15063.674|
+|KAS ECC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration<p>Schemes:<p>Ephemeral Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMA<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>One-Pass DH:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>Static Unified:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<br>Prerequisite: SHS [#4010][shs-4010], ECDSA [#1249][ecdsa-1249], DRBG [#1731][drbg-1731]<p>KAS FFC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation<p>Schemes:<p>dhEphem:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhOneFlow:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC<li>SHA: SHA-256<li>MAC: HMAC<p>dhStatic:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<br>Prerequisite: SHS [#4010][shs-4010], DSA [#1302][dsa-1302], DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#147][kas-147]<p>Version 10.0.15254|
+|KAS ECC:<p><br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration<p>Schemes:<p>Ephemeral Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>One-Pass DH:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>Static Unified:<p><li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<br>Prerequisite: SHS [#4009][shs-4009], ECDSA [#1246][ecdsa-1246], DRBG [#1730][drbg-1730]<p>KAS FFC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation<p>Schemes:<p>dhEphem:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhOneFlow:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhStatic:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<br>Prerequisite: SHS [#4009][shs-4009], DSA [#1301][dsa-1301], DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#146][kas-146]<p>Version 10.0.16299|
+|**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) **SCHEMES** [**FullUnified** (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC)]<P>SHS [validation number 3790][shs-3790]<P>DSA [validation number 1135][dsa-1135]<p>DRBG [validation number 1556][drbg-1556]|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#128][kas-128]<p>Version 10.0.15063|
+|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES** [**dhEphem** (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[**dhOneFlow** (**FB:** SHA256) (**FC:** SHA256)]<p>[**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:** SHA256 HMAC) (**FC:** SHA256   HMAC)]<P>SHS [validation number 3790][shs-3790]<P>DSA [validation number 1223][dsa-1223]<p>DRBG [validation number 1555][drbg-1555]**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) **SCHEMES** [**EphemeralUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number 3790][shs-3790]<P>ECDSA [validation number 1133][ecdsa-1133]DRBG [validation number 1555][drbg-1555]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#127][kas-127]<p>Version 10.0.15063|
+|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES** [**dhEphem** (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[**dhOneFlow** (KARole(s): Initiator / Responder) (**FB:** SHA256) (**FC:** SHA256)] [**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:** SHA256 HMAC) (**FC:** SHA256   HMAC)]<P>SHS [validation number  3649][shs-3649]<P>DSA [validation number 1188][dsa-1188]<p>DRBG [validation number 1430][drbg-1430]<p>**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration)<p>**SCHEMES** [**EphemeralUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#115][kas-115]<p>Version 7.00.2872|
+|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES** [**dhEphem** (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[**dhHybridOneFlow** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:**SHA256 HMAC) (**FC:** SHA256   HMAC)]<p>[**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:**SHA256 HMAC) (**FC:** SHA256   HMAC)]<P>SHS [validation number 3648][shs-3648]<P>DSA [validation number 1187][dsa-1187]<p>DRBG [validation number 1429][drbg-1429]<p>**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration)<p>**SCHEMES** [**EphemeralUnified** (**No_KC**) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number 3648][shs-3648]<P>ECDSA [validation number 1072][ecdsa-1072]<p>DRBG [validation number 1429][drbg-1429]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#114][kas-114]<p>Version 8.00.6246|
+|**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)<p>**SCHEMES  [FullUnified  (No_KC**  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt;) (**EC:**  P-256   SHA256   HMAC) (**ED:**  P-384   SHA384   HMAC)]<P>SHS [validation number  3347][shs-3347] ECDSA [validation number 920][ecdsa-920] DRBG [validation number 1222][drbg-1222]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#93][kas-93]<p>Version 10.0.14393|
+|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES**  [dhEphem  (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (**FB:**  SHA256) (**FC:**  SHA256)] [**dhStatic (No_KC**  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number  3347][shs-3347] DSA [validation number 1098][dsa-1098] DRBG [validation number 1217][drbg-1217]<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) **SCHEMES**  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number  3347][shs-3347] DSA [validation number 1098][dsa-1098] ECDSA [validation number 911][ecdsa-911] DRBG [validation number 1217][drbg-1217] HMAC [validation number 2651][hmac-2651]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#92][kas-92]<p>Version 10.0.14393|
+|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number  3047][shs-3047] DSA [validation number 1024][dsa-1024] DRBG [validation number 955][drbg-955]<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number  3047][shs-3047] ECDSA [validation number 760][ecdsa-760] DRBG [validation number 955][drbg-955]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations [#72][dsa-72]<p>Version 10.0.10586|
+|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number  2886][shs-2886] DSA [validation number 983][dsa-983] DRBG [validation number 868][drbg-868]<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number  2886][shs-2886] ECDSA [validation number 706][ecdsa-706] DRBG [validation number 868][drbg-868]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#64][kas-64]<p>Version 10.0.10240|
+|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number 2373][shs-2373] DSA [validation number 855][dsa-855] DRBG [validation number 489][drbg-489]<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number 2373][shs-2373] ECDSA [validation number 505][ecdsa-505] DRBG [validation number 489][drbg-489]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations [#47][kas-47]<p>Version 6.3.9600|
+|**FFC**: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [**dhEphem** (KARole(s): Initiator / Responder)<p>(**FA**: SHA256) (**FB**: SHA256) (**FC**: SHA256)]<p>[**dhOneFlow** (KARole(s): Initiator / Responder) (**FA**: SHA256) (**FB**: SHA256) (**FC**: SHA256)]<p>[**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FA**: SHA256 HMAC) (**FB**: SHA256 HMAC) (**FC**: SHA256 HMAC)]<P>SHS [#1903][shs-1903] DSA [validation number 687][dsa-687] DRBG [#258][drbg-258]<p>**ECC**: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) **SCHEMES**<p>[**EphemeralUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (**ED**: P-384 SHA384 HMAC) (**EE**: P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH(No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC**: P-256 SHA256) (**ED**: P-384 SHA384) (**EE**: P-521 (SHA512, HMAC_SHA512)))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC**: P-256 SHA256 HMAC) (**ED**: P-384 SHA384 HMAC) (**EE**: P-521 HMAC (SHA512, HMAC_SHA512))]<P>SHS [#1903][shs-1903] <P>ECDSA [validation number 341][ecdsa-341] DRBG [#258][drbg-258]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#36][kas-36]|
+|**KAS (SP 800-56A)**<li>Key Agreement: Key establishment methodology provides 80 bits to 256 bits of encryption strength|Windows 7 and SP1, vendor-affirmed<p>Windows Server 2008 R2 and SP1, vendor-affirmed|
+
+</details>
+
+<details>
+<summary><b>SP 800-108 Key-Based Key Derivation Functions (KBKDF)</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|Counter:<p>MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384<p>MAC prerequisite: HMAC [#3271][hmac-3271]<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: DRBG [#1734][drbg-1734], KAS [#150][kas-150]|Microsoft Surface Hub Virtual TPM Implementations [#161][kdf-161]<p>Version 10.0.15063.674|
+|Counter:<p>MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384<p>MAC prerequisite: HMAC [#3270][hmac-3270]<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: DRBG [#1733][drbg-1733], KAS [#149][kas-149]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#160][kdf-160]<p>Version 10.0.16299|
+|Counter:<p>MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512<p>MAC prerequisite: AES [#4902][aes-4902], HMAC [#3269][hmac-3269]<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: KAS [#148][kas-148]|Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations [#159][kdf-159]<p>Version 10.0.15063.674|
+|Counter:<p>MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512<p>MAC prerequisite: AES [#4901][aes-4901], HMAC [#3268][hmac-3268]<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: KAS [#147][kas-147]|Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations [#158][kdf-158]<p>Version 10.0.15254|
+|Counter:<p>MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512<p>MAC prerequisite: AES [#4897][aes-4897], HMAC [#3267][hmac-3267]<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: KAS [#146][kas-146]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations [#157][kdf-157]<p>Version 10.0.16299|
+|**CTR_Mode:** (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256][HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 128][kas-128]<p>DRBG [validation number 1556][drbg-1556]<p>MAC [validation number 3062][hmac-3062]|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#141][kdf-141]<p>Version 10.0.15063|
+|**CTR_Mode:** (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 127][kas-127]<p>AES [validation number 4624][aes-4624]<p>DRBG [validation number 1555][drbg-1555]<p>MAC [validation number 3061][hmac-3061]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations [#140][kdf-140]<p>Version 10.0.15063|
+|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 93][kas-93] DRBG [validation number 1222][drbg-1222] MAC [validation number 2661][hmac-2661]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#102][kdf-102]<p>Version 10.0.14393|
+|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 92][kas-92] AES [validation number 4064][aes-4064] DRBG [validation number 1217][drbg-1217] MAC [validation number 2651][hmac-2651]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#101][kdf-101]<p>Version 10.0.14393|
+|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 72][kas-72] AES [validation number 3629][aes-3629] DRBG [validation number 955][drbg-955] MAC [validation number 2381][hmac-2381]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" Cryptography Next Generation (CNG) Implementations [#72][kdf-72]<p>Version 10.0.10586|
+|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 64][kas-64] AES [validation number 3497][aes-3497] RBG [validation number 868][drbg-868] MAC [validation number 2233][hmac-2233]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#66][kdf-66]<p>Version 10.0.10240|
+|**CTR_Mode:**  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>DRBG [validation number 489][drbg-489] MAC [validation number 1773][hmac-1773]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations [#30][kdf-30]<p>Version 6.3.9600|
+|**CTR_Mode**: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>DRBG [#258][drbg-258] HMAC [validation number 1345][hmac-1345]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#3][kdf-3]|
+
+</details>
+
+<details>
+<summary><b>Random Number Generator (RNG)</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|**FIPS 186-2 General Purpose**<br>**[(x-Original); (SHA-1)]**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #[1110][rng-1110]|
+|**FIPS 186-2<br>[(x-Original); (SHA-1)]**|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1060][rng-1060]<p>Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#292][rng-292]<p>Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) [#286][rng-286]<p>Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#66][rng-66]|
+|**FIPS 186-2<br>[(x-Change Notice); (SHA-1)]**; **FIPS 186-2 General Purpose<br>[(x-Change Notice); (SHA-1)]**|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library [#649][rng-649]<p>Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation [#435][rng-435]<p>Windows Vista RNG implementation [#321][rng-321]|
+|**FIPS 186-2 General Purpose<br>[(x-Change Notice); (SHA-1)]**|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#470][rng-470]<p>Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#449][rng-449]<p>Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#447][rng-447]<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#316][rng-316]<p>Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#313][rng-313]|
+|**FIPS 186-2<br>[(x-Change Notice); (SHA-1)]**|Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#448][rng-448]<p>Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#314][rng-314]|
+
+</details>
+
+<details>
+<summary><b>RSA</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|RSA:<p>186-4:<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: SHA-1, <li>SHA-256, <li>SHA-384<p>Mod 2048 SHA: SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Verification PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1734][drbg-1734]|Microsoft Surface Hub Virtual TPM Implementations [#2677][rsa-2677]<p>Version 10.0.15063.674|
+|RSA:<p>186-4:<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 240 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Verification PSS:<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1733][drbg-1733]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (<p>Version 1709); Virtual TPM Implementations [#2676][rsa-2676]<p>Version 10.0.16299|
+|RSA:<p>186-4:<p>Key Generation:<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256<li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1732][drbg-1732]|Microsoft Surface Hub RSA32 Algorithm Implementations [#2675][rsa-2675]<p>Version 10.0.15063.674|
+|RSA:<p>186-4:<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384,<li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations [#2674][rsa-2674]<p>Version 10.0.16299|
+|RSA:<p>186-4:<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Prerequisite: SHS [#4010][shs-4010], DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations [#2673][rsa-2673]<p>Version 10.0.15254|
+|RSA:<p>186-4:<p>Key Generation:<li>Public Key Exponent: Fixed (10001)<li>Provable Primes with Conditions:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.3<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1732][drbg-1732]|Microsoft Surface Hub MsBignum Cryptographic Implementations [#2672][rsa-2672]<p>Version 10.0.15063.674|
+|RSA:<p>186-4:<p>Key Generation:<p>Probable Random Primes:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C 2<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4011][shs-4011], DRBG [#1732][drbg-1732]|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#2671][rsa-2671]<p>Version 10.0.15063.674|
+|RSA:<p>186-4:<p>Key Generation:<p>Probable Random Primes:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.2<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4010][shs-4010], DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#2670][rsa-2670]<p>Version 10.0.15254|
+|RSA:<p>186-4:<p>Key Generation:<p>Public Key Exponent: Fixed (10001)<p>Provable Primes with Conditions:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.3<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4010][shs-4010], DRBG [#1731][drbg-1731]|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#2669][rsa-2669]<p>Version 10.0.15254|
+|<p>186-4:<p>Key Generation:<p>Public Key Exponent: Fixed (10001)<p>Provable Primes with Conditions:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.3<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1,<li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#2668][rsa-2668]<p><p>Version 10.0.16299|
+|<p>186-4:<p>Key Generation<p>Probable Random Primes:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.2<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-51<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4009][shs-4009], DRBG [#1730][drbg-1730]|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#2667][rsa-2667]<p>Version 10.0.16299|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))<p>SHA [validation number 3790][shs-3790]|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#2524][rsa-2524]<p>Version 10.0.15063|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3790][shs-3790]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations [#2523][rsa-2523]<p>Version 10.0.15063|
+|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);<p>**PGM(ProbPrimeCondition):** 2048, 3072 **PPTT:**(C.3)**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))**SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64<p>SHA [validation number 3790][shs-3790]<p>DRBG: [validation number  1555][drbg-1555]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#2522][rsa-2522]<p>Version 10.0.15063|
+|<p>**FIPS186-4:<p>186-4KEY(gen):**PGM(ProbRandom:** (2048, 3072) **PPTT:**(C.2)**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number 3790][shs-3790]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#2521][rsa-2521]<p>Version 10.0.15063|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3652][shs-3652]**<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number 3652][shs-3652], <li>SHA-384[validation number 3652][shs-3652], <li>SHA-512[validation number 3652][shs-3652], SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3652][shs-3652], <li>SHA-256[validation number 3652][shs-3652], <li>SHA-384[validation number 3652][shs-3652], <li>SHA-512[validation number 3652][shs-3652]<p>**FIPS186-4:<br>ALG[ANSIX9.31]** Sig(Gen): (2048 SHA(1)) (3072 SHA(1))**SIG(gen) with SHA-1 affirmed for use with protocols only.**SIG(ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3652][shs-3652]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2415][rsa-2415]<p>Version 7.00.2872|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3651][shs-3651]**<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number 3651][shs-3651], <li>SHA-384[validation number 3651][shs-3651], <li>SHA-512[validation number 3651][shs-3651]SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3651][shs-3651], <li>SHA-256[validation number 3651][shs-3651], <li>SHA-384[validation number 3651][shs-3651], <li>SHA-512[validation number 3651][shs-3651]<p>**FIPS186-4:<br>ALG[ANSIX9.31]** Sig(Gen): (2048 SHA(1)) (3072 SHA(1))**SIG(gen) with SHA-1 affirmed for use with protocols only.** SIG(ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3651][shs-3651]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2414][rsa-2414]<p>Version 8.00.6246|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number  3649][shs-3649], <li>SHA-384[validation number  3649][shs-3649], <li>SHA-512[validation number  3649][shs-3649]SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number  3649][shs-3649], <li>SHA-256[validation number  3649][shs-3649], <li>SHA-384[validation number  3649][shs-3649], <li>SHA-512[validation number  3649][shs-3649]<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);<p>**PGM(ProbRandom:** (2048, 3072) **PPTT:**(C.2)<br>**ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number  3649][shs-3649]<p>DRBG: [validation number  1430][drbg-1430]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2412][rsa-2412]<p>Version 7.00.2872|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number 3648][shs-3648], <li>SHA-384[validation number 3648][shs-3648], <li>SHA-512[validation number 3648][shs-3648], SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3648][shs-3648], <li>SHA-256[validation number 3648][shs-3648], <li>SHA-384[validation number 3648][shs-3648], <li>SHA-512[validation number 3648][shs-3648]<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);<p>**PGM(ProbRandom:** (2048, 3072) **PPTT:**(C.2)**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3648][shs-3648]<p>DRBG: [validation number  1429][drbg-1429]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2411][rsa-2411]<p>Version 8.00.6246|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))<p>SHA [validation number  3347][shs-3347]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#2206][rsa-2206]<p>Version 10.0.14393|
+|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001<p>**PGM(ProbPrimeCondition):** 2048, 3072 PPTT:(C.3)<p>SHA [validation number  3347][shs-3347] DRBG: [validation number  1217][drbg-1217]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation [#2195][rsa-2195]<p>Version 10.0.14393|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3346][shs-3346]|soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#2194][rsa-2194]<p>Version 10.0.14393|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))<p>**SIG(Ver)** (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number  3347][shs-3347] DRBG: [validation number  1217][drbg-1217]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#2193][rsa-2193]<p>Version 10.0.14393|
+|<p>**FIPS186-4:<br>[RSASSA-PSS]: Sig(Gen):** (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))<p>**Sig(Ver):** (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number  3347][shs-3347] DRBG: [validation number  1217][drbg-1217]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#2192][rsa-2192]<p>Version 10.0.14393|
+|<p>**FIPS186-4:<p>186-4KEY(gen)**:  FIPS186-4_Fixed_e (10001);<p>**PGM(ProbPrimeCondition**): 2048, 3072 PPTT:(C.3)<p>SHA [validation number  3047][shs-3047] DRBG: [validation number  955][drbg-955]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" RSA Key Generation Implementation [#1889][rsa-1889]<p>Version 10.0.10586|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3048][shs-3048]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations [#1871][rsa-1871]<p>Version 10.0.10586|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))<p>**SIG(Ver)** (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number  3047][shs-3047]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations [#1888][rsa-1888]<p>Version 10.0.10586|
+|<p>**FIPS186-4:<br>[RSASSA-PSS]: Sig(Gen)**: (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>**Sig(Ver):** (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number  3047][shs-3047]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations [#1887][rsa-1887]<p>Version 10.0.10586|
+|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)<p>SHA [validation number  2886][shs-2886] DRBG: [validation number  868][drbg-868]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation [#1798][rsa-1798]<p>Version 10.0.10240|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2871][shs-2871]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#1784][rsa-1784]<p>Version 10.0.10240|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2871][shs-2871]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#1783][rsa-1783]<p>Version 10.0.10240|
+|<p>**FIPS186-4:<br>[RSASSA-PSS]:** Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))), Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number  2886][shs-2886]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#1802][rsa-1802]<p>Version 10.0.10240|
+|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e;<p>**PGM(ProbPrimeCondition):** 2048, 3072 PPTT:(C.3)<p>SHA [validation number 2373][shs-2373] DRBG: [validation number  489][drbg-489]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation [#1487][rsa-1487]<p>Version 6.3.9600|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2373][shs-2373]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#1494][rsa-1494]<p>Version 6.3.9600|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512)), SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2373][shs-2373]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#1493][rsa-1493]<p>Version 6.3.9600|
+|<p>**FIPS186-4:<br>[RSASSA-PSS]:** Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))), Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number 2373][shs-2373]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations [#1519][rsa-1519]<p>Version 6.3.9600|
+|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256)), SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512)), Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512)), SHA [#1903][shs-1903].|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#1134][rsa-1134]|
+|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value<p>**PGM(ProbPrimeCondition):** 2048, 3072 **PPTT:**(C.3)<p>SHA [#1903][shs-1903] DRBG: [#258][drbg-258]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation [#1133][rsa-1133]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: [#258][drbg-258]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[#1902][shs-1902], <li>SHA-384[#1902][shs-1902], <li>SHA-512[#1902][shs-1902],, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[#1902][shs-1902], <li>SHA-256[#1902][shs-1902], SHA-[#1902][shs-1902], <li>SHA-512[#1902][shs-1902],.|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) [#1132][rsa-1132]|
+|<p>**FIPS186-2:ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1774][shs-1774]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1774][shs-1774], <li>SHA-384[validation number 1774][shs-1774], <li>SHA-512[validation number 1774][shs-1774],SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1774][shs-1774], <li>SHA-256[validation number 1774][shs-1774], <li>SHA-384[validation number 1774][shs-1774], <li>SHA-512[validation number 1774][shs-1774],.|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1052][rsa-1052]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: [validation number  193][drbg-193]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1773][shs-1773], <li>SHA-384[validation number 1773][shs-1773], <li>SHA-512[validation number 1773][shs-1773],SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1773][shs-1773], <li>SHA-256[validation number 1773][shs-1773], <li>SHA-384[validation number 1773][shs-1773], <li>SHA-512[validation number 1773][shs-1773],.|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1051][rsa-1051]|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081],SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081][shs-1081], <li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081],.|Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) [#568][rsa-568]|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081], SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081][shs-1081], <li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081],<br>**ALG[RSASSA-PSS]:** SIG(gen); 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081], SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081][shs-1081], <li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081].|Windows Server 2008 R2 and SP1 CNG algorithms [#567][rsa-567]<p>Windows 7 and SP1 CNG algorithms [#560][rsa-560]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: [validation number  23][drbg-23].|Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation [#559][rsa-559]|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS:<li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081], SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081][shs-1081], <li>SHA-256[validation number 1081][shs-1081], <li>SHA-384[validation number 1081][shs-1081], <li>SHA-512[validation number 1081][shs-1081],.|Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) [#557][rsa-557]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 816][shs-816], <li>SHA-384[validation number 816][shs-816], <li>SHA-512[validation number 816][shs-816],SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 816][shs-816], <li>SHA-256[validation number 816][shs-816], <li>SHA-384[validation number 816][shs-816], <li>SHA-512[validation number 816][shs-816],.|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#395][rsa-395]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 783][shs-783]**<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 783][shs-783], <li>SHA-384[validation number 783][shs-783], <li>SHA-512[validation number 783][shs-783],.|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#371][rsa-371]|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 753][shs-753], <li>SHA-384[validation number 753][shs-753], <li>SHA-512[validation number 753][shs-753], SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753][shs-753], <li>SHA-256[validation number 753][shs-753], <li>SHA-384[validation number 753][shs-753], <li>SHA-512[validation number 753][shs-753],<br>**ALG[RSASSA-PSS]:** SIG(gen); 2048, 3072, 4096, SHS: <li>SHA-256[validation number 753][shs-753], <li>SHA-384[validation number 753][shs-753], <li>SHA-512[validation number 753][shs-753], SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753][shs-753], <li>SHA-256[validation number 753][shs-753], <li>SHA-384[validation number 753][shs-753], <li>SHA-512[validation number 753][shs-753].|Windows Server 2008 CNG algorithms [#358][rsa-358]<p>Windows Vista SP1 CNG algorithms [#357][rsa-357]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753][shs-753]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 753][shs-753], <li>SHA-384[validation number 753][shs-753], <li>SHA-512[validation number 753][shs-753], SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753][shs-753], <li>SHA-256[validation number 753][shs-753], <li>SHA-384[validation number 753][shs-753], <li>SHA-512[validation number 753][shs-753].|Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) [#355][rsa-355]<p>Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) [#354][rsa-354]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537.|Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation [#353][rsa-353]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: [validation number  321][rng-321].|Windows Vista RSA key generation implementation [#258][rsa-258]|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 618][shs-618], <li>SHA-384[validation number 618][shs-618], <li>SHA-512[validation number 618][shs-618],SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 618][shs-618], <li>SHA-256[validation number 618][shs-618], <li>SHA-384[validation number 618][shs-618], <li>SHA-512[validation number 618][shs-618],<br>**ALG[RSASSA-PSS]:** SIG(gen); 2048, 3072, 4096, SHS: <li>SHA-256[validation number 618][shs-618], <li>SHA-384[validation number 618][shs-618], <li>SHA-512[validation number 618][shs-618], SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 618][shs-618], <li>SHA-256[validation number 618][shs-618], <li>SHA-384[validation number 618][shs-618], <li>SHA-512[validation number 618][shs-618].|Windows Vista CNG algorithms [#257][rsa-257]|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 618][shs-618], <li>SHA-384[validation number 618][shs-618], <li>SHA-512[validation number 618][shs-618],, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 618][shs-618], <li>SHA-256[validation number 618][shs-618], <li>SHA-384[validation number 618][shs-618], <li>SHA-512[validation number 618][shs-618],.|Windows Vista Enhanced Cryptographic Provider (RSAENH) [#255][rsa-255]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 613][shs-613]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 613][shs-613], <li>SHA-384[validation number 613][shs-613], <li>SHA-512[validation number 613][shs-613], SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 613][shs-613], <li>SHA-256[validation number 613][shs-613], <li>SHA-384[validation number 613][shs-613], <li>SHA-512[validation number 613][shs-613],.|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#245][rsa-245]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 589][shs-589]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 589][shs-589], <li>SHA-384[validation number 589][shs-589], <li>SHA-512[validation number 589][shs-589],, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 589][shs-589], <li>SHA-256[validation number 589][shs-589], <li>SHA-384[validation number 589][shs-589], <li>SHA-512[validation number 589][shs-589],.|Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#230][rsa-230]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 578][shs-578]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 578][shs-578], <li>SHA-384[validation number 578][shs-578], <li>SHA-512[validation number 578][shs-578],, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 578][shs-578], <li>SHA-256[validation number 578][shs-578], <li>SHA-384[validation number 578][shs-578], <li>SHA-512[validation number 578][shs-578],.|Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) [#222][rsa-222]|
+|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:**<p>SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 364][shs-364].|Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#81][rsa-81]|
+|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 305][shs-305]<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 305][shs-305], <li>SHA-384[validation number 305][shs-305], <li>SHA-512[validation number 305][shs-305],, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 305][shs-305], <li>SHA-256[validation number 305][shs-305], <li>SHA-384[validation number 305][shs-305], <li>SHA-512[validation number 305][shs-305],.|Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#52][rsa-52]|
+|<p>**FIPS186-2:**: <li>PKCS#1 v1.5, Signature generation, and verification<li>Mod sizes: 1024, 1536, 2048, 3072, 4096<li>SHS: SHA-1/256/384/512|Windows XP, vendor-affirmed<p>Windows 2000, vendor-affirmed|
+
+</details>
+
+<details>
+<summary><b>Secure Hash Standard (SHS)</b></summary>
+
+|Modes / States / Key Sizes|Algorithm Implementation and Certificate #|
+|--- |--- |
+|<p>SHA-1:<br>Supports Empty Message<p>SHA-256:<br>Supports Empty Message<p>SHA-384:<br>Supports Empty Message<p>SHA-512:<br>Supports Empty Message|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#4011][shs-4011]<p>Version 10.0.15063.674|
+|<p>SHA-1:<br>Supports Empty Message<p>SHA-256:<br>Supports Empty Message<p>SHA-384:<br>Supports Empty Message<p>SHA-512:<br>Supports Empty Message|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#4010][shs-4010]<p>Version 10.0.15254|
+|<p>SHA-1:<br>Supports Empty Message<p>SHA-256:<br>Supports Empty Message<p>SHA-384:<br>Supports Empty Message<p>SHA-512:<br>Supports Empty Message|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#4009][shs-4009]<p>Version 10.0.16299|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#3790][shs-3790]<p>Version 10.0.15063|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#3652][shs-3652]<p>Version 7.00.2872|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#3651][shs-3651]<p>Version 8.00.6246|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#3649][shs-3649]<p>Version 7.00.2872|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#3648][shs-3648]<p>Version 8.00.6246|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#3347][shs-3347]<p>Version 10.0.14393|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#3346][shs-3346]<p>Version 10.0.14393|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations [#3048][shs-3048]<p>Version 10.0.10586|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations [#3047][shs-3047]<p>Version 10.0.10586|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2886][shs-2886]<p>Version 10.0.10240|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#2871][shs-2871]<p>Version 10.0.10240|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2396][shs-2396]<p>Version 6.3.9600|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#2373][shs-2373]<p>Version 6.3.9600|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)<p>Implementation does not support zero-length (null) messages.|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#1903][shs-1903]<p>Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#1902][shs-1902]|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1774][shs-1774]<p>Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#1773][shs-1773]|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#1081][shs-1081]<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#816][shs-816]|
+|<li>**SHA-1** (BYTE-only)|Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#785][shs-785]<p>Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#784][shs-784]|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#783][shs-783]|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation [#753][shs-753]<p>Windows Vista Symmetric Algorithm Implementation [#618][shs-618]|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)|Windows Vista BitLocker Drive Encryption [#737][shs-737]<p>Windows Vista Beta 2 BitLocker Drive Encryption [#495][shs-495]|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#613][shs-613]<p>Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#364][shs-364]|
+|<li>**SHA-1** (BYTE-only)|Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#611][shs-611]<p>Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#610][shs-610]<p>Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#385][shs-385]<p>Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) [#371][shs-371]<p>Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#181][shs-181]<p>Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) [#177][shs-177]<p>Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) [#176][shs-176]|
+|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#589][shs-589]<p>Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) [#578][shs-578]<p>Windows CE 5.00 and Windows CE 5.01 Enhanced<p>Cryptographic Provider (RSAENH) [#305][shs-305]|
+|<li>**SHA-1** (BYTE-only)|Windows XP Microsoft Enhanced Cryptographic Provider [#83][shs-83]<p>Crypto Driver for Windows 2000 (fips.sys) [#35][shs-35]<p>Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) [#32][shs-32]<p>Windows 2000 RSAENH.DLL [#24][shs-24]<p>Windows 2000 RSABASE.DLL [#23][shs-23]<p>Windows NT 4 SP6 RSAENH.DLL [#21][shs-21]<p>Windows NT 4 SP6 RSABASE.DLL [#20][shs-20]|
+
+</details>
+
+<details>
+<summary><b>SP 800-132 Password-Based Key Derivation Function (PBKDF)</b></summary>
+
+| Modes / States / Key Sizes | Algorithm Implementation and Certificate # |
+| --- | --- |
+| PBKDF (vendor affirmed) |  Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2937][certificate-2937]<br/>(Software Version: 10.0.14393)<br/><br/>Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2936][certificate-2936]<br/>(Software Version: 10.0.14393)<br/><br/>Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2935][certificate-2935]<br/>(Software Version: 10.0.14393) |
+| PBKDF (vendor affirmed) | Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2936][certificate-2936]<br/>(Software Version: 10.0.14393)<br/><br/>Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed |
+
+</details>
+
+<details>
+<summary><b>Triple DES</b></summary>
+
+|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
+|--- |--- |
+|<p>TDES-CBC:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB64:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB8:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-ECB:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#2558][tdes-2558]<p>Version 10.0.15063.674|
+|<p>TDES-CBC:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB64:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB8:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-ECB:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#2557][tdes-2557]<p>Version 10.0.15254|
+|<p>TDES-CBC:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB64:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB8:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-ECB:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#2556][tdes-2556]<p>Version 10.0.16299|
+|**TECB**(KO 1 e/d); **TCBC**(KO 1 e/d); **TCFB8**(KO 1 e/d); **TCFB64**(KO 1 e/d)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#2459][tdes-2459]<p>Version 10.0.15063|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2384][tdes-2384]<p>Version 8.00.6246|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2383][tdes-2383]<p>Version 8.00.6246|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**CTR** (int only)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2382][tdes-2382]<p>Version 7.00.2872|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2381][tdes-2381]<p>Version 8.00.6246|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#2227][tdes-2227]<p>Version 10.0.14393|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations [#2024][tdes-2024]<p>Version 10.0.10586|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#1969][tdes-1969]<p>Version 10.0.10240|
+|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1692][tdes-1692]<p>Version 6.3.9600|
+|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2);**TCFB64**(e/d; KO 1, 2)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#1387][tdes-1387]|
+|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#1386][tdes-1386]|
+|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#846][tdes-846]|
+|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation [#656][tdes-656]|
+|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows Vista Symmetric Algorithm Implementation [#549][tdes-549]|
+|**Triple DES MAC**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 [#1386][tdes-1386], vendor-affirmedWindows 7 and SP1 and Windows Server 2008 R2 and SP1 [#846][tdes-846], vendor-affirmed|
+|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2)|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1308][tdes-1308]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#1307][tdes-1307]<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#691][tdes-691]<p>Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#677][tdes-677]<p>Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#676][tdes-676]<p>Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#675][tdes-675]<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#544][tdes-544]<p>Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#543][tdes-543]<p>Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#542][tdes-542]Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#526][tdes-526]<p>Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) [#517][tdes-517]<p>Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#381][tdes-381]<p>Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) [#370][tdes-370]<p>Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#365][tdes-365]Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#315][tdes-315]<p>Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) [#201][tdes-201]<p>Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#199][tdes-199]<p>Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) [#192][tdes-192]Windows XP Microsoft Enhanced Cryptographic Provider [#81][tdes-81]<p>Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) [#18][tdes-18]Crypto Driver for Windows 2000 (fips.sys) [#16][tdes-16]|
+
+</details>
+
+## Contact
+
+fips@microsoft.com
+
+## References
+
+* [FIPS 140-2, Security Requirements for Cryptographic Modules](https://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf))
+* [Cryptographic Module Validation Program (CMVP) FAQ](https://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)
+* [SP 800-57 - Recommendation for Key Management - Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
+* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)
+
+---
+
 ## Frequently asked questions
 
 ### How long does it take to certify a cryptographic module?
@@ -89,874 +1113,670 @@ Suite B is a set of cryptographic algorithms defined by the U.S. National Securi
 
 SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 mode on both client and server.  In FIPS mode, SMB3 relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.
 
-## Microsoft FIPS 140-2 validated cryptographic modules
-
-The following tables identify the cryptographic modules used in an operating system, organized by release.
-
-## Modules used by Windows
-
-##### Windows 10 Fall 2018 Update (Version 1809)
-
-Validated Editions: Home, Pro, Enterprise, Education
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf)|[#3197](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197)|See Security Policy and Certificate page for algorithm information|
-|Kernel Mode Cryptographic Primitives Library|[10.0.17763](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf)|[#3196](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196)|See Security Policy and Certificate page for algorithm information|
-|Code Integrity|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf)|[#3644](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3644)|See Security Policy and Certificate page for algorithm information|
-|Windows OS Loader|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf)|[#3615](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3615)|See Security Policy and Certificate page for algorithm information|
-|Secure Kernel Code Integrity|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf)|[#3651](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3651)|See Security Policy and Certificate page for algorithm information|
-|BitLocker Dump Filter|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf)|[#3092](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092)|See Security Policy and Certificate page for algorithm information|
-|Boot Manager|[10.0.17763](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf)|[#3089](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089)|See Security Policy and Certificate page for algorithm information|
-|Virtual TPM|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf)|[#3690](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3690)|See Security Policy and Certificate page for algorithm information|
-
-##### Windows 10 Spring 2018 Update (Version 1803)
-
-Validated Editions: Home, Pro, Enterprise, Education
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library|[10.0.17134](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf)|[#3197](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197)|See Security Policy and Certificate page for algorithm information|
-|Kernel Mode Cryptographic Primitives Library|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf)|[#3196](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196)|See Security Policy and Certificate page for algorithm information|
-|Code Integrity|[10.0.17134](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3195.pdf)|[#3195](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3195)|See Security Policy and Certificate page for algorithm information|
-|Windows OS Loader|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3480.pdf)|[#3480](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3480)|See Security Policy and Certificate page for algorithm information|
-|Secure Kernel Code Integrity|[10.0.17134](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf)|[#3096](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096)|See Security Policy and Certificate page for algorithm information|
-|BitLocker Dump Filter|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf)|[#3092](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092)|See Security Policy and Certificate page for algorithm information|
-|Boot Manager|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf)|[#3089](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089)|See Security Policy and Certificate page for algorithm information|
-
-##### Windows 10 Fall Creators Update (Version 1709)
-
-Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf)|[#3197](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197)|See Security Policy and Certificate page for algorithm information|
-|Kernel Mode Cryptographic Primitives Library|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf)|[#3196](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196)|See Security Policy and Certificate page for algorithm information|
-|Code Integrity|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3195.pdf)|[#3195](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3195)|See Security Policy and Certificate page for algorithm information|
-|Windows OS Loader|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3194.pdf)|[#3194](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3194)|See Security Policy and Certificate page for algorithm information|
-|Secure Kernel Code Integrity|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf)|[#3096](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096)|See Security Policy and Certificate page for algorithm information|
-|BitLocker Dump Filter|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf)|[#3092](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092)|See Security Policy and Certificate page for algorithm information|
-|Windows Resume|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3091.pdf)|[#3091](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3091)|See Security Policy and Certificate page for algorithm information|
-|Boot Manager|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf)|[#3089](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089)|See Security Policy and Certificate page for algorithm information|
-
-##### Windows 10 Creators Update (Version 1703)
-
-Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3095.pdf)|[#3095](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3095)|FIPS approved algorithms: AES (Cert. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624)); CKG (vendor affirmed); CVL (Certs<p>[#1278](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1278) and [#1281](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1281)); DRBG (Cert. [#1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)); DSA (Cert. [#1223](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1223)); ECDSA (Cert. [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1133)); HMAC (Cert. [#3061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3061)); KAS (Cert. [#127](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#127)); KBKDF (Cert. [#140](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#140)); KTS (AES Cert. [#4626](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4626); key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2521](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2521) and [#2522](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2522)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)); Triple-DES (Cert. [#2459](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2459)<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1133)); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#2521](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#2521)); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#1281](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1281)); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#1278](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1278))|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3094.pdf)|[#3094](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094)|[#3094](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094)<p>FIPS approved algorithms: AES (Certs. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624) and [#4626](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4626)); CKG (vendor affirmed); CVL (Certs. [#1278](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1278) and [#1281](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1281)); DRBG (Cert. [#1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)); DSA (Cert. [#1223](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1223)); ECDSA (Cert. [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1133)); HMAC (Cert. [#3061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3061)); KAS (Cert. [#127](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#127)); KBKDF (Cert. [#140](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#140)); KTS (AES Cert. [#4626](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4626); key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2521](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2521) and [#2523](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2523)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)); Triple-DES (Cert. [#2459](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2459)<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>[Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094<p>[#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1133)[); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094)[#2521](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#2521)[); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094<p>[#1281](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1281)[)](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094)|
-|Boot Manager|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf)|[#3089](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089)|FIPS approved algorithms: AES (Certs. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624) and [#4625](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4625)); CKG (vendor affirmed); HMAC (Cert. [#3061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3061)); PBKDF (vendor affirmed); RSA (Cert. [#2523](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2523)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)|
-|Windows OS Loader|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3090.pdf)|[#3090](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3090)|FIPS approved algorithms: AES (Certs. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624) and [#4625](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4625)); RSA (Cert. [#2523](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2523)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>[Other algorithms: NDRNG](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3090)|
-|Windows Resume <sup>[1]</sup>|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3091.pdf)|[#3091](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3091)|FIPS approved algorithms: AES (Certs. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624) and [#4625](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4625)); RSA (Cert. [#2523](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2523)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790))|
-|BitLocker® Dump Filter <sup>[2]</sup>|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf)|[#3092](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092)|FIPS approved algorithms: AES (Certs. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624) and [#4625](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4625)); RSA (Cert. [#2522](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2522)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790))|
-|Code Integrity (ci.dll)|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3093.pdf)|[#3093](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3093)|FIPS approved algorithms: AES (Cert. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624)); RSA (Certs. [#2522](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2522) and [#2523](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2523)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1282))|
-|Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.15063](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf)|[#3096](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096)|FIPS approved algorithms: AES (Cert. [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624)); RSA (Certs. [#2522](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2522) and [#2523](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2523)); SHS (Cert. [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1282))|
-
-
-<sup>\[1\]</sup> Applies only to Home, Pro, Enterprise, Education, and S.
-
-<sup>\[2\]</sup> Applies only to Pro, Enterprise, Education, S, Mobile, and Surface Hub
-
-<sup>\[3\]</sup> Applies only to Pro, Enterprise, Education, and S
-
-##### Windows 10 Anniversary Update (Version 1607)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2937.pdf)|[#2937](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2937)|FIPS approved algorithms: AES (Cert. [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); DRBG (Cert. [#1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)); DSA (Cert. [#1098](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1098)); ECDSA (Cert. [#911](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#911)); HMAC (Cert. [#2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)); KAS (Cert. [#92](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#92)); KBKDF (Cert. [#101](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#101)); KTS (AES Cert. [#4062](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4062); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2192), [#2193, and #2195](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)); Triple-DES (Cert. [#2227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2227))<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#922)); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#888)); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#887)); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#886))|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2936.pdf)|[#2936](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2936)|FIPS approved algorithms: AES (Cert. [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); DRBG (Cert. [#1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)); DSA (Cert. [#1098](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1098)); ECDSA (Cert. [#911](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#911)); HMAC (Cert. [#2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)); KAS (Cert. [#92](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#92)); KBKDF (Cert. [#101](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#101)); KTS (AES Cert. [#4062](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4062); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2192), [#2193, and #2195](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)); Triple-DES (Cert. [#2227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2227))<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#922)); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#888)); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#887))|
-|Boot Manager|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2931.pdf)|[#2931](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2931)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); HMAC (Cert. [#2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)); PBKDF (vendor affirmed); RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
-|BitLocker® Windows OS Loader (winload)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2932.pdf)|[#2932](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2932)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: NDRNG; MD5|
-|BitLocker® Windows Resume (winresume)<sup>[1]</sup>|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2933.pdf)|[#2933](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2933)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[2]</sup>|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2934.pdf)|[#2934](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2934)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064))|
-|Code Integrity (ci.dll)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2935.pdf)|[#2935](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2935)|FIPS approved algorithms: RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#888))|
-|Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2938.pdf)|[#2938](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2938)|FIPS approved algorithms: RSA (Certs. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Certs. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#888))|
-
-<sup>\[1\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-
-<sup>\[2\]</sup> Applies only to Pro, Enterprise, Enterprise LTSB, and Mobile
-
-<sup>\[3\]</sup> Applies only to Pro, Enterprise, and Enterprise LTSB
-
-##### Windows 10 November 2015 Update (Version 1511)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2605.pdf)|[#2606](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2606)|FIPS approved algorithms: AES (Certs. [#3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629)); DRBG (Certs. [#955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)); DSA (Certs. [#1024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1024)); ECDSA (Certs. [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#760)); HMAC (Certs. [#2381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2381)); KAS (Certs. [#72](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#72); key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#72)); KTS (AES Certs. [#3653](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3653); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1887), [#1888, and #1889](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1888)); SHS (Certs. [#3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)); Triple-DES (Certs. [#2024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2024))<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#666)); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#665)); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#663)); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#664](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#664))|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2605.pdf)|[#2605](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2605)|FIPS approved algorithms: AES (Certs. [#3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629)); DRBG (Certs. [#955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)); DSA (Certs.  [#1024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1024)); ECDSA (Certs. [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#760)); HMAC (Certs. [#2381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2381)); KAS (Certs. [#72](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#72); key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#72)); KTS (AES Certs. [#3653](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3653); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1887), [#1888, and #1889](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1888)); SHS (Certs. [#3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)); Triple-DES (Certs. [#2024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2024))<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#666)); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#665)); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#663))|
-|Boot Manager <sup>[4]</sup>|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2700.pdf)|[#2700](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2700)|FIPS approved algorithms: AES (Certs. [#3653](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3653)); HMAC (Cert. [#2381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2381)); PBKDF (vendor affirmed); RSA (Cert. [#1871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1871)); SHS (Certs. [#3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047) and [#3048](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3048))<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)<sup>[5]</sup>|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2701.pdf)|[#2701](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2701)|FIPS approved algorithms: AES (Certs. [#3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629) and [#3653](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3653)); RSA (Cert. [#1871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1871)); SHS (Cert. [#3048](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3048))<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[6]</sup>|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2702.pdf)|[#2702](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2702)|FIPS approved algorithms: AES (Certs. [#3653](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3653)); RSA (Cert. [#1871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1871)); SHS (Cert. [#3048](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3048))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[7]</sup>|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2703.pdf)|[#2703](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2703)|FIPS approved algorithms: AES (Certs. [#3653](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3653))|
-|Code Integrity (ci.dll)|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2604.pdf)|[#2604](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2604)|FIPS approved algorithms: RSA (Certs. [#1871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1871)); SHS (Certs. [#3048](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3048))<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#665))|
-|Secure Kernel Code Integrity (skci.dll)<sup>[8]</sup>|[10.0.10586](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2607.pdf)|[#2607](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2607)|FIPS approved algorithms: RSA (Certs. [#1871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1871)); SHS (Certs. [#3048](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3048))<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#665))|
-
-<sup>\[4\]</sup> Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
-
-<sup>\[5\]</sup> Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
-
-<sup>\[6\]</sup> Applies only to Home, Pro, and Enterprise
-
-<sup>\[7\]</sup> Applies only to Pro, Enterprise, Mobile, and Surface Hub
-
-<sup>\[8\]</sup> Applies only to Enterprise and Enterprise LTSB
-
-##### Windows 10 (Version 1507)
-
-Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2605.pdf)|#[2606](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2606)|FIPS approved algorithms: AES (Certs. [#3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497)); DRBG (Certs. [#868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)); DSA (Certs. [#983](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#983)); ECDSA (Certs. [#706](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#706)); HMAC (Certs. [#2233](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2233)); KAS (Certs. [#64](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#64); key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#66)); KTS (AES Certs. [#3507](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3507); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1783), [#1798](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1798), and [#1802](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1802)); SHS (Certs. [#2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)); Triple-DES (Certs. [#1969](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1969))<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#572)); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#576)); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#575](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#575))|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2605.pdf)|[#2605](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2605)|FIPS approved algorithms: AES (Certs. [#3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497)); DRBG (Certs. [#868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)); DSA (Certs. [#983](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#983)); ECDSA (Certs. [#706](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#706)); HMAC (Certs. [#2233](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2233)); KAS (Certs. [#64](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#64); key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#66)); KTS (AES Certs. [#3507](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3507); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1783), [#1798](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1798), and [#1802](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1802)); SHS (Certs. [#2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)); Triple-DES (Certs. [#1969](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1969))<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#572)); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#576))|
-|Boot Manager<sup>[9]</sup>|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2600.pdf)|[#2600](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2600)|FIPS approved algorithms: AES (Cert. [#3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497)); HMAC (Cert. [#2233](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2233)); KTS (AES Cert. [#3498](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3498)); PBKDF (vendor affirmed); RSA (Cert. [#1784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1784)); SHS (Certs. [#2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871) and [#2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886))<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)<sup>[10]</sup>|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2601.pdf)|[#2601](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2601)|FIPS approved algorithms: AES (Certs. [#3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497) and [#3498](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3498)); RSA (Cert. [#1784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1784)); SHS (Cert. [#2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871))<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[11]</sup>|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2602.pdf)|[#2602](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2602)|FIPS approved algorithms: AES (Certs. [#3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497) and [#3498](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3498)); RSA (Cert. [#1784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1784)); SHS (Cert. [#2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[12]</sup>|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2603.pdf)|[#2603](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2603)|FIPS approved algorithms: AES (Certs. [#3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497) and [#3498](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3498))|
-|Code Integrity (ci.dll)|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2604.pdf)|[#2604](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2604)|FIPS approved algorithms: RSA (Certs. [#1784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1784)); SHS (Certs. [#2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871))<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#572))|
-|Secure Kernel Code Integrity (skci.dll)<sup>[13]</sup>|[10.0.10240](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2607.pdf)|[#2607](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2607)|FIPS approved algorithms: RSA (Certs. [#1784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1784)); SHS (Certs. [#2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871))<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#572))|
-
-
-<sup>\[9\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-
-<sup>\[10\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-
-<sup>\[11\]</sup> Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-
-<sup>\[12\]</sup> Applies only to Pro, Enterprise, and Enterprise LTSB
-
-<sup>\[13\]</sup> Applies only to Enterprise and Enterprise LTSB
-
-##### Windows 8.1
-
-Validated Editions: RT, Pro, Enterprise, Phone, Embedded
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2357.pdf)|[#2357](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2357)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); DRBG (Certs. [#489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)); DSA (Cert. [#855](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#855)); ECDSA (Cert. [#505](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#505)); HMAC (Cert. [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)); KAS (Cert. [#47](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#47)); KBKDF (Cert. [#30](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#30)); PBKDF (vendor affirmed); RSA (Certs. [#1487](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1487), [#1493, and #1519](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1493)); SHS (Cert. [#2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)); Triple-DES (Cert. [#1692](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1692))<p>Other algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#288)); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#289)); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#323](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#323))|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2356.pdf)|[#2356](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2356)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); DRBG (Certs. [#489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)); ECDSA (Cert. [#505](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#505)); HMAC (Cert. [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)); KAS (Cert. [#47](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#47)); KBKDF (Cert. [#30](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#30)); PBKDF (vendor affirmed); RSA (Certs. [#1487](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1487), [#1493, and #1519](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1493)); SHS (Cert. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)); Triple-DES (Cert. [#1692](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1692))<p>Other algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#288)); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#289))|
-|Boot Manager|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2351.pdf)|[#2351](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2351)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); HMAC (Cert. [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)); PBKDF (vendor affirmed); RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Certs. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373) and [#2396](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2396))<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2352.pdf)|[#2352](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2352)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Cert. [#2396](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2396))<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[14]</sup>|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2353.pdf)|[#2353](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2353)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Certs. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373) and [#2396](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2396))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2354.pdf)|[#2354](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2354)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832))<p>Other algorithms: N/A|
-|Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2355.pdf)|[#2355](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2355)|FIPS approved algorithms: RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Cert. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373))<p>Other algorithms: MD5<p>Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#289))|
-
-<sup>\[14\]</sup> Applies only to Pro, Enterprise, and Embedded 8.
-
-##### Windows 8
-
-Validated Editions: RT, Home, Pro, Enterprise, Phone
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1892.pdf)|[#1892](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1892)|FIPS approved algorithms: AES (Certs. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197) and [#2216](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2216)); DRBG (Certs. [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)); DSA (Cert. [#687](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#687)); ECDSA (Cert. [#341](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#341)); HMAC (Cert. [#1345](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1345)); KAS (Cert. [#36](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#36)); KBKDF (Cert. [#3](http://csrc.nist.gov/groups/stm/cavp/documents/kbkdf800-108/kbkdfval.htm#3)); PBKDF (vendor affirmed); RSA (Certs. [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1133) and [#1134](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1134)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)); Triple-DES (Cert. [#1387](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1387))<p>Other algorithms: AES (Cert. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1891.pdf)|[#1891](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1891)|FIPS approved algorithms: AES (Certs. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197) and [#2216](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2216)); DRBG (Certs. [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258) and [#259](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#259)); ECDSA (Cert. [#341](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#341)); HMAC (Cert. [#1345](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1345)); KAS (Cert. [#36](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#36)); KBKDF (Cert. [#3](http://csrc.nist.gov/groups/stm/cavp/documents/kbkdf800-108/kbkdfval.htm#3)); PBKDF (vendor affirmed); RNG (Cert. [#1110](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#1110)); RSA (Certs. [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1133) and [#1134](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1134)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)); Triple-DES (Cert. [#1387](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1387))<p>Other algorithms: AES (Cert. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
-|Boot Manager|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1895.pdf)|[#1895](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1895)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198)); HMAC (Cert. #[1347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1347)); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1896.pdf)|[#1896](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1896)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198)); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: AES (Cert. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197); non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)<sup>[15]</sup>|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1898.pdf)|[#1898](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1898)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198)); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1899.pdf)|[#1899](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1899)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198))<p>Other algorithms: N/A|
-|Code Integrity (CI.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1897.pdf)|[#1897](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1897)|FIPS approved algorithms: RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: MD5|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1893.pdf)|[#1893](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1893)|FIPS approved algorithms: DSA (Cert. [#686](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#686)); SHS (Cert. [#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)); Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386)); Triple-DES MAC (Triple-DES Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386), vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386), key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1894.pdf)|[#1894](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1894)|FIPS approved algorithms: AES (Cert. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196)); HMAC (Cert. #1346); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)); Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386))<p>Other algorithms: AES (Cert. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386), key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-
-<sup>\[15\]</sup> Applies only to Home and Pro
-
-**Windows 7**
-
-Validated Editions: Windows 7, Windows 7 SP1
-
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1329.pdf)<p>[6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1329.pdf)|[1329](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1329)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1178](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1178)); AES GCM (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); AES GMAC (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); DRBG (Certs. [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23) and [#24](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#24)); DSA (Cert. [#386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#386)); ECDSA (Cert. [#141](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#141)); HMAC (Cert. [#677](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#677)); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#649)); RSA (Certs. [#559](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#559) and [#560](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#560)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846))<p>Other algorithms: AES (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)<p>[6.1.7600.16915](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)<p>[6.1.7600.21092](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)<p>[6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)<p>[6.1.7601.17725](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)<p>[6.1.7601.17919](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)<p>[6.1.7601.21861](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)<p>[6.1.7601.22076](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1328.pdf)|[1328](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1328)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1178](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1178)); AES GCM (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); AES GMAC (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); DRBG (Certs. [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23) and [#24](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#24)); ECDSA (Cert. [#141](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#141)); HMAC (Cert. [#677](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#677)); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#649)); RSA (Certs. [#559](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#559) and [#560](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#560)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846))<p>Other algorithms: AES (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
-|Boot Manager|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1319.pdf)<p>[6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1319.pdf)|[1319](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1319)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); HMAC (Cert. [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#675)); RSA (Cert. [#557](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#557)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)<p>Other algorithms: MD5|
-|Winload OS Loader (winload.exe)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)<p>[6.1.7600.16757](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)<p>[6.1.7600.20897](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)<p>[6.1.7600.20916](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)<p>[6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)<p>[6.1.7601.17556](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)<p>[6.1.7601.21655](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)<p>[6.1.7601.21675](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1326.pdf)|[1326](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1326)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); RSA (Cert. [#557](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#557)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: MD5|
-|BitLocker™ Drive Encryption|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7600.16429](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7600.16757](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7600.20536](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7600.20873](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7600.20897](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7600.20916](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7601.17556](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7601.21634](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7601.21655](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)<p>[6.1.7601.21675](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1332.pdf)|[1332](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1332)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); HMAC (Cert. [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#675)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: Elephant Diffuser|
-|Code Integrity (CI.DLL)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1327.pdf)<p>[6.1.7600.17122](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1327.pdf)v[6.1.7600.21320](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1327.pdf)<p>[6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1327.pdf)<p>[6.1.7601.17950](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1327.pdf)v[6.1.7601.22108](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1327.pdf)|[1327](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1327)|FIPS approved algorithms: RSA (Cert. [#557](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#557)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: MD5|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1331.pdf)<p>(no change in SP1)|[1331](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1331)|FIPS approved algorithms: DSA (Cert. [#385](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#385)); RNG (Cert. [#649](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#649)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846)); Triple-DES MAC (Triple-DES Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846), vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
-|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1330.pdf)<p>(no change in SP1)|[1330](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1330)|FIPS approved algorithms: AES (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168)); DRBG (Cert. [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23)); HMAC (Cert. [#673](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#673)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); RSA (Certs. [#557](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#557) and [#559](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#559)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846))<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-
-##### Windows Vista SP1
-
-Validated Editions: Ultimate Edition
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Boot Manager (bootmgr)|[6.0.6001.18000 and 6.0.6002.18005](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp978.pdf)|[978](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/978)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#760)); HMAC (Cert. [#415](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#415)); RSA (Cert. [#354](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#354)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753))|
-|Winload OS Loader (winload.exe)|[6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp979.pdf)|[979](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/979)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#760)); RSA (Cert. [#354](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#354)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753))<p>Other algorithms: MD5|
-|Code Integrity (ci.dll)|[6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp980.pdf)|[980](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/980)|FIPS approved algorithms: RSA (Cert. [#354](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#354)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753))<p>Other algorithms: MD5|
-|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1000.pdf)|[1000](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1000)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#756](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#756)); ECDSA (Cert. [#82](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#82)); HMAC (Cert. [#412](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#412)); RNG (Cert. [#435](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#435) and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. [#353](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#353) and [#357](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#357)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656))#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-|Cryptographic Primitives Library (bcrypt.dll)|[6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1002.pdf)|[1001](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1001)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#756](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#756)); DSA (Cert. [#283](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#283)); ECDSA (Cert. [#82](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#82)); HMAC (Cert. [#412](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#412)); RNG (Cert. [#435](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#435) and SP 800-90, vendor affirmed); RSA (Certs. [#353](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#353) and [#357](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#357)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656))<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)|
-|Enhanced Cryptographic Provider (RSAENH)|[6.0.6001.22202 and 6.0.6002.18005](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1002.pdf)|[1002](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1002)|FIPS approved algorithms: AES (Cert. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739)); HMAC (Cert. [#407](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#407)); RNG (SP 800-90, vendor affirmed); RSA (Certs. [#353](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#353) and [#354](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#354)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656))<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6001.18000 and 6.0.6002.18005](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1003.pdf)|[1003](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1003)|FIPS approved algorithms: DSA (Cert. [#281](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#281)); RNG (Cert. [#435](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#435)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656)); Triple-DES MAC (Triple-DES Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656), vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
-
-##### Windows Vista
-
-Validated Editions: Ultimate Edition
-
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Enhanced Cryptographic Provider (RSAENH) | [6.0.6000.16386](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp893.pdf) | [893](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/893) | FIPS approved algorithms: AES (Cert. [#553](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#553)); HMAC (Cert. [#297](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#297)); RNG (Cert. [#321](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#321)); RSA (Certs. [#255](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#255) and [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#258)); SHS (Cert. [#618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)); Triple-DES (Cert. [#549](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#549))<br/><br/>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6000.16386](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp894.pdf)|[894](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/894)|FIPS approved algorithms: DSA (Cert. [#226](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#226)); RNG (Cert. [#321](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#321)); SHS (Cert. [#618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)); Triple-DES (Cert. [#549](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#549)); Triple-DES MAC (Triple-DES Cert. [#549](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#549), vendor affirmed)<br/><br/>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.0.6000.16386](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp947.pdf)|[947](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/947)|FIPS approved algorithms: AES (Cert. [#715](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#715)); HMAC (Cert. [#386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#386)); SHS (Cert. [#737](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#737))<br/><br/>Other algorithms: Elephant Diffuser|
-|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp891.pdf)|[891](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/891)|FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)<br/><br/>Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5|
-
-##### Windows XP SP3
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.1.2600.5512](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp997.pdf)|[997](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/997)|FIPS approved algorithms: HMAC (Cert. [#429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#429)); RNG (Cert. [#449](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#449)); SHS (Cert. [#785](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#785)); Triple-DES (Cert. [#677](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#677)); Triple-DES MAC (Triple-DES Cert. [#677](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#677), vendor affirmed)<p>Other algorithms: DES; MD5; HMAC MD5|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.1.2600.5507](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp990.pdf)|[990](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/990)|FIPS approved algorithms: DSA (Cert. [#292](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#292)); RNG (Cert. [#448](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#448)); SHS (Cert. [#784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#784)); Triple-DES (Cert. [#676](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#676)); Triple-DES MAC (Triple-DES Cert. [#676](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#676), vendor affirmed)<p>Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4|
-|Enhanced Cryptographic Provider (RSAENH)|[5.1.2600.5507](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp989.pdf)|[989](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/989)|FIPS approved algorithms: AES (Cert. [#781](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#781)); HMAC (Cert. [#428](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#428)); RNG (Cert. [#447](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#447)); RSA (Cert. [#371](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#371)); SHS (Cert. [#783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)); Triple-DES (Cert. [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#675)); Triple-DES MAC (Triple-DES Cert. [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#675), vendor affirmed)<p>Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits)|
-
-##### Windows XP SP2
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|DSS/Diffie-Hellman Enhanced Cryptographic Provider|[5.1.2600.2133](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp240.pdf)|[240](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/240)|FIPS approved algorithms: Triple-DES (Cert. [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)); DSA/SHA-1 (Cert. [#29](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#29))<p>Other algorithms: DES (Cert. [#66](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#66)); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)|
-|Microsoft Enhanced Cryptographic Provider|[5.1.2600.2161](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp238.pdf)|[238](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/238)|FIPS approved algorithms: Triple-DES (Cert. [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#81)); AES (Cert. [#33](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#33)); SHA-1 (Cert. [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#83)); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#83), vendor affirmed)<p>Other algorithms: DES (Cert. [#156](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#156)); RC2; RC4; MD5|
-
-
-##### Windows XP SP1
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Microsoft Enhanced Cryptographic Provider|[5.1.2600.1029](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp238.pdf)|[238](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/238)|FIPS approved algorithms: Triple-DES (Cert. [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#81)); AES (Cert. [#33](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#33)); SHA-1 (Cert. [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#83)); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#83), vendor affirmed)<p>Other algorithms: DES (Cert. [#156](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#156)); RC2; RC4; MD5|
-
-##### Windows XP
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Kernel Mode Cryptographic Module|[5.1.2600.0](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp241.pdf)|[241](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/241)|FIPS approved algorithms: Triple-DES (Cert. [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)); DSA/SHA-1 (Cert. [#35](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#35)); HMAC-SHA-1 (Cert. [#35](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#35), vendor affirmed)<p>Other algorithms: DES (Cert. [#89](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#89))|
-
-##### Windows 2000 SP3
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.0.2195.1569](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp106.pdf)|[106](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/106)|FIPS approved algorithms: Triple-DES (Cert. [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)); SHA-1 (Certs. [#35](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#35))<p>Other algorithms: DES (Certs. [#89](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#89))|
-|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[(Base DSS: 5.0.2195.3665 [SP3])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(Base: 5.0.2195.3839 [SP3])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(DSS/DH Enh: 5.0.2195.3665 [SP3])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(Enh: 5.0.2195.3839 [SP3]](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)|[103](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/103)|FIPS approved algorithms: Triple-DES (Cert. [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)); DSA/SHA-1 (Certs. [#28](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#28) and [#29](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#29)); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#65), [66](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#66), [67](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#67) and [68](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#68)); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5|
-
-##### Windows 2000 SP2
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.0.2195.1569](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp106.pdf)|[106](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/106)|FIPS approved algorithms: Triple-DES (Cert. [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)); SHA-1 (Certs. [#35](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#35))<p>Other algorithms: DES (Certs. [#89](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#89))|
-|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[(Base DSS:](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[5.0.2195.2228 [SP2])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(Base:](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[5.0.2195.2228 [SP2])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(DSS/DH Enh:](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[5.0.2195.2228 [SP2])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(Enh:](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[5.0.2195.2228 [SP2])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)|[103](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/103)|FIPS approved algorithms: Triple-DES (Cert. [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)); DSA/SHA-1 (Certs. [#28](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#28) and [#29](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#29)); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#65), [66](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#66), [67](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#67) and [68](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#68)); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5|
-
-##### Windows 2000 SP1
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|([Base DSS: 5.0.2150.1391 [SP1])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(Base: 5.0.2150.1391 [SP1])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(DSS/DH Enh: 5.0.2150.1391 [SP1])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)<p>[(Enh: 5.0.2150.1391 [SP1])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp103.pdf)|[103](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/103)|FIPS approved algorithms: Triple-DES (Cert. [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)); DSA/SHA-1 (Certs. [#28](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#28) and [#29](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#29)); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#65), [66](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#66), [67](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#67) and [68](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#68)); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5|
-
-##### Windows 2000
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[5.0.2150.1](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp76.pdf)|[76](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/76)|FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. [#28](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#28) and [29](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#29)); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#65](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#65), [66](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#66), [67](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#67) and [68](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#68)); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)|
-
-##### Windows 95 and Windows 98
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider|[5.0.1877.6 and 5.0.1877.7](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp75.pdf)|[75](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/75)|FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. [#20](https://social.msdn.microsoft.com/forums/en-us/f93c9ee5-89b9-41a4-96c4-6eb9346625b9/msrai-msra-parsing-remote-assistance-packets-in-network-monitor?forum=os_windowsprotocolshttps://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#20) and [21](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#21)); DSA/SHA-1 (Certs. [#25](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#25) and [26](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#26)); RSA (vendor- affirmed)<p>Other algorithms: DES (Certs. [#61](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#61), [62](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#62), [63](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#63) and [64](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#64)); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)|
-
-
-##### Windows NT 4.0
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Base Cryptographic Provider|[5.0.1877.6 and 5.0.1877.7](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp68.pdf)|[68](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/68)|FIPS approved algorithms: SHA-1 (Certs. [#20](https://social.msdn.microsoft.com/forums/en-us/f93c9ee5-89b9-41a4-96c4-6eb9346625b9/msrai-msra-parsing-remote-assistance-packets-in-network-monitor?forum=os_windowsprotocolshttps://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#20) and [21](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#21)); DSA/SHA- 1 (Certs. [#25](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#25) and [26](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#26)); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#61](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#61), [62](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#62), [63](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#63) and [64](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#64)); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)|
-
-## Modules used by Windows Server
-
-##### Windows Server 2019 (Version 1809)
-
-Validated Editions: Standard, Datacenter
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf)|[#3197](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197)|See Security Policy and Certificate page for algorithm information|
-|Kernel Mode Cryptographic Primitives Library|[10.0.17763](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf)|[#3196](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196)|See Security Policy and Certificate page for algorithm information|
-|Code Integrity|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf)|[#3644](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3644)|See Security Policy and Certificate page for algorithm information|
-|Windows OS Loader|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf)|[#3615](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3615)|See Security Policy and Certificate page for algorithm information|
-|Secure Kernel Code Integrity|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf)|[#3651](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3651)|See Security Policy and Certificate page for algorithm information|
-|BitLocker Dump Filter|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf)|[#3092](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092)|See Security Policy and Certificate page for algorithm information|
-|Boot Manager|[10.0.17763](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf)|[#3089](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089)|See Security Policy and Certificate page for algorithm information|
-|Virtual TPM|[10.0.17763](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf)|[#3690](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3690)|See Security Policy and Certificate page for algorithm information|
-
-##### Windows Server (Version 1803)
-
-Validated Editions: Standard, Datacenter
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library|[10.0.17134](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf)|[#3197](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197)|See Security Policy and Certificate page for algorithm information|
-|Kernel Mode Cryptographic Primitives Library|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf)|[#3196](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196)|See Security Policy and Certificate page for algorithm information|
-|Code Integrity|[10.0.17134](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3195.pdf)|[#3195](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3195)|See Security Policy and Certificate page for algorithm information|
-|Windows OS Loader|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3480.pdf)|[#3480](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3480)|See Security Policy and Certificate page for algorithm information|
-|Secure Kernel Code Integrity|[10.0.17134](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf)|[#3096](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096)|See Security Policy and Certificate page for algorithm information|
-|BitLocker Dump Filter|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf)|[#3092](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092)|See Security Policy and Certificate page for algorithm information|
-|Boot Manager|[10.0.17134](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf)|[#3089](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089)|See Security Policy and Certificate page for algorithm information|
-
-##### Windows Server (Version 1709)
-
-Validated Editions: Standard, Datacenter
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf)|[#3197](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197)|See Security Policy and Certificate page for algorithm information|
-|Kernel Mode Cryptographic Primitives Library|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf)|[#3196](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196)|See Security Policy and Certificate page for algorithm information|
-|Code Integrity|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3195.pdf)|[#3195](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3195)|See Security Policy and Certificate page for algorithm information|
-|Windows OS Loader|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3194.pdf)|[#3194](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3194)|See Security Policy and Certificate page for algorithm information|
-|Secure Kernel Code Integrity|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf)|[#3096](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096)|See Security Policy and Certificate page for algorithm information|
-|BitLocker Dump Filter|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf)|[#3092](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092)|See Security Policy and Certificate page for algorithm information|
-|Windows Resume|[10.0.16299](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3091.pdf)|[#3091](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3091)|See Security Policy and Certificate page for algorithm information|
-|Boot Manager|[10.0.16299](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf)|[#3089](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089)|See Security Policy and Certificate page for algorithm information|
-
-##### Windows Server 2016
-
-Validated Editions: Standard, Datacenter, Storage Server
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2937.pdf)|[2937](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2937)|FIPS approved algorithms: AES (Cert. [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); DRBG (Cert. [#1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)); DSA (Cert. [#1098](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1098)); ECDSA (Cert. [#911](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#911)); HMAC (Cert. [#2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)); KAS (Cert. [#92](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#92)); KBKDF (Cert. [#101](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#101)); KTS (AES Cert. [#4062](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4062); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2192), [#2193, and #2195](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)); Triple-DES (Cert. [#2227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2227))<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2936.pdf)|[2936](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2936)|FIPS approved algorithms: AES (Cert. [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); DRBG (Cert. [#1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)); DSA (Cert. [#1098](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1098)); ECDSA (Cert. [#911](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#911)); HMAC (Cert. [#2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)); KAS (Cert. [#92](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#92)); KBKDF (Cert. [#101](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#101)); KTS (AES Cert. [#4062](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4062); key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2192), [#2193, and #2195](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)); Triple-DES (Cert. [#2227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2227))<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
-|Boot Manager|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2931.pdf)|[2931](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2931)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); HMAC (Cert. [#2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)); PBKDF (vendor affirmed); RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
-|BitLocker® Windows OS Loader (winload)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2932.pdf)|[2932](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2932)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: NDRNG; MD5|
-|BitLocker® Windows Resume (winresume)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2933.pdf)|[2933](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2934)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)); RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2934.pdf)|[2934](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2934)|FIPS approved algorithms: AES (Certs. [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061) and [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064))|
-|Code Integrity (ci.dll)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2935.pdf)|[2935](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2935)|FIPS approved algorithms: RSA (Cert. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Cert. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: AES (non-compliant); MD5|
-|Secure Kernel Code Integrity (skci.dll)|[10.0.14393](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2938.pdf)|[2938](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2938)|FIPS approved algorithms: RSA (Certs. [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)); SHS (Certs. [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347))<p>Other algorithms: MD5|
-
-##### Windows Server 2012 R2
-
-Validated Editions: Server, Storage Server,
-
-**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2357.pdf)|[2357](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2357)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); DRBG (Certs. [#489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)); DSA (Cert. [#855](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#855)); ECDSA (Cert. [#505](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#505)); HMAC (Cert. [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)); KAS (Cert. [#47](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#47)); KBKDF (Cert. [#30](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#30)); PBKDF (vendor affirmed); RSA (Certs. [#1487](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1487), [#1493, and #1519](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1493)); SHS (Cert. [#2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)); Triple-DES (Cert. [#1692](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1692))<p>Other algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2356.pdf)|[2356](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2356)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); DRBG (Certs. [#489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)); ECDSA (Cert. [#505](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#505)); HMAC (Cert. [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)); KAS (Cert. [#47](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#47)); KBKDF (Cert. [#30](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#30)); PBKDF (vendor affirmed); RSA (Certs. [#1487](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1487), [#1493, and #1519](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1493)); SHS (Cert. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)); Triple-DES (Cert. [#1692](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1692))<p>Other algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
-|Boot Manager|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2351.pdf)|[2351](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2351)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); HMAC (Cert. [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)); PBKDF (vendor affirmed); RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Certs. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373) and [#2396](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2396))<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2352.pdf)|[2352](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2352)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Cert. [#2396](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2396))<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[16]</sup>|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2353.pdf)|[2353](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2353)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)); RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Certs. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373) and [#2396](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2396))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[17]</sup>|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2354.pdf)|[2354](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2354)|FIPS approved algorithms: AES (Cert. [#2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832))<p>Other algorithms: N/A|
-|Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2355.pdf)|[2355](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2355)|FIPS approved algorithms: RSA (Cert. [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)); SHS (Cert. [# 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373))<p>Other algorithms: MD5|
-
-<sup>\[16\]</sup> Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-<sup>\[17\]</sup> Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
-
-**Windows Server 2012**
-
-Validated Editions: Server, Storage Server
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1892.pdf)|[1892](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1892)|FIPS approved algorithms: AES (Certs. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197) and [#2216](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2216)); DRBG (Certs. [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)); DSA (Cert. [#687](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#687)); ECDSA (Cert. [#341](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#341)); HMAC (Cert. #[1345](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1345)); KAS (Cert. [#36](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#36)); KBKDF (Cert. [#3](http://csrc.nist.gov/groups/stm/cavp/documents/kbkdf800-108/kbkdfval.htm#3)); PBKDF (vendor affirmed); RSA (Certs. [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1133) and [#1134](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1134)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)); Triple-DES (Cert. [#1387](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1387))<p>Other algorithms: AES (Cert. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1891.pdf)|[1891](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1891)|FIPS approved algorithms: AES (Certs. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197) and [#2216](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2216)); DRBG (Certs. [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258) and [#259](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#259)); ECDSA (Cert. [#341](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#341)); HMAC (Cert. [#1345](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1345)); KAS (Cert. [#36](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#36)); KBKDF (Cert. [#3](http://csrc.nist.gov/groups/stm/cavp/documents/kbkdf800-108/kbkdfval.htm#3)); PBKDF (vendor affirmed); RNG (Cert. [#1110](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#1110)); RSA (Certs. [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1133) and [#1134](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1134)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)); Triple-DES (Cert. [#1387](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1387))<p>Other algorithms: AES (Cert. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
-|Boot Manager|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1895.pdf)|[1895](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1895)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198)); HMAC (Cert. #[1347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1347)); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1896.pdf)|[1896](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1896)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198)); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: AES (Cert. [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197); non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1898.pdf)|[1898](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1898)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198)); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1899.pdf)|[1899](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1899)|FIPS approved algorithms: AES (Certs. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196) and [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198))<p>Other algorithms: N/A|
-|Code Integrity (CI.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1897.pdf)|[1897](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1897)|FIPS approved algorithms: RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903))<p>Other algorithms: MD5|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1893.pdf)|[1893](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1893)|FIPS approved algorithms: DSA (Cert. [#686](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#686)); SHS (Cert. [#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)); Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386)); Triple-DES MAC (Triple-DES Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386), vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386), key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-|Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1894.pdf)|[1894](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm#1894)|FIPS approved algorithms: AES (Cert. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196)); HMAC (Cert. [#1346](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1346)); RSA (Cert. [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)); SHS (Cert. [#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)); Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386))<p>Other algorithms: AES (Cert. [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386), key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-
-##### Windows Server 2008 R2
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Boot Manager (bootmgr)|[6.1.7600.16385 or 6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1321.pdf)|[1321](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1321)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); HMAC (Cert. [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#675)); RSA (Cert. [#568](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#568)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: MD5|
-|Winload OS Loader (winload.exe)|[6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1333.pdf)|[1333](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1333)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); RSA (Cert. [#568](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#568)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: MD5|
-|Code Integrity (ci.dll)|[6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1334.pdf)|[1334](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1334)|FIPS approved algorithms: RSA (Cert. [#568](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#568)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: MD5|
-|Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1335.pdf)|[1335](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1335)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); AES GCM (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); AES GMAC (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); DRBG (Certs. [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23) and [#27](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#27)); ECDSA (Cert. [#142](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#142)); HMAC (Cert. [#686](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#686)); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#649)); RSA (Certs. [#559](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#559) and [#567](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#567)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846))<p>Other algorithms: AES (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
-|Cryptographic Primitives Library (bcryptprimitives.dll)|[66.1.7600.16385 or 6.1.7601.17514](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1336.pdf)|[1336](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1336)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); AES GCM (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); AES GMAC (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed); DRBG (Certs. [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23) and [#27](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#27)); DSA (Cert. [#391](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#391)); ECDSA (Cert. [#142](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#142)); HMAC (Cert. [#686](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#686)); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#649)); RSA (Certs. [#559](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#559) and [#567](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#567)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846))<p>Other algorithms: AES (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4|
-|Enhanced Cryptographic Provider (RSAENH)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1337.pdf)|[1337](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1337)|FIPS approved algorithms: AES (Cert. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168)); DRBG (Cert. [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23)); HMAC (Cert. [#687](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#687)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); RSA (Certs. [#559](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#559) and [#568](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#568)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846))<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.1.7600.16385](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1338.pdf)|[1338](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1338)|FIPS approved algorithms: DSA (Cert. [#390](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#390)); RNG (Cert. [#649](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#649)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)); Triple-DES (Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846)); Triple-DES MAC (Triple-DES Cert. [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846), vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1339.pdf)|[1339](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1339)|FIPS approved algorithms: AES (Certs. [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168) and [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)); HMAC (Cert. [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#675)); SHS (Cert. [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081))<p>Other algorithms: Elephant Diffuser|
-
-##### Windows Server 2008
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Boot Manager (bootmgr)|[6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1004.pdf)|[1004](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1004)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#760)); HMAC (Cert. [#415](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#415)); RSA (Cert. [#355](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#355)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753))<p>Other algorithms: N/A|
-|Winload OS Loader (winload.exe)|[6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1005.pdf)|[1005](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1005)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#760)); RSA (Cert. [#355](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#355)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753))<p>Other algorithms: MD5|
-|Code Integrity (ci.dll)|[6.0.6001.18000 and 6.0.6002.18005](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1006.pdf)|[1006](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1006)|FIPS approved algorithms: RSA (Cert. [#355](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#355)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753))<p>Other algorithms: MD5|
-|Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1007.pdf)|[1007](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1007)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#757](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#757)); ECDSA (Cert. [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#83)); HMAC (Cert. [#413](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#413)); RNG (Cert. [#435](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#435) and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. [#353](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#353) and [#358](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#358)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656))<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-|Cryptographic Primitives Library (bcrypt.dll)|[6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1008.pdf)|[1008](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1008)|FIPS approved algorithms: AES (Certs. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739) and [#757](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#757)); DSA (Cert. [#284](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#284)); ECDSA (Cert. [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#83)); HMAC (Cert. [#413](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#413)); RNG (Cert. [#435](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#435) and SP800-90, vendor affirmed); RSA (Certs. [#353](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#353) and [#358](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#358)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656))<p>Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6001.18000 and 6.0.6002.18005](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1009.pdf)|[1009](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1009)|FIPS approved algorithms: DSA (Cert. [#282](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#282)); RNG (Cert. [#435](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#435)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656)); Triple-DES MAC (Triple-DES Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656), vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
-|Enhanced Cryptographic Provider (RSAENH)|[6.0.6001.22202 and 6.0.6002.18005](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp1010.pdf)|[1010](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1010)|FIPS approved algorithms: AES (Cert. [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739)); HMAC (Cert. [#408](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#408)); RNG (SP 800-90, vendor affirmed); RSA (Certs. [#353](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#353) and [#355](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#355)); SHS (Cert. [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)); Triple-DES (Cert. [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656))<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-
-##### Windows Server 2003 SP2
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.3959](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp875.pdf)|[875](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/875)|FIPS approved algorithms: DSA (Cert. [#221](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#221)); RNG (Cert. [#314](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#314)); RSA (Cert. [#245](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#245)); SHS (Cert. [#611](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#611)); Triple-DES (Cert. [#543](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#543))<p>Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4|
-|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.3959](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp869.pdf)|[869](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/869)|FIPS approved algorithms: HMAC (Cert. [#287](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#287)); RNG (Cert. [#313](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#313)); SHS (Cert. [#610](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#610)); Triple-DES (Cert. [#542](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#542))<p>Other algorithms: DES; HMAC-MD5|
-|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.3959](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp868.pdf)|[868](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/868)|FIPS approved algorithms: AES (Cert. [#548](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#548)); HMAC (Cert. [#289](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#289)); RNG (Cert. [#316](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#316)); RSA (Cert. [#245](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#245)); SHS (Cert. [#613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613)); Triple-DES (Cert. [#544](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#544))<p>Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
-
-##### Windows Server 2003 SP1
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.1830 [SP1]](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp405.pdf)|[405](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/405)|FIPS approved algorithms: Triple-DES (Certs. [#201](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#201)[1] and [#370](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#370)[1]); SHS (Certs. [#177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#177)[1] and [#371](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#371)[2])<p>Other algorithms: DES (Cert. [#230](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#230)[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)<p>[1] x86<p>[2] SP1 x86, x64, IA64|
-|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.1830 [Service Pack 1])](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp382.pdf)|[382](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/382)|FIPS approved algorithms: Triple-DES (Cert. [#192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#192)[1] and [#365](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#365)[2]); AES (Certs. [#80](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#80)[1] and [#290](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#290)[2]); SHS (Cert. [#176](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#176)[1] and [#364](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#364)[2]); HMAC (Cert. [#176](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#176), vendor affirmed[1] and [#99](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#99)[2]); RSA (PKCS#1, vendor affirmed[1] and [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#81)[2])<p>Other algorithms: DES (Cert. [#226](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#226)[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5<p>[1] x86<p>[2] SP1 x86, x64, IA64|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.1830 [Service Pack 1]](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp381.pdf)|[381](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/381)|FIPS approved algorithms: Triple-DES (Certs. [#199](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#199)[1] and [#381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#381)[2]); SHA-1 (Certs. [#181](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#181)[1] and [#385](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#385)[2]); DSA (Certs. [#95](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#95)[1] and [#146](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#146)[2]); RSA (Cert. [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#81))<p>Other algorithms: DES (Cert. [#229](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#229)[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40<p>[1] x86<p>[2] SP1 x86, x64, IA64|
-
-##### Windows Server 2003
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Kernel Mode Cryptographic Module (FIPS.SYS)|[5.2.3790.0](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp405.pdf)|[405](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/405)|FIPS approved algorithms: Triple-DES (Certs. [#201](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#201)[1] and [#370](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#370)[1]); SHS (Certs. [#177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#177)[1] and [#371](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#371)[2])<p>Other algorithms: DES (Cert. [#230](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#230)[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)<p>[1] x86<p>[2] SP1 x86, x64, IA64|
-|Enhanced Cryptographic Provider (RSAENH)|[5.2.3790.0](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp382.pdf)|[382](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/382)|FIPS approved algorithms: Triple-DES (Cert. [#192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#192)[1] and [#365](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#365)[2]); AES (Certs. [#80](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#80)[1] and [#290](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#290)[2]); SHS (Cert. [#176](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#176)[1] and [#364](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#364)[2]); HMAC (Cert. [#176](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#176), vendor affirmed[1] and [#99](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#99)[2]); RSA (PKCS#1, vendor affirmed[1] and [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#81)[2])<p>Other algorithms: DES (Cert. [#226](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#226)[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5<p>[1] x86<p>[2] SP1 x86, x64, IA64|
-|Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[5.2.3790.0](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp381.pdf)|[381](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/381)|FIPS approved algorithms: Triple-DES (Certs. [#199](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#199)[1] and [#381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#381)[2]); SHA-1 (Certs. [#181](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#181)[1] and [#385](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#385)[2]); DSA (Certs. [#95](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#95)[1] and [#146](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#146)[2]); RSA (Cert. [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#81))<p>Other algorithms: DES (Cert. [#229](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#229)[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40<p>[1] x86<p>[2] SP1 x86, x64, IA64|
-
-#### Other Products
-
-##### Windows Embedded Compact 7 and Windows Embedded Compact 8
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Enhanced Cryptographic Provider|[7.00.2872 [1] and 8.00.6246 [2]](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2957.pdf)|[2957](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2957)|FIPS approved algorithms: AES (Certs.[#4433](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4433)and[#4434](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4434)); CKG (vendor affirmed); DRBG (Certs.[#1432](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1432)and[#1433](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1433)); HMAC (Certs.[#2946](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2946)and[#2945](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2945)); RSA (Certs.[#2414](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2414)and[#2415](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2415)); SHS (Certs.[#3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)and[#3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)); Triple-DES (Certs.[#2383](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2383)and[#2384](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2384))<p>Allowed algorithms: HMAC-MD5, MD5, NDRNG|
-|Cryptographic Primitives Library (bcrypt.dll)|[7.00.2872 [1] and 8.00.6246 [2]](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp2956.pdf)|[2956](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2956)|FIPS approved algorithms: AES (Certs.[#4430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4430)and[#4431](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4431)); CKG (vendor affirmed); CVL (Certs.[#1139](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1139)and[#1140](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1140)); DRBG (Certs.[#1429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1429)and[#1430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1430)); DSA (Certs.[#1187](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1187)and[#1188](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1188)); ECDSA (Certs.[#1072](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1072)and[#1073](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1073)); HMAC (Certs.[#2942](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2942)and[#2943](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2943)); KAS (Certs.[#114](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#114)and[#115](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#115)); RSA (Certs.[#2411](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2411)and[#2412](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2412)); SHS (Certs.[#3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)and[#3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)); Triple-DES (Certs.[#2381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2381)and[#2382](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2382))<p>Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength|
-
-##### Windows CE 6.0 and Windows Embedded Compact 7
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Enhanced Cryptographic Provider|[6.00.1937 [1] and 7.00.1687 [2]](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp825.pdf)|[825](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/825)|FIPS approved algorithms: AES (Certs. [#516](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#516) [1] and [#2024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2024) [2]); HMAC (Certs. [#267](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#267) [1] and [#1227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1227) [2]); RNG (Certs. [#292](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#292) [1] and [#1060](http://csrc.nist.gov/groups/stm/cavp/documents/rng/rnghistoricalval.html#1060) [2]); RSA (Cert. [#230](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#230) [1] and [#1052](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1052) [2]); SHS (Certs. [#589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589) [1] and #1774 [2]); Triple-DES (Certs. [#526](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#526) [1] and [#1308](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1308) [2])<p>Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES|
-
-##### Outlook Cryptographic Provider
-
-|Cryptographic Module|Version (link to Security Policy)|FIPS Certificate #|Algorithms|
-|--- |--- |--- |--- |
-|Outlook Cryptographic Provider (EXCHCSP)|[SR-1A (3821)](http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/140sp/140sp110.pdf)|[110](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/110)|FIPS approved algorithms: Triple-DES (Cert. [#18](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#18)); SHA-1 (Certs. [#32](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#32)); RSA (vendor affirmed)<p>Other algorithms: DES (Certs. [#91](http://csrc.nist.gov/groups/stm/cavp/documents/des/desval.html#91)); DES MAC; RC2; MD2; MD5|
-
-### Cryptographic Algorithms
-
-The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.
-
-### Advanced Encryption Standard (AES)
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-OFB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)|Microsoft Surface Hub Virtual TPM Implementations [#4904](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4904)<p>Version 10.0.15063.674|
-|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-OFB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#4903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4903)<p>Version 10.0.16299|
-|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CCM:<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)<li>IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB8:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CMAC:<li>Generation:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>Verification:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-ECB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-GCM:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 96, 104, 112, 120, 128 (bits)<li>Plain Text Lengths: 0, 8, 1016, 1024 (bits)<li>Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)<li>96 bit IV supported<p>AES-XTS:<li>Key Size: 128:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full<li>Key Size: 256:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#4902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4902)<p>Version 10.0.15063.674|
-|<p>AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CCM:<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)<li>IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB8:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CMAC:<li>Generation:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<li>Verification:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-ECB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-GCM:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 96, 104, 112, 120, 128 (bits)<li>Plain Text Lengths: 0, 8, 1016, 1024 (bits)<li>Additional authenticated data lengths: 0, 8, 1016, 1024 (bits),96 bit IV supported<p>AES-XTS:<li>Key Size: 128:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full<li>Key Size: 256:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#4901](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4901)<p>Version 10.0.15254|
-|AES-CBC:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CCM:<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)<li>IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES-CFB128:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CFB8:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-CMAC:<li>Generation:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>Verification:<p>AES-128:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-192:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-256:<li>Block Sizes: Full, Partial<li>Message Length: 0-65536<li>Tag Length: 16-16<p>AES-CTR:<p>Counter Source: Internal<li>Key Lengths: 128, 192, 256 (bits)<p>AES-ECB:<li>Modes: Decrypt, Encrypt<li>Key Lengths: 128, 192, 256 (bits)<p>AES-GCM:<li>Modes: Decrypt, Encrypt<li>IV Generation: External<li>Key Lengths: 128, 192, 256 (bits)<li>Tag Lengths: 96, 104, 112, 120, 128 (bits)<li>Plain Text Lengths: 0, 8, 1016, 1024 (bits)<li>Additional authenticated data lengths: 0, 8, 1016, 1024 (bits)<li>96 bit IV supported<p>AES-XTS:<li>Key Size: 128:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full<li>Key Size: 256:<li>Modes: Decrypt, Encrypt<li>Block Sizes: Full|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#4897](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4897)<p>Version 10.0.16299|
-|AES-KW:<li>Modes: Decrypt, Encrypt<li>CIPHK transformation direction: Forward<li>Key Lengths: 128, 192, 256 (bits)<li>Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)<p>AES [validation number 4902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4902)|Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations [#4900](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4900)<p>Version 10.0.15063.674|
-|AES-KW:<li>Modes: Decrypt, Encrypt<li>CIPHK transformation direction: Forward<li>Key Lengths: 128, 192, 256 (bits)<li>Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)<p>AES [validation number 4901](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4901)|Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations [#4899](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4899)<p>Version 10.0.15254|
-|AES-KW:<li>Modes: Decrypt, Encrypt<li>CIPHK transformation direction: Forward<li>Key Lengths: 128, 192, 256 (bits)<li>Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)<p>AES [validation number 4897](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4897)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations [#4898](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4898)<p>Version 10.0.16299|
-|AES-CCM:<li>Key Lengths: 256 (bits)<li>Tag Lengths: 128 (bits)<li>IV Lengths: 96 (bits)<li>Plain<li>Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES [validation number 4902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4902)|Microsoft Surface Hub BitLocker(R) Cryptographic Implementations [#4896](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4896)<p>Version 10.0.15063.674|
-|AES-CCM:<li>Key Lengths: 256 (bits)<li>Tag Lengths: 128 (bits)<li>IV Lengths: 96 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES [validation number 4901](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4901)|Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations [#4895](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4895)<p>Version 10.0.15254|
-|AES-CCM:<li>Key Lengths: 256 (bits)<li>Tag Lengths: 128 (bits)<li>IV Lengths: 96 (bits)<li>Plain Text Length: 0-32<li>Additional authenticated data length: 0-65536<p>AES [validation number 4897](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4897)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations [#4894](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4894)<p>Version 10.0.16299|
-|**CBC** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**OFB** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#4627](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4627)<p>Version 10.0.15063|
-|**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations [#4626](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4626)<p>Version 10.0.15063|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations [#4625](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4625)<p>Version 10.0.15063|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC** (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported<p>GMAC supported<p>**XTS**((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624)<p>Version 10.0.15063|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#4434](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4434)<p>Version 7.00.2872|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#4433](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4433)<p>Version 8.00.6246|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#4431](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4431)<p>Version 7.00.2872|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#4430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4430)<p>Version 8.00.6246|
-|**CBC** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**OFB** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#4074](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4074)<p>Version 10.0.14393|
-|**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)<p>Version 10.0.14393|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#4063](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4063)<p>Version 10.0.14393|
-|**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)<p>AES [validation number 4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#4062](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4062)<p>Version 10.0.14393|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4061)<p>Version 10.0.14393|
-|**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations [#3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3652)<p>Version 10.0.10586|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations [#3653](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3653)<p>Version 10.0.10586|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations [#3630](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3630)<p>Version 10.0.10586|
-|**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)v**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d) (f)) **KS: XTS_256**((e/d) (f))|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations [#3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629)<p>Version 10.0.10586|
-|**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#3507](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3507)<p>Version 10.0.10240|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3498)<p>Version 10.0.10240|
-|**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC(Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497)<p>Version 10.0.10240|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#3476](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3476)<p>Version 10.0.10240|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2853](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2853)<p>Version 6.3.9600|
-|**CCM (KS: 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations [#2848](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2848)<p>Version 6.3.9600|
-|**CCM (KS: 128, 192, 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification) (KS: 128**; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM (KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;<p>**OtherIVLen_Supported<p>GMAC supported**|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #[2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832)<p>Version 6.3.9600|
-|**CCM (KS: 128, 192, 256**) **(Assoc. Data Len Range**: 0-0, 2^16) **(Payload Length Range**: 0 - 32 (**Nonce Length(s)**: 7 8 9 10 11 12 13 **(Tag Length(s)**: 4 6 8 10 12 14 16)<p>AES [validation number 2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197)<p>**CMAC** (Generation/Verification) **(KS: 128;** Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 192**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 256**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16)<p>AES [validation number 2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197)<p>**GCM(KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) **(KS: AES_192**(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:** (Externally); **PT Lengths Tested:** (0, 128, 1024, 8, 1016); **Additional authenticated data lengths tested:** (0, 128, 1024, 8, 1016); **IV Lengths Tested:** (8, 1024); **96 bit IV supported<p>GMAC supported**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#2216](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2216)|
-|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)<p>AES [validation number 2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2198)|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197)|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#2196](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2196)|
-|**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 – 0, 2^16**) (Payload Length Range:** 0 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s): **4 6 8 10 12 14 16**)**<p>AES [validation number 1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168)|Windows Server 2008 R2 and SP1 CNG algorithms [#1187](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1187)<p>Windows 7 Ultimate and SP1 CNG algorithms [#1178](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1178)|
-|**CCM (KS: 128, 256) (Assoc. Data Len Range: **0 - 8**) (Payload Length Range:** 4 - 32 **(Nonce Length(s):** 7 8 12 13 **(Tag Length(s): **4 6 8 14 16**)**<p>AES [validation number 1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168)|Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations [#1177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1177)|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168)|
-|**GCM**<p>**GMAC**|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168), vendor-affirmed|
-|**CCM (KS: 128, 256) (Assoc. Data Len Range: **0 - 8**) (Payload Length Range:** 4 - 32 **(Nonce Length(s):** 7 8 12 13 **(Tag Length(s): **4 6 8 14 16**)**|Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#760)|
-|**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 1 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s):** 4 6 8 10 12 14 16**)**|Windows Server 2008 CNG algorithms [#757](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#757)<p>Windows Vista Ultimate SP1 CNG algorithms [#756](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#756)|
-|**CBC** (e/d; 128, 256);<p>**CCM** (**KS: 128, 256**) (**Assoc. Data Len Range**: 0 - 8) (**Payload Length Range**: 4 - 32 (**Nonce Length(s)**: 7 8 12 13 (**Tag Length(s)**: 4 6 8 14 16)|Windows Vista Ultimate BitLocker Drive Encryption [#715](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#715)<p>Windows Vista Ultimate BitLocker Drive Encryption [#424](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#424)|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation [#739](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#739)<p>Windows Vista Symmetric Algorithm Implementation [#553](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#553)|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#2023](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2023)|
-|**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#2024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2024)<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#818](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#818)<p>Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#781](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#781)<p>Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#548](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#548)<p>Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#516](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#516)<p>Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) [#507](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#507)<p>Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#290](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#290)<p>Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) [#224](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#224)<p>Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) [#80](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#80)<p>Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) [#33](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#33)|
-
-### Deterministic Random Bit Generator (DRBG)
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function not used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4904](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4904)|Microsoft Surface Hub Virtual TPM Implementations [#1734](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1734)<p>Version 10.0.15063.674|
-|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function not used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4903)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#1733](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733)<p>Version 10.0.16299|
-|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4902)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)<p>Version 10.0.15063.674|
-|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4901](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4901)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)<p>Version 10.0.15254|
-|<p>Counter:<li>Modes: AES-256<li>Derivation Function States: Derivation Function used<li>Prediction Resistance Modes: Not Enabled<p>Prerequisite: AES [#4897](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4897)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)<p>Version 10.0.16299|
-|**CTR_DRBG:** [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256)<p>(AES [validation number 4627](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4627))]|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#1556](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1556)<p>Version 10.0.15063|
-|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256 (AES [validation number 4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624))]|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)<p>Version 10.0.15063|
-|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4434](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4434))]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#1433](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1433)<p>Version 7.00.2872|
-|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4433](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4433))]|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#1432](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1432)<p>Version 8.00.6246|
-|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4431](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4431))]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1430)<p>Version 7.00.2872|
-|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4430))]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1429)<p>Version 8.00.6246|
-|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 4074](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4074))]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#1222](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1222)<p>Version 10.0.14393|
-|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064))]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)<p>Version 10.0.14393|
-|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629))]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations [#955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)<p>Version 10.0.10586|
-|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497))]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)<p>Version 10.0.10240|
-|**CTR_DRBG:**[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 2832](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2832))]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)<p>Version 6.3.9600|
-|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES [validation number 2197](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2197))]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)|
-|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 2023](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#2023))]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#193)|
-|**CTR_DRBG**:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES [validation number 1168](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#1168))]|Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23)|
-|**DRBG** (SP 800–90)|Windows Vista Ultimate SP1, vendor-affirmed|
-
-#### Digital Signature Algorithm (DSA)
-
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|DSA:<li>186-4:<p>PQGGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>PQGVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>KeyPair:<li>L = 2048, N = 256<li>L = 3072, N = 256<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1303](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1303)<p>Version 10.0.15063.674|
-|DSA:<li>186-4:<p>PQGGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>PQGVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>KeyPair:<li>L = 2048, N = 256<li>L = 3072, N = 256<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1302](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1302)<p>Version 10.0.15254|
-|DSA:<li>186-4:<p>PQGGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>PQGVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigGen:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>SigVer:<li>L = 2048, N = 256 SHA: SHA-256<li>L = 3072, N = 256 SHA: SHA-256<p>KeyPair:<li>L = 2048, N = 256<li>L = 3072, N = 256<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1301](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1301)<p>Version 10.0.16299|
-|**FIPS186-4:**<br>**PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>**KeyPairGen**:   [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)** PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>DRBG: [validation number  1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1223](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1223)<p>Version 10.0.15063|
-|**FIPS186-4:<br>PQG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>**SIG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>SHS: [validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1188](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1188)<p>Version 7.00.2872|
-|**FIPS186-4:<br>PQG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>**SIG(ver)PARMS TESTED:**   [(1024,160) SHA(1)]<p>SHS: [validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1187](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1187)<p>Version 8.00.6246|
-|**FIPS186-4:<br>PQG(gen)** PARMS TESTED: [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>KeyPairGen:    [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p>DRBG: [validation number  1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#1098](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1098)<p>Version 10.0.14393|
-|**FIPS186-4:<br>PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>KeyPairGen:    [(2048,256); (3072,256)] **SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)<p>DRBG: [validation number  955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations [#1024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1024)<p>Version 10.0.10586|
-|**FIPS186-4:<br>PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<br>KeyPairGen: [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] **SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)<p>DRBG: [validation number  868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#983](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#983)<p>Version 10.0.10240|
-|**FIPS186-4:<br>PQG(gen)** PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver**)PARMS TESTED:   [(2048,256), SHA(256); (3072,256) SHA(256)]<br>KeyPairGen:    [(2048,256); (3072,256)]<p>**SIG(gen)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)**PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [validation number  2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)<p>DRBG: [validation number  489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#855](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#855)<p>Version 6.3.9600|
-|**FIPS186-2**:<p>**PQG(ver)** MOD(1024);<p>**SIG(ver)** MOD(1024);<p>SHS: [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<P>DRBG: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<p>**FIPS186-4: PQG(gen)PARMS TESTED**: [(2048,256)SHA(256); (3072,256) SHA(256)]<p>**PQG(ver)PARMS TESTED**: [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(gen)PARMS TESTED**: [(2048,256) SHA(256); (3072,256) SHA(256)]<p>**SIG(ver)PARMS TESTED**: [(2048,256) SHA(256); (3072,256) SHA(256)]<p>SHS: [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p>DRBG: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 687](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#687).|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#687](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#687)|
-|**FIPS186-2:<br>PQG(ver)** MOD(1024);<p>**SIG(ver)** MOD(1024);<p>SHS: [#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)<p>DRBG: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 686](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#686).|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) [#686](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#686)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)<p>DRBG: [validation number  193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#193)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 645](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#645).|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#645](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#645)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p>DRBG: [validation number  23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 391](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#391). See [Historical DSA List validation number 386](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#386).|Windows Server 2008 R2 and SP1 CNG algorithms [#391](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#391)<p>Windows 7 Ultimate and SP1 CNG algorithms [#386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#386)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p>RNG: [validation number  649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#649)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 390](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#390). See [Historical DSA List validation number 385](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#385).|Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) [#390](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#390)<p>Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) [#385](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#385)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 284](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#284). See [Historical DSA List validation number 283](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#283).|Windows Server 2008 CNG algorithms [#284](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#284)<p>Windows Vista Ultimate SP1 CNG algorithms [#283](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#283)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p>RNG: [validation number  435](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#435)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 282](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#282). See [Historical DSA List validation number 281](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#281).|Windows Server 2008 Enhanced DSS (DSSENH) [#282](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#282)<p>Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) [#281](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#281)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p>RNG: [validation number  321](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#321)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 227](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#227). See [Historical DSA List validation number 226](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#226).|Windows Vista CNG algorithms [#227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#227)<p>Windows Vista Enhanced DSS (DSSENH) [#226](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#226)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#784)<p>RNG: [validation number  448](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#448)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 292](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#292).|Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#292](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#292)|
-|**FIPS186-2:<br>SIG(ver)** MOD(1024);<p>SHS: [validation number  783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)<p>RNG: [validation number  447](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#447)vSome of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical DSA List validation number 291](http://csrc.nist.gov/groups/stm/cavp/documents/dss/dsahistoricalval.htm#291).|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#291](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#291)|
-|**FIPS186-2:<br>PQG(gen)** MOD(1024);<p>**PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);<p>**SIG(gen)** MOD(1024);<P>**SIG(ver)** MOD(1024);<p>SHS: [validation number  611](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#611)<p>RNG: [validation number  314](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#314)|Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#221](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#221)|
-|**FIPS186-2:<br>PQG(gen)** MOD(1024);<p>**PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);<p>**SIG(gen)** MOD(1024);v**SIG(ver)** MOD(1024);vSHS: [validation number  385](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#385)|Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#146](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#146)|
-|**FIPS186-2:<br>PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);v**SIG(gen)** MOD(1024);<p>**SIG(ver)** MOD(1024);<p>SHS: [validation number  181](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#181)|Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#95](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#95)|
-|**FIPS186-2:<br>PQG(gen)** MOD(1024);<p>**PQG(ver)** MOD(1024);<p>**KEYGEN(Y)** MOD(1024);<p>**SIG(gen)** MOD(1024); SHS: SHA-1 (BYTE)<p>**SIG(ver)** MOD(1024); SHS: SHA-1 (BYTE)|Windows 2000 DSSENH.DLL [#29](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#29)<p>Windows 2000 DSSBASE.DLL [#28](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#28)<p>Windows NT 4 SP6 DSSENH.DLL [#26](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#26)<p>Windows NT 4 SP6 DSSBASE.DLL [#25](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#25)|
-|**FIPS186-2: PRIME;<br>FIPS186-2:**<p>**KEYGEN(Y):**SHS: SHA-1 (BYTE)<p>**SIG(gen):SIG(ver)** MOD(1024);<p>SHS: SHA-1 (BYTE)|Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider [#17](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#17)|
-
-
-#### Elliptic Curve Digital Signature Algorithm (ECDSA)
-
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|<p>ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373), DRBG [#489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#1263](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1263)<p>Version 6.3.9600|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384<li>Generation Methods: Testing Candidates<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1734](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1734)|Microsoft Surface Hub Virtual TPM Implementations [#1253](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1253)<p>Version 10.0.15063.674|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384<li>Generation Methods: Testing Candidates<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1733](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#1252](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1252)<p>Version 10.0.16299|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1251](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1251)<p>Version 10.0.15063.674|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1250](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1250)<p>Version 10.0.15063.674|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1249](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1249)<p>Version 10.0.15254|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1248](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1248)<p>Version 10.0.15254|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1247](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1247)<p>Version 10.0.16299|
-|ECDSA:186-4:<p>Key Pair Generation:<li>Curves: P-256, P-384, P-521<li>Generation Methods: Extra Random Bits<p>Public Key Validation:<li>Curves: P-256, P-384, P-521<p>Signature Generation:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Signature Verification:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1246](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1246)<p>Version 10.0.16299|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 TestingCandidates)<p>SHS: [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>DRBG: [validation number  1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#1136](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1136)<p>Version 10.0.15063|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>DRBG: [validation number  1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1135](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1135)<p>Version 10.0.15063|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>DRBG: [validation number  1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1133)<p>Version 10.0.15063|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SigVer: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))<p>**SHS:**[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<p>**DRBG:**[validation number  1430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1430)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1073](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1073)<p>Version 7.00.2872|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SigVer: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))<p>**SHS:**[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<p>**DRBG:**[validation number  1429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1429)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1072](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1072)<p>Version 8.00.6246|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 TestingCandidates)v**PKV: CURVES**(P-256 P-384)<p>**SigGen: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.v**SigVer: CURVES**(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))<p>SHS: [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p>DRBG: [validation number  1222](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1222)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#920](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#920)<p>Version 10.0.14393|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**PKV: CURVES**(P-256 P-384 P-521)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))vSHS: [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p>DRBG: [validation number  1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#911](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#911)<p>Version 10.0.14393|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)<p>DRBG: [validation number  955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations [#760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#760)<p>Version 10.0.10586|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer**: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)<p>DRBG: [validation number  868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#706](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#706)<p>Version 10.0.10240|
-|**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>SHS: [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)<p>DRBG: [validation number  489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#505](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#505)<p>Version 6.3.9600|
-|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p>**DRBG**: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p>**DRBG**: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<p>**FIPS186-4: <br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>**SHS**: [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p>**DRBG**: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical ECDSA List validation number 341](http://csrc.nist.gov/groups/stm/cavp/documents/dss/ecdsahistoricalval.html#341).|Windows 8,<p>Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#341](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#341)|
-|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)<p>**DRBG**: [validation number  193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#193)<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)<p>**DRBG**: [validation number  193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#193)<p>**FIPS186-4:<br>PKG: CURVES**(P-256 P-384 P-521 ExtraRandomBits)<p>**SigGen: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)<p>**SigVer: CURVES**(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))<p>**SHS**: [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)<p>**DRBG**: [validation number  193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#193)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical ECDSA List validation number 295](http://csrc.nist.gov/groups/stm/cavp/documents/dss/ecdsahistoricalval.html#295).|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#295](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#295)|
-|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p>**DRBG**: [validation number  23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23)<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p>**DRBG**: [validation number  23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical ECDSA List validation number 142](http://csrc.nist.gov/groups/stm/cavp/documents/dss/ecdsahistoricalval.html#142). See [Historical ECDSA List validation number 141](http://csrc.nist.gov/groups/stm/cavp/documents/dss/ecdsahistoricalval.html#141).|Windows Server 2008 R2 and SP1 CNG algorithms [#142](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#142)<p>Windows 7 Ultimate and SP1 CNG algorithms [#141](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#141)|
-|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical ECDSA List validation number 83](http://csrc.nist.gov/groups/stm/cavp/documents/dss/ecdsahistoricalval.html#83). See [Historical ECDSA List validation number 82](http://csrc.nist.gov/groups/stm/cavp/documents/dss/ecdsahistoricalval.html#82).|Windows Server 2008 CNG algorithms [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#83)<p>Windows Vista Ultimate SP1 CNG algorithms [#82](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#82)|
-|**FIPS186-2:<br>PKG: CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p>**RNG**: [validation number  321](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p>**SIG(ver): CURVES**(P-256 P-384 P-521)<p>**SHS**: [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p>**RNG**: [validation number  321](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#321)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical ECDSA List validation number 60](http://csrc.nist.gov/groups/stm/cavp/documents/dss/ecdsahistoricalval.html#60).|Windows Vista CNG algorithms [#60](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#60)|
-
-#### Keyed-Hash Message Authentication Code (HMAC)
-
-
-|**Modes / States / <li>Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|<p>HMAC-SHA-1:<li><li>Key Sizes &lt; Block Size<li><li>Key Sizes &gt; Block Size<li><li>Key Sizes = Block Size<p><p>HMAC-SHA2-256:<li><li>Key Sizes &lt; Block Size<li><li>Key Sizes &gt; Block Size<li><li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011)|Microsoft Surface Hub Virtual TPM Implementations [#3271](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/<p>HMAC#3271)<p>Version 10.0.15063.674|
-|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#3270](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/<p>HMAC#3270)<p>Version 10.0.16299|
-|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-512:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#3269](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/<p>HMAC#3269)<p>Version 10.0.15063.674|
-|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-512:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#3268](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/<p>HMAC#3268)<p>Version 10.0.15254|
-|<p>HMAC-SHA-1:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-256:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-384:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>HMAC-SHA2-512:<li>Key Sizes &lt; Block Size<li>Key Sizes &gt; Block Size<li>Key Sizes = Block Size<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#3267](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/<p>HMAC#3267)<p>Version 10.0.16299|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#3062](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3062)<p>Version 10.0.15063|
-|<p> **HMAC-SHA1(Key Sizes Ranges Tested:** KSBS) SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#3061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3061)<p>Version 10.0.15063|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2946](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2946)<p>Version 7.00.2872|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2945](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2945)<p>Version 8.00.6246|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2943](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2943)<p>Version 7.00.2872|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested:** KSBS) SHS [validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<p> **HMAC-SHA256 (Key Size Ranges Tested:** KSBS) SHS [validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<p> **HMAC-SHA384 (Key Size Ranges Tested:** KSBS) SHS [validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<p> **HMAC-SHA512 (Key Size Ranges Tested:** KSBS) SHS[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2942](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2942)<p>Version 8.00.6246|
-|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<p>SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS) SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS) SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#2661](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2661)<p>Version 10.0.14393|
-|<p> **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p> **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p> **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p> **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)<p>Version 10.0.14393|
-|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations [#2381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2381)<p>Version 10.0.10586|
-|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS[validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>[ SHSvalidation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2233](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2233)<p>Version 10.0.10240|
-|<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)<p>Version 6.3.9600|
-|<p> **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number 2764](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2764)<p> **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number 2764](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2764)<p> **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number 2764](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2764)<p> **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number 2764](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2764)|Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) [#2122](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2122)<p>Version 5.2.29344|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1347)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS**[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS**[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS**[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS**[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #[1346](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1346)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)**<br>**SHS**[#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #[1345](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1345)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)<br>**Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll), [#1364](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1364)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774)|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1227)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)|Windows Server 2008 R2 and SP1 CNG algorithms [#686](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#686)<p>Windows 7 and SP1 CNG algorithms [#677](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#677)<p>Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) [#687](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#687)<p>Windows 7 Enhanced Cryptographic Provider (RSAENH) [#673](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#673)|
-|<p> **HMAC-SHA1(Key Sizes Ranges Tested: KS**[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#675)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816)|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#452](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#452)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)|Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations [#415](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#415)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS)** SHS [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)|Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) [#408](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#408)<p>Windows Vista Enhanced Cryptographic Provider (RSAENH) [#407](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#407)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHS** [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)|Windows Vista Enhanced Cryptographic Provider (RSAENH) [#297](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#297)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 785](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#785)|Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#429)<p>Windows XP, vendor-affirmed|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#428](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#428)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613)|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#289](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#289)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 610](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#610)|Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#287](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#287)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)|Windows Server 2008 CNG algorithms [#413](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#413)<p>Windows Vista Ultimate SP1 CNG algorithms [#412](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#412)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[validation number 737](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#737)<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 737](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#737)|Windows Vista Ultimate BitLocker Drive Encryption [#386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#386)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 618](http://csrc.nist.gov/groups/stm/cavp/documents/shs/shaval.htm#618)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)|Windows Vista CNG algorithms [#298](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#298)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHS** [validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589)|Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#267](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#267)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578)|Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) [#260](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#260)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[validation number 495](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#495)<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[validation number 495](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#495)|Windows Vista BitLocker Drive Encryption [#199](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#199)|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 364](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#364)|Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#99](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#99)<p>Windows XP, vendor-affirmed|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305)<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305)<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305)<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305)|Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#31](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#31)|
-
-
-
-#### Key Agreement Scheme (KAS)
-
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|KAS ECC: <br>Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration<p>Schemes:<br><p>Full Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<br>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), ECDSA [#1253](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1253), DRBG [#1734](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1734)|Microsoft Surface Hub Virtual TPM Implementations [#150](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#150)<p>Version 10.0.15063.674|
-|KAS ECC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration<p>Schemes:<br><p>Full Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<br>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), ECDSA [#1252](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1252), DRBG [#1733](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#149](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#149)<p>Version 10.0.16299|
-|KAS ECC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration<p>Schemes:<p>Ephemeral Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>One-Pass DH:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>Static Unified:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<p><li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<br>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), ECDSA [#1250](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1250), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)<p>KAS FFC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation<p>Schemes:<p>dhEphem:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhOneFlow:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC<li>SHA: SHA-256<li>MAC: HMAC<p>dhStatic:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<br>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DSA [#1303](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1303), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#148](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#148)<p>Version 10.0.15063.674|
-|KAS ECC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration<p>Schemes:<p>Ephemeral Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMA<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>One-Pass DH:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>Static Unified:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<br>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), ECDSA [#1249](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1249), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)<p>KAS FFC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation<p>Schemes:<p>dhEphem:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhOneFlow:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC<li>SHA: SHA-256<li>MAC: HMAC<p>dhStatic:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<br>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), DSA [#1302](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1302), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#147](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#147)<p>Version 10.0.15254|
-|KAS ECC:<p><br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration<p>Schemes:<p>Ephemeral Unified:<li>Key Agreement Roles: Initiator, Responder<li>KDFs: Concatenation<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>One-Pass DH:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<p>Static Unified:<p><li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>EC:<li>Curve: P-256<li>SHA: SHA-256<li>MAC: HMAC<p>ED:<li>Curve: P-384<li>SHA: SHA-384<li>MAC: HMAC<p>EE:<li>Curve: P-521<li>SHA: SHA-512<li>MAC: HMAC<br>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), ECDSA [#1246](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1246), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)<p>KAS FFC:<br>Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation<p>Schemes:<p>dhEphem:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhOneFlow:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<p>dhStatic:<li>Key Agreement Roles: Initiator, Responder<li>Parameter Sets:<p>FB:<li>SHA: SHA-256<li>MAC: HMAC<p>FC:<li>SHA: SHA-256<li>MAC: HMAC<br>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DSA [#1301](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1301), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#146](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#146)<p>Version 10.0.16299|
-|**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) **SCHEMES** [**FullUnified** (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC)]<P>SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<P>DSA [validation number 1135](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1135)<p>DRBG [validation number 1556](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1556)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#128](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#128)<p>Version 10.0.15063|
-|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES** [**dhEphem** (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[**dhOneFlow** (**FB:** SHA256) (**FC:** SHA256)]<p>[**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:** SHA256 HMAC) (**FC:** SHA256   HMAC)]<P>SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<P>DSA [validation number 1223](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1223)<p>DRBG [validation number 1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) **SCHEMES** [**EphemeralUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<P>ECDSA [validation number 1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1133)DRBG [validation number 1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#127](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#127)<p>Version 10.0.15063|
-|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES** [**dhEphem** (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[**dhOneFlow** (KARole(s): Initiator / Responder) (**FB:** SHA256) (**FC:** SHA256)] [**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:** SHA256 HMAC) (**FC:** SHA256   HMAC)]<P>SHS [validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<P>DSA [validation number 1188](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1188)<p>DRBG [validation number 1430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1430)<p>**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration)<p>**SCHEMES** [**EphemeralUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#115](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#115)<p>Version 7.00.2872|
-|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES** [**dhEphem** (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[**dhHybridOneFlow** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:**SHA256 HMAC) (**FC:** SHA256   HMAC)]<p>[**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FB:**SHA256 HMAC) (**FC:** SHA256   HMAC)]<P>SHS [validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<P>DSA [validation number 1187](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1187)<p>DRBG [validation number 1429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1429)<p>**ECC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration)<p>**SCHEMES** [**EphemeralUnified** (**No_KC**) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC:** P-256   SHA256   HMAC) (**ED:** P-384   SHA384   HMAC) (**EE:** P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<P>ECDSA [validation number 1072](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1072)<p>DRBG [validation number 1429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1429)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#114](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#114)<p>Version 8.00.6246|
-|**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)<p>**SCHEMES  [FullUnified  (No_KC**  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt;) (**EC:**  P-256   SHA256   HMAC) (**ED:**  P-384   SHA384   HMAC)]<P>SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347) ECDSA [validation number 920](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#920) DRBG [validation number 1222](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1222)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#93](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#93)<p>Version 10.0.14393|
-|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)<p>**SCHEMES**  [dhEphem  (KARole(s): Initiator / Responder)(**FB:** SHA256) (**FC:** SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (**FB:**  SHA256) (**FC:**  SHA256)] [**dhStatic (No_KC**  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347) DSA [validation number 1098](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1098) DRBG [validation number 1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) **SCHEMES**  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347) DSA [validation number 1098](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1098) ECDSA [validation number 911](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#911) DRBG [validation number 1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217) HMAC [validation number 2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#92](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#92)<p>Version 10.0.14393|
-|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047) DSA [validation number 1024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1024) DRBG [validation number 955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047) ECDSA [validation number 760](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#760) DRBG [validation number 955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations [#72](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#72)<p>Version 10.0.10586|
-|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886) DSA [validation number 983](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#983) DRBG [validation number 868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886) ECDSA [validation number 706](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#706) DRBG [validation number 868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#64](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#64)<p>Version 10.0.10240|
-|**FFC:** (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)(FB: SHA256) (FC: SHA256)]<p>[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]<P>SHS [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373) DSA [validation number 855](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#855) DRBG [validation number 489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)<p>**ECC:**  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<p>[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]<P>SHS [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373) ECDSA [validation number 505](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#505) DRBG [validation number 489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations [#47](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#47)<p>Version 6.3.9600|
-|**FFC**: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [**dhEphem** (KARole(s): Initiator / Responder)<p>(**FA**: SHA256) (**FB**: SHA256) (**FC**: SHA256)]<p>[**dhOneFlow** (KARole(s): Initiator / Responder) (**FA**: SHA256) (**FB**: SHA256) (**FC**: SHA256)]<p>[**dhStatic** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**FA**: SHA256 HMAC) (**FB**: SHA256 HMAC) (**FC**: SHA256 HMAC)]<P>SHS [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903) DSA [validation number 687](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#687) DRBG [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<p>**ECC**: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) **SCHEMES**<p>[**EphemeralUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (**ED**: P-384 SHA384 HMAC) (**EE**: P-521 HMAC (SHA512, HMAC_SHA512)))]<p>[**OnePassDH(No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC**: P-256 SHA256) (**ED**: P-384 SHA384) (**EE**: P-521 (SHA512, HMAC_SHA512)))]<p>[**StaticUnified** (**No_KC** &lt; KARole(s): Initiator / Responder&gt;) (**EC**: P-256 SHA256 HMAC) (**ED**: P-384 SHA384 HMAC) (**EE**: P-521 HMAC (SHA512, HMAC_SHA512))]<P>SHS [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903) <P>ECDSA [validation number 341](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#341) DRBG [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#36](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#36)|
-|**KAS (SP 800–56A)**<li>Key Agreement: Key establishment methodology provides 80 bits to 256 bits of encryption strength|Windows 7 and SP1, vendor-affirmed<p>Windows Server 2008 R2 and SP1, vendor-affirmed|
-
-SP 800-108 Key-Based Key Derivation Functions (KBKDF)
-
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|Counter:<p>MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384<p>MAC prerequisite: HMAC [#3271](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3271)<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: DRBG [#1734](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1734), KAS [#150](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#150)|Microsoft Surface Hub Virtual TPM Implementations [#161](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#161)<p>Version 10.0.15063.674|
-|Counter:<p>MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384<p>MAC prerequisite: HMAC [#3270](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3270)<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: DRBG [#1733](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733), KAS [#149](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#149)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#160](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#160)<p>Version 10.0.16299|
-|Counter:<p>MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512<p>MAC prerequisite: AES [#4902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4902), HMAC [#3269](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3269)<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: KAS [#148](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#148)|Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations [#159](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#159)<p>Version 10.0.15063.674|
-|Counter:<p>MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512<p>MAC prerequisite: AES [#4901](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4901), HMAC [#3268](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3268)<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: KAS [#147](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#147)|Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations [#158](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#158)<p>Version 10.0.15254|
-|Counter:<p>MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512<p>MAC prerequisite: AES [#4897](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4897), HMAC [#3267](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3267)<p><li>Counter Location: Before Fixed Data<li>R Length: 32 (bits)<li>SPs used to generate K: SP 800-56A, SP 800-90A<p>K prerequisite: KAS [#146](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#146)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations [#157](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#157)<p>Version 10.0.16299|
-|**CTR_Mode:** (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256][HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 128](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#128)<p>DRBG [validation number 1556](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1556)<p>MAC [validation number 3062](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3062)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#141](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#141)<p>Version 10.0.15063|
-|**CTR_Mode:** (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 127](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#127)<p>AES [validation number 4624](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4624)<p>DRBG [validation number 1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)<p>MAC [validation number 3061](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3061)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations [#140](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#140)<p>Version 10.0.15063|
-|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 93](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#93) DRBG [validation number 1222](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1222) MAC [validation number 2661](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2661)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#102](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#102)<p>Version 10.0.14393|
-|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 92](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#92) AES [validation number 4064](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4064) DRBG [validation number 1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217) MAC [validation number 2651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2651)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#101](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#101)<p>Version 10.0.14393|
-|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 72](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#72) AES [validation number 3629](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3629) DRBG [validation number 955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955) MAC [validation number 2381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2381)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations [#72](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#72)<p>Version 10.0.10586|
-|**CTR_Mode:**  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>KAS [validation number 64](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#64) AES [validation number 3497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#3497) RBG [validation number 868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868) MAC [validation number 2233](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2233)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#66](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#66)<p>Version 10.0.10240|
-|**CTR_Mode:**  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>DRBG [validation number 489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489) MAC [validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1773)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations [#30](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#30)<p>Version 6.3.9600|
-|**CTR_Mode**: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))<p>DRBG [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258) HMAC [validation number 1345](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#1345)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#3](http://csrc.nist.gov/groups/stm/cavp/documents/kbkdf800-108/kbkdfval.htm#3)|
-
-Random Number Generator (RNG)
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|**FIPS 186-2 General Purpose**<br>**[(x-Original); (SHA-1)]**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #[1110](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#1110)|
-|**FIPS 186-2<br>[(x-Original); (SHA-1)]**|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1060](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#1060)<p>Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#292](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#292)<p>Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) [#286](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#286)<p>Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#66](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#66)|
-|**FIPS 186-2<br>[(x-Change Notice); (SHA-1)]**; **FIPS 186-2 General Purpose<br>[(x-Change Notice); (SHA-1)]**|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library [#649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#649)<p>Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation [#435](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#435)<p>Windows Vista RNG implementation [#321](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#321)|
-|**FIPS 186-2 General Purpose<br>[(x-Change Notice); (SHA-1)]**|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#470](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#470)<p>Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#449](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#449)<p>Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#447](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#447)<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#316](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#316)<p>Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#313](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#313)|
-|**FIPS 186-2<br>[(x-Change Notice); (SHA-1)]**|Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#448](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#448)<p>Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#314](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#314)|
-
-#### RSA
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|RSA:<p>186-4:<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: SHA-1, <li>SHA-256, <li>SHA-384<p>Mod 2048 SHA: SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Verification PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1734](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1734)|Microsoft Surface Hub Virtual TPM Implementations [#2677](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2677)<p>Version 10.0.15063.674|
-|RSA:<p>186-4:<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 240 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384<br><p>Signature Verification PSS:<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1733](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (<p>Version 1709); Virtual TPM Implementations [#2676](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2676)<p>Version 10.0.16299|
-|RSA:<p>186-4:<p>Key Generation:<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256<li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub RSA32 Algorithm Implementations [#2675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2675)<p>Version 10.0.15063.674|
-|RSA:<p>186-4:<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384,<li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations [#2674](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2674)<p>Version 10.0.16299|
-|RSA:<p>186-4:<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations [#2673](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2673)<p>Version 10.0.15254|
-|RSA:<p>186-4:<p>Key Generation:<li>Public Key Exponent: Fixed (10001)<li>Provable Primes with Conditions:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.3<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub MsBignum Cryptographic Implementations [#2672](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2672)<p>Version 10.0.15063.674|
-|RSA:<p>186-4:<p>Key Generation:<p>Probable Random Primes:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C 2<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#2671](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2671)<p>Version 10.0.15063.674|
-|RSA:<p>186-4:<p>Key Generation:<p>Probable Random Primes:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.2<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#2670](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2670)<p>Version 10.0.15254|
-|RSA:<p>186-4:<p>Key Generation:<p>Public Key Exponent: Fixed (10001)<p>Provable Primes with Conditions:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.3<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#2669](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2669)<p>Version 10.0.15254|
-|<p>186-4:<p>Key Generation:<p>Public Key Exponent: Fixed (10001)<p>Provable Primes with Conditions:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.3<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1,<li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#2668](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2668)<p><p>Version 10.0.16299|
-|<p>186-4:<p>Key Generation<p>Probable Random Primes:<p>Mod lengths: 2048, 3072 (bits)<p>Primality Tests: C.2<br><p>Signature Generation PKCS1.5:<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-51<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Generation PSS:<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<br><p>Signature Verification PKCS1.5:<p>Mod 1024 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 2048 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<p>Mod 3072 SHA: <li>SHA-1, <li>SHA-256, <li>SHA-384, <li>SHA-512<br><p>Signature Verification PSS:<p>Mod 1024:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 496 (bits)<p>Mod 2048:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Mod 3072:<li>SHA-1: Salt Length: 160 (bits)<li>SHA-256: Salt Length: 256 (bits)<li>SHA-384: Salt Length: 384 (bits)<li>SHA-512: Salt Length: 512 (bits)<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#2667](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2667)<p>Version 10.0.16299|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))<p>SHA [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#2524](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2524)<p>Version 10.0.15063|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations [#2523](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2523)<p>Version 10.0.15063|
-|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);<p>**PGM(ProbPrimeCondition):** 2048, 3072 **PPTT:**(C.3)**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))**SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64<p>SHA [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>DRBG: [validation number  1555](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1555)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#2522](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2522)<p>Version 10.0.15063|
-|<p>**FIPS186-4:<p>186-4KEY(gen):**PGM(ProbRandom:** (2048, 3072) **PPTT:**(C.2)**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number 3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#2521](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2521)<p>Version 10.0.15063|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)**<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652), <li>SHA-384[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652), <li>SHA-512[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652), SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652), <li>SHA-256[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652), <li>SHA-384[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652), <li>SHA-512[validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)<p>**FIPS186-4:<br>ALG[ANSIX9.31]** Sig(Gen): (2048 SHA(1)) (3072 SHA(1))**SIG(gen) with SHA-1 affirmed for use with protocols only.**SIG(ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2415](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2415)<p>Version 7.00.2872|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)**<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651), <li>SHA-384[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651), <li>SHA-512[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651), <li>SHA-256[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651), <li>SHA-384[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651), <li>SHA-512[validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)<p>**FIPS186-4:<br>ALG[ANSIX9.31]** Sig(Gen): (2048 SHA(1)) (3072 SHA(1))**SIG(gen) with SHA-1 affirmed for use with protocols only.** SIG(ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2414](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2414)<p>Version 8.00.6246|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649), <li>SHA-384[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649), <li>SHA-512[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649), <li>SHA-256[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649), <li>SHA-384[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649), <li>SHA-512[validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);<p>**PGM(ProbRandom:** (2048, 3072) **PPTT:**(C.2)<br>**ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number  3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<p>DRBG: [validation number  1430](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1430)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2412](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2412)<p>Version 7.00.2872|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 4096, SHS: <li>SHA-256[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648), <li>SHA-384[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648), <li>SHA-512[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648), SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648), <li>SHA-256[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648), <li>SHA-384[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648), <li>SHA-512[validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);<p>**PGM(ProbRandom:** (2048, 3072) **PPTT:**(C.2)**<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) **SIG(gen) with SHA-1 affirmed for use with protocols only.<p>**SIG(ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<p>DRBG: [validation number  1429](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1429)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2411](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2411)<p>Version 8.00.6246|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))<p>SHA [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#2206](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2206)<p>Version 10.0.14393|
-|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001<p>**PGM(ProbPrimeCondition):** 2048, 3072 PPTT:(C.3)<p>SHA [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347) DRBG: [validation number  1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation [#2195](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2195)<p>Version 10.0.14393|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3346](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3346)|soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#2194](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2194)<p>Version 10.0.14393|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))<p>**SIG(Ver)** (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347) DRBG: [validation number  1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#2193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2193)<p>Version 10.0.14393|
-|<p>**FIPS186-4:<br>[RSASSA-PSS]: Sig(Gen):** (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))<p>**Sig(Ver):** (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number  3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347) DRBG: [validation number  1217](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1217)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#2192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2192)<p>Version 10.0.14393|
-|<p>**FIPS186-4:<p>186-4KEY(gen)**:  FIPS186-4_Fixed_e (10001);<p>**PGM(ProbPrimeCondition**): 2048, 3072 PPTT:(C.3)<p>SHA [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047) DRBG: [validation number  955](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#955)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation [#1889](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1889)<p>Version 10.0.10586|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 3048](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3048)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations [#1871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1871)<p>Version 10.0.10586|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))<p>**SIG(Ver)** (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations [#1888](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1888)<p>Version 10.0.10586|
-|<p>**FIPS186-4:<br>[RSASSA-PSS]: Sig(Gen)**: (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>**Sig(Ver):** (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number  3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations [#1887](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1887)<p>Version 10.0.10586|
-|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e (10001);PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)<p>SHA [validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886) DRBG: [validation number  868](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#868)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation [#1798](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1798)<p>Version 10.0.10240|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#1784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1784)<p>Version 10.0.10240|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#1783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1783)<p>Version 10.0.10240|
-|<p>**FIPS186-4:<br>[RSASSA-PSS]:** Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))), Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number  2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#1802](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1802)<p>Version 10.0.10240|
-|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e;<p>**PGM(ProbPrimeCondition):** 2048, 3072 PPTT:(C.3)<p>SHA [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373) DRBG: [validation number  489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation [#1487](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1487)<p>Version 6.3.9600|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#1494](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1494)<p>Version 6.3.9600|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512)), SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))<p>SHA [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#1493](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1493)<p>Version 6.3.9600|
-|<p>**FIPS186-4:<br>[RSASSA-PSS]:** Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))), Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))<p>SHA [validation number 2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations [#1519](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1519)<p>Version 6.3.9600|
-|<p>**FIPS186-4:<br>ALG[RSASSA-PKCS1_V1_5]** SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256)), SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))<p>**[RSASSA-PSS]:**  Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512)), Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512)), SHA [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 1134](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#1134).|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#1134](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1134)|
-|<p>**FIPS186-4:<p>186-4KEY(gen):** FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value<p>**PGM(ProbPrimeCondition):** 2048, 3072 **PPTT:**(C.3)<p>SHA [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903) DRBG: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation [#1133](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1133)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#258)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902), <li>SHA-384[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902), <li>SHA-512[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902),, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902), <li>SHA-256[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902), SHA-[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902), <li>SHA-512[#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 1132](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#1132).|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) [#1132](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1132)|
-|<p>**FIPS186-2:ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774), <li>SHA-384[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774), <li>SHA-512[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774),SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774), <li>SHA-256[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774), <li>SHA-384[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774), <li>SHA-512[validation number 1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 1052](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#1052).|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1052](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1052)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: [validation number  193](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#193)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773), <li>SHA-384[validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773), <li>SHA-512[validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773),SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773), <li>SHA-256[validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773), <li>SHA-384[validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773), <li>SHA-512[validation number 1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 1051](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#1051).|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1051](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#1051)|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081),SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 568](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#568).|Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) [#568](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#568)|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081),<br>**ALG[RSASSA-PSS]:** SIG(gen); 2048, 3072, 4096, SHS: <li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 567](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#567). See [Historical RSA List validation number 560](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#560).|Windows Server 2008 R2 and SP1 CNG algorithms [#567](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#567)<p>Windows 7 and SP1 CNG algorithms [#560](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#560)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: [validation number  23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#23)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 559](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#559).|Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation [#559](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#559)|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS:<li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-256[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-384[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081), <li>SHA-512[validation number 1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 557](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#557).|Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) [#557](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#557)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816), <li>SHA-384[validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816), <li>SHA-512[validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816),SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816), <li>SHA-256[validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816), <li>SHA-384[validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816), <li>SHA-512[validation number 816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 395](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#395).|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#395](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#395)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)**<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783), <li>SHA-384[validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783), <li>SHA-512[validation number 783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 371](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#371).|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#371](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#371)|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-384[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-512[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-256[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-384[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-512[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753),<br>**ALG[RSASSA-PSS]:** SIG(gen); 2048, 3072, 4096, SHS: <li>SHA-256[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-384[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-512[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-256[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-384[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-512[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 358](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#358). See [Historical RSA List validation number 357](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#357).|Windows Server 2008 CNG algorithms [#358](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#358)<p>Windows Vista SP1 CNG algorithms [#357](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#357)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-384[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-512[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-256[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-384[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753), <li>SHA-512[validation number 753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 355](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#355). See [Historical RSA List validation number 354](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#354).|Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) [#355](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#355)<p>Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) [#354](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#354)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 353](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#353).|Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation [#353](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#353)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: [validation number  321](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rng#321)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 258](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#258).|Windows Vista RSA key generation implementation [#258](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#258)|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-384[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-512[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618),SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-256[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-384[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-512[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618),<br>**ALG[RSASSA-PSS]:** SIG(gen); 2048, 3072, 4096, SHS: <li>SHA-256[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-384[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-512[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-256[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-384[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-512[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 257](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#257).|Windows Vista CNG algorithms [#257](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#257)|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-384[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-512[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618),, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-256[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-384[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618), <li>SHA-512[validation number 618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 255](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#255).|Windows Vista Enhanced Cryptographic Provider (RSAENH) [#255](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#255)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613), <li>SHA-384[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613), <li>SHA-512[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613), SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613), <li>SHA-256[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613), <li>SHA-384[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613), <li>SHA-512[validation number 613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 245](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#245).|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#245](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#245)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589), <li>SHA-384[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589), <li>SHA-512[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589),, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589), <li>SHA-256[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589), <li>SHA-384[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589), <li>SHA-512[validation number 589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 230](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#230).|Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#230](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#230)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578), <li>SHA-384[validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578), <li>SHA-512[validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578),, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578), <li>SHA-256[validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578), <li>SHA-384[validation number 578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578), <li>SHA-512[validation number 578](http://csrc.nist.gov/groups/stm/cavp/documents/shs/shaval.htm#578),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 222](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#222).|Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) [#222](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#222)|
-|<p>**FIPS186-2:<br>ALG[RSASSA-PKCS1_V1_5]:**<p>SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 364](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#364)<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 81](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#81).|Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#81)|
-|<p>**FIPS186-2:<br>ALG[ANSIX9.31]:** SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 305](http://csrc.nist.gov/groups/stm/cavp/documents/shs/shaval.htm#305)<br>**ALG[RSASSA-PKCS1_V1_5]:** SIG(gen) 2048, 3072, 4096, SHS: <li>SHA-256[validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305), <li>SHA-384[validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305), <li>SHA-512[validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305),, SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1[validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305), <li>SHA-256[validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305), <li>SHA-384[validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305), <li>SHA-512[validation number 305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305),<p>Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See [Historical RSA List validation number 52](http://csrc.nist.gov/groups/stm/cavp/documents/dss/rsahistoricalval.html#52).|Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#52](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#52)|
-|<p>**FIPS186-2:**: <li>PKCS#1 v1.5, Signature generation, and verification<li>Mod sizes: 1024, 1536, 2048, 3072, 4096<li>SHS: SHA–1/256/384/512|Windows XP, vendor-affirmed<p>Windows 2000, vendor-affirmed|
-
-#### Secure Hash Standard (SHS)
-
-|Modes / States / Key Sizes|Algorithm Implementation and Certificate #|
-|--- |--- |
-|<p>SHA-1:<br>Supports Empty Message<p>SHA-256:<br>Supports Empty Message<p>SHA-384:<br>Supports Empty Message<p>SHA-512:<br>Supports Empty Message|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011)<p>Version 10.0.15063.674|
-|<p>SHA-1:<br>Supports Empty Message<p>SHA-256:<br>Supports Empty Message<p>SHA-384:<br>Supports Empty Message<p>SHA-512:<br>Supports Empty Message|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010)<p>Version 10.0.15254|
-|<p>SHA-1:<br>Supports Empty Message<p>SHA-256:<br>Supports Empty Message<p>SHA-384:<br>Supports Empty Message<p>SHA-512:<br>Supports Empty Message|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009)<p>Version 10.0.16299|
-|<li>**SHA-1**      (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#3790](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3790)<p>Version 10.0.15063|
-|<li>**SHA-1**      (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#3652](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3652)<p>Version 7.00.2872|
-|<li>**SHA-1**      (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#3651](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3651)<p>Version 8.00.6246|
-|<li>**SHA-1**      (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#3649](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3649)<p>Version 7.00.2872|
-|<li>**SHA-1**      (BYTE-only)<li>**SHA-256**  (BYTE-only)<li>**SHA-384**  (BYTE-only)<li>**SHA-512**  (BYTE-only)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#3648](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3648)<p>Version 8.00.6246|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#3347](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3347)<p>Version 10.0.14393|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#3346](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3346)<p>Version 10.0.14393|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations [#3048](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3048)<p>Version 10.0.10586|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations [#3047](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#3047)<p>Version 10.0.10586|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2886)<p>Version 10.0.10240|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#2871](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2871)<p>Version 10.0.10240|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2396](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2396)<p>Version 6.3.9600|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#2373](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#2373)<p>Version 6.3.9600|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)<p>Implementation does not support zero-length (null) messages.|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#1903](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1903)<p>Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#1902](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1902)|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1774](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1774)<p>Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#1773](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1773)|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#1081](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#1081)<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#816](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#816.)|
-|<li>**SHA-1** (BYTE-only)|Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#785](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#785)<p>Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#784](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#784)|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#783](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#783)|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation [#753](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#753)<p>Windows Vista Symmetric Algorithm Implementation [#618](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#618)|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)|Windows Vista BitLocker Drive Encryption [#737](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#737)<p>Windows Vista Beta 2 BitLocker Drive Encryption [#495](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#495)|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#613](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#613)<p>Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#364](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#364)|
-|<li>**SHA-1** (BYTE-only)|Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#611](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#611)<p>Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#610](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#610)<p>Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#385](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#385)<p>Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) [#371](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#371)<p>Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#181](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#181)<p>Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) [#177](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#177)<p>Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) [#176](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#176)|
-|<li>**SHA-1** (BYTE-only)<li>**SHA-256** (BYTE-only)<li>**SHA-384** (BYTE-only)<li>**SHA-512** (BYTE-only)|Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#589](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#589)<p>Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) [#578](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#578)<p>Windows CE 5.00 and Windows CE 5.01 Enhanced<p>Cryptographic Provider (RSAENH) [#305](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#305)|
-|<li>**SHA-1** (BYTE-only)|Windows XP Microsoft Enhanced Cryptographic Provider [#83](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#83)<p>Crypto Driver for Windows 2000 (fips.sys) [#35](http://csrc.nist.gov/groups/stm/cavp/documents/shs/shaval.htmlhttp:/csrc.nist.gov/groups/stm/cavp/documents/shs/shaval.html#35)<p>Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) [#32](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#32)<p>Windows 2000 RSAENH.DLL [#24](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#24)<p>Windows 2000 RSABASE.DLL [#23](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#23)<p>Windows NT 4 SP6 RSAENH.DLL [#21](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#21)<p>Windows NT 4 SP6 RSABASE.DLL [#20](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#20)|
-
-
-#### Triple DES
-
-
-|**Modes / States / Key Sizes**|**Algorithm Implementation and Certificate #**|
-|--- |--- |
-|<p>TDES-CBC:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB64:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB8:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-ECB:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#2558](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2558)<p>Version 10.0.15063.674|
-|<p>TDES-CBC:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB64:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB8:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-ECB:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#2557](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2557)<p>Version 10.0.15254|
-|<p>TDES-CBC:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB64:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-CFB8:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1<p>TDES-ECB:<li>Modes: Decrypt, Encrypt<li>Keying Option: 1|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#2556](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2556)<p>Version 10.0.16299|
-|**TECB**(KO 1 e/d); **TCBC**(KO 1 e/d); **TCFB8**(KO 1 e/d); **TCFB64**(KO 1 e/d)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#2459](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2459)<p>Version 10.0.15063|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2384](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2384)<p>Version 8.00.6246|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d)|Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) [#2383](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2383)<p>Version 8.00.6246|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**CTR** (int only)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2382](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2382)<p>Version 7.00.2872|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d)|Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#2381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2381)<p>Version 8.00.6246|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#2227](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2227)<p>Version 10.0.14393|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations [#2024](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2024)<p>Version 10.0.10586|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#1969](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1969)<p>Version 10.0.10240|
-|**TECB**(KO 1 e/d);**TCBC**(KO 1 e/d);**TCFB8**(KO 1 e/d);**TCFB64**(KO 1 e/d)|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1692](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1692)<p>Version 6.3.9600|
-|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2);**TCFB64**(e/d; KO 1, 2)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#1387](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1387)|
-|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386)|
-|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846)|
-|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation [#656](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#656)|
-|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2);**TCFB8**(e/d; KO 1, 2)|Windows Vista Symmetric Algorithm Implementation [#549](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#549)|
-|**Triple DES MAC**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 [#1386](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1386), vendor-affirmedWindows 7 and SP1 and Windows Server 2008 R2 and SP1 [#846](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#846), vendor-affirmed|
-|**TECB**(e/d; KO 1, 2);**TCBC**(e/d; KO 1, 2)|Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) [#1308](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1308)Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) [#1307](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#1307)<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#691](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#691)<p>Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) [#677](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#677)<p>Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#676](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#676)<p>Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) [#675](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#675)<p>Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) [#544](http://csrc.nist.gov/groups/stm/cavp/documents/des/tripledesval.html#544)<p>Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider [#543](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#543)<p>Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) [#542](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#542)Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) [#526](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#526)<p>Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) [#517](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#517)<p>Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#381](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#381)<p>Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) [#370](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#370)<p>Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) [#365](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#365)Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) [#315](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#315)<p>Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) [#201](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#201)<p>Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) [#199](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#199)<p>Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) [#192](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#192)Windows XP Microsoft Enhanced Cryptographic Provider [#81](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#81)<p>Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) [#18](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#18)Crypto Driver for Windows 2000 (fips.sys) [#16](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#16)|
-
-#### SP 800-132 Password-Based Key Derivation Function (PBKDF)
-
-| Modes / States / Key Sizes | Algorithm Implementation and Certificate # |
-| --- | --- |
-| PBKDF (vendor affirmed) |  Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2937](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2937)<br/>(Software Version: 10.0.14393)<br/><br/>Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2936](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2936)<br/>(Software Version: 10.0.14393)<br/><br/>Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2935](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2935)<br/>(Software Version: 10.0.14393) |
-| PBKDF (vendor affirmed) | Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 [#2936](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2936)<br/>(Software Version: 10.0.14393)<br/><br/>Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed |
-
-#### Component Validation List
-
-
-|**Publication / Component Validated / Description**|**Implementation and Certificate #**|
-|--- |--- |
-|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#489](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#489)|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#1540](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1540)<p>Version 6.3.9600|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Microsoft Surface Hub Virtual TPM Implementations [#1519](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1519)<p>Version 10.0.15063.674|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations [#1518](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1518)<p>Version 10.0.16299|
-|RSADP:<p>Modulus Size: 2048 (bits)|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1517](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1517)<p>Version 10.0.15063.674|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1516](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1516)<p>Version 10.0.15063.674|
-|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub MsBignum Cryptographic Implementations [#1515](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1515)<p>Version 10.0.15063.674|
-|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1732](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1732)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1514](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1514)<p>Version 10.0.15063.674|
-|RSADP:<p>Modulus Size: 2048 (bits)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1513](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1513)<p>Version 10.0.15063.674|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1512](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1512)<p>Version 10.0.15063.674|
-|<p>IKEv1:<li>Methods: Digital Signature, Pre-shared Key, Public Key Encryption<li>Pre-shared Key Length: 64-2048<p>Diffie-Hellman shared secrets:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), HMAC [#3269](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3269)<p>IKEv2:<li>Derived Keying Material length: 192-1792<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), HMAC [#3269](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3269)<p>TLS:<li>Supports TLS 1.0/1.1<li>Supports TLS 1.2:<p>SHA Functions: SHA-256, SHA-384<p>Prerequisite: SHS [#4011](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4011), HMAC [#3269](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3269)|Microsoft Surface Hub SymCrypt Cryptographic Implementations [#1511](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1511)<p>Version 10.0.15063.674|
-|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1510](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1510)<p>Version 10.0.15254|
-|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1509](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1509)<p>Version 10.0.15254|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1508](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1508)<p>Version 10.0.15254|
-|<p>IKEv1:<li>Methods: Digital Signature, Pre-shared Key, Public Key Encryption<li>Pre-shared Key Length: 64-2048<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), HMAC [#3268](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3268)<p>IKEv2:<li>Derived Keying Material length: 192-1792<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), HMAC [#3268](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3268)<p>TLS:<li>Supports TLS 1.0/1.1<li>Supports TLS 1.2:<p>SHA Functions: SHA-256, SHA-384<p>Prerequisite: SHS [#4010](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4010), HMAC [#3268](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3268)|Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations [#1507](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1507)<p>Version 10.0.15254|
-|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1731](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1731)|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1506](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1506)<p>Version 10.0.15254|
-|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1505](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1505)<p>Version 10.0.15254|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations [#1504](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1504)<p>Version 10.0.15254|
-|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1503](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1503)<p>Version 10.0.16299|
-|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1502](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1502)<p>Version 10.0.16299|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations [#1501](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1501)<p>Version 10.0.16299|
-|<p>ECDSA SigGen:<li>P-256 SHA: SHA-256<li>P-384 SHA: SHA-384<li>P-521 SHA: SHA-512<p>Prerequisite: DRBG [#1730](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1499](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1499)<p>Version 10.0.16299|
-|RSADP:<p>Modulus Size: 2048 (bits)|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations [#1498](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1498)<p>Version 10.0.16299|
-|<p>RSASP1:<p>Modulus Size: 2048 (bits)<br>Padding Algorithms: PKCS 1.5|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  [#1497](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1497)<p>Version 10.0.16299|
-|<p>IKEv1:<li>Methods: Digital Signature, Pre-shared Key, Public Key Encryption<li>Pre-shared Key Length: 64-2048<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), HMAC [#3267](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3267)<p>IKEv2:<li>Derived Keying Material length: 192-1792<p>Diffie-Hellman shared secret:<li>Length: 2048 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 256 (bits)<li>SHA Functions: SHA-256<p>Diffie-Hellman shared secret:<li>Length: 384 (bits)<li>SHA Functions: SHA-384<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), HMAC [#3267](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3267)<p>TLS:<li>Supports TLS 1.0/1.1<li>Supports TLS 1.2:<p>SHA Functions: SHA-256, SHA-384<p>Prerequisite: SHS [#4009](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009), HMAC [#3267](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3267)|Windows 10 Home, Pro, Enterprise, Education,Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  [#1496](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1496)<p>Version 10.0.16299|
-|FIPS186-4 ECDSA<p>Signature Generation of hash sized messages<p>ECDSA SigGen Component: CURVES(P-256 P-384 P-521)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1284](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1284)<p>Version 10.0. 15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1279](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1279)<p>Version 10.0. 15063<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#922](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#922)<p>Version 10.0.14393<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#894](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#894)<p>Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations [#666](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#666)<p>Version 10.0.10586<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations [#288](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#288)<p>Version 6.3.9600|
-|FIPS186-4 RSA; PKCS#1 v2.1<p>RSASP1 Signature Primitive<p>RSASP1: (Mod2048: PKCS1.5 PKCSPSS)|Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations [#1285](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1285)<p>Version 10.0.15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1282](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1282)<p>Version 10.0.15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1280](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1280)<p>Version 10.0.15063<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#893](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#893)<p>Version 10.0.14393<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations [#888](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#888)<p>Version 10.0.14393<p>Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations [#665](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#665)<p>Version 10.0.10586<p>Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations [#572](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#572)<p>Version  10.0.10240<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations [#289](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#289)<p>Version 6.3.9600|
-|FIPS186-4 RSA; RSADP<p>RSADP Primitive<p>RSADP: (Mod2048)|Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations [#1283](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1283)<p>Version 10.0.15063<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1281](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1281)<p>Version 10.0.15063<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations [#895](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#895)<p>Version 10.0.14393<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#887](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#887)<p>Version 10.0.14393<p>Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations [#663](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#663)<p>Version 10.0.10586<p>Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations [#576](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#576)<p>Version  10.0.10240|
-|SP800-135<p>Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS|Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  [#1496](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1496)<p>Version 10.0.16299<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations [#1278](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1278)<p>Version 10.0.15063<p>Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1140](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1140)<p>Version 7.00.2872<p>Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) [#1139](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1139)<p>Version 8.00.6246<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp [#886](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#886)<p>Version 10.0.14393<p>Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp [#664](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#664)<p>Version 10.0.10586<p>Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp [#575](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#575)<p>Version  10.0.10240<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp [#323](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#323)<p>Version 6.3.9600|
-
-## Contact
-
-fips@microsoft.com
-
-## References
-
-* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf))
-* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)
-* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
-* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)
+---
+
+<!-- Links -->
+
+[HTTP-1]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program
+
+
+[aes-33]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=33
+[aes-80]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=80
+[aes-224]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=224
+[aes-290]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=290
+[aes-424]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=424
+[aes-507]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=507
+[aes-516]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=516
+[aes-548]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=548
+[aes-553]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=553
+[aes-715]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=715
+[aes-739]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=739
+[aes-756]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=756
+[aes-757]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=757
+[aes-760]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=760
+[aes-781]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=781
+[aes-818]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=818
+[aes-1168]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=1168
+[aes-1177]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=1177
+[aes-1178]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=1178
+[aes-1187]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=1187
+[aes-2023]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2023
+[aes-2024]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2024
+[aes-2196]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2196
+[aes-2197]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2197
+[aes-2198]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2198
+[aes-2216]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2216
+[aes-2832]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2832
+[aes-2848]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2848
+[aes-2853]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=2853
+[aes-3476]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3476
+[aes-3497]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3497
+[aes-3498]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3498
+[aes-3507]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3507
+[aes-3629]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3629
+[aes-3630]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3630
+[aes-3652]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3652
+[aes-3653]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=3653
+[aes-4061]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4061
+[aes-4062]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4062
+[aes-4063]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4063
+[aes-4064]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4064
+[aes-4074]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4074
+[aes-4430]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4430
+[aes-4431]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4431
+[aes-4433]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4433
+[aes-4434]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4434
+[aes-4624]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4624
+[aes-4625]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4625
+[aes-4626]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4626
+[aes-4627]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4627
+[aes-4894]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4894
+[aes-4895]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4895
+[aes-4896]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4896
+[aes-4897]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4897
+[aes-4898]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4898
+[aes-4899]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4899
+[aes-4900]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4900
+[aes-4901]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4901
+[aes-4902]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4902
+[aes-4903]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4903
+[aes-4904]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=aes&number=4904
+
+[component-288]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=288
+[component-289]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=289
+[component-323]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=323
+[component-572]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=572
+[component-575]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=575
+[component-576]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=576
+[component-663]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=663
+[component-664]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=664
+[component-665]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=665
+[component-666]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=666
+[component-886]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=886
+[component-887]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=887
+[component-888]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=888
+[component-893]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=893
+[component-894]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=894
+[component-895]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=895
+[component-922]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=922
+[component-1133]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1133
+[component-1139]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1139
+[component-1140]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1140
+[component-1278]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1278
+[component-1279]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1279
+[component-1280]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1280
+[component-1281]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1281
+[component-1282]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1282
+[component-1283]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1283
+[component-1284]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1284
+[component-1285]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1285
+[component-1496]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1496
+[component-1497]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1497
+[component-1498]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1498
+[component-1499]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1499
+[component-1501]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1501
+[component-1502]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1502
+[component-1503]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1503
+[component-1504]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1504
+[component-1505]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1505
+[component-1506]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1506
+[component-1507]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1507
+[component-1508]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1508
+[component-1509]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1509
+[component-1510]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1510
+[component-1511]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1511
+[component-1512]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1512
+[component-1513]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1513
+[component-1514]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1514
+[component-1515]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1515
+[component-1516]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1516
+[component-1517]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1517
+[component-1518]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1518
+[component-1519]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1519
+[component-1540]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=1540
+[component-2521]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=component&number=2521
+
+[des-91]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=des&number=91
+[des-156]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=des&number=156
+[des-230]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=des&number=230
+
+[drbg-23]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=23
+[drbg-24]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=24
+[drbg-27]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=27
+[drbg-193]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=193
+[drbg-258]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=258
+[drbg-259]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=259
+[drbg-489]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=489
+[drbg-868]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=868
+[drbg-955]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=955
+[drbg-1217]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1217
+[drbg-1222]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1222
+[drbg-1429]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1429
+[drbg-1430]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1430
+[drbg-1432]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1432
+[drbg-1433]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1433
+[drbg-1555]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1555
+[drbg-1556]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1556
+[drbg-1730]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1730
+[drbg-1731]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1731
+[drbg-1732]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1732
+[drbg-1733]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1733
+[drbg-1734]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=drbg&number=1734
+
+[dsa-17]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=17
+[dsa-25]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=25
+[dsa-26]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=26
+[dsa-28]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=28
+[dsa-29]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=29
+[dsa-35]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=35
+[dsa-72]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=72
+[dsa-95]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=95
+[dsa-146]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=146
+[dsa-221]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=221
+[dsa-226]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=226
+[dsa-227]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=227
+[dsa-281]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=281
+[dsa-282]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=282
+[dsa-283]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=283
+[dsa-284]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=284
+[dsa-291]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=291
+[dsa-292]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=292
+[dsa-385]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=385
+[dsa-386]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=386
+[dsa-390]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=390
+[dsa-391]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=391
+[dsa-645]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=645
+[dsa-686]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=686
+[dsa-687]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=687
+[dsa-855]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=855
+[dsa-983]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=983
+[dsa-1024]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1024
+[dsa-1098]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1098
+[dsa-1135]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1135
+[dsa-1187]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1187
+[dsa-1188]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1188
+[dsa-1223]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1223
+[dsa-1301]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1301
+[dsa-1302]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1302
+[dsa-1303]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=dsa&number=1303
+
+[ecdsa-60]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=60
+[ecdsa-82]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=82
+[ecdsa-83]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=83
+[ecdsa-141]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=141
+[ecdsa-142]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=142
+[ecdsa-295]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=295
+[ecdsa-341]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=341
+[ecdsa-505]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=505
+[ecdsa-706]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=706
+[ecdsa-760]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=760
+[ecdsa-911]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=911
+[ecdsa-920]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=920
+[ecdsa-1072]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1072
+[ecdsa-1073]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1073
+[ecdsa-1133]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1133
+[ecdsa-1135]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1135
+[ecdsa-1136]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1136
+[ecdsa-1246]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1246
+[ecdsa-1247]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1247
+[ecdsa-1248]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1248
+[ecdsa-1249]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1249
+[ecdsa-1250]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1250
+[ecdsa-1251]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1251
+[ecdsa-1252]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1252
+[ecdsa-1253]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1253
+[ecdsa-1263]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=ecdsa&number=1263
+
+[hmac-31]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=31
+[hmac-99]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=99
+[hmac-199]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=199
+[hmac-260]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=260
+[hmac-267]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=267
+[hmac-287]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=287
+[hmac-289]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=289
+[hmac-297]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=297
+[hmac-298]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=298
+[hmac-386]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=386
+[hmac-407]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=407
+[hmac-408]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=408
+[hmac-412]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=412
+[hmac-413]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=413
+[hmac-415]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=415
+[hmac-428]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=428
+[hmac-429]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=429
+[hmac-452]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=452
+[hmac-673]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=673
+[hmac-675]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=675
+[hmac-677]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=677
+[hmac-686]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=686
+[hmac-687]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=687
+[hmac-1227]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=1227
+[hmac-1345]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=1345
+[hmac-1346]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=1346
+[hmac-1347]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=1347
+[hmac-1364]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=1364
+[hmac-1773]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=1773
+[hmac-2122]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2122
+[hmac-2233]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2233
+[hmac-2381]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2381
+[hmac-2651]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2651
+[hmac-2661]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2661
+[hmac-2942]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2942
+[hmac-2943]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2943
+[hmac-2945]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2945
+[hmac-2946]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=2946
+[hmac-3061]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=3061
+[hmac-3062]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=3062
+[hmac-3267]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=3267
+[hmac-3268]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=3268
+[hmac-3269]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=3269
+[hmac-3270]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=3270
+[hmac-3271]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=hmac&number=3271
+
+[kas-36]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=36
+[kas-47]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=47
+[kas-64]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=64
+[kas-72]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=72
+[kas-92]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=92
+[kas-93]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=93
+[kas-114]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=114
+[kas-115]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=115
+[kas-127]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=127
+[kas-128]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=128
+[kas-146]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=146
+[kas-147]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=147
+[kas-148]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=148
+[kas-149]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=149
+[kas-150]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kas&number=150
+
+[kdf-3]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=3
+[kdf-30]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=30
+[kdf-66]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=66
+[kdf-72]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=72
+[kdf-101]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=101
+[kdf-102]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=102
+[kdf-140]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=140
+[kdf-141]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=141
+[kdf-157]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=157
+[kdf-158]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=158
+[kdf-159]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=159
+[kdf-160]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=160
+[kdf-161]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=kdf&number=161
+
+[rng-66]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=66
+[rng-286]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=286
+[rng-292]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=292
+[rng-313]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=313
+[rng-314]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=314
+[rng-316]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=316
+[rng-321]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=321
+[rng-435]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=435
+[rng-447]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=447
+[rng-448]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=448
+[rng-449]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=449
+[rng-470]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=470
+[rng-649]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=649
+[rng-1060]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=1060
+[rng-1110]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rng&number=1110
+
+[rsa-52]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=52
+[rsa-81]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=81
+[rsa-222]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=222
+[rsa-230]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=230
+[rsa-245]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=245
+[rsa-255]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=255
+[rsa-257]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=257
+[rsa-258]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=258
+[rsa-353]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=353
+[rsa-354]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=354
+[rsa-355]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=355
+[rsa-357]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=357
+[rsa-358]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=358
+[rsa-371]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=371
+[rsa-395]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=395
+[rsa-557]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=557
+[rsa-559]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=559
+[rsa-560]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=560
+[rsa-567]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=567
+[rsa-568]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=568
+[rsa-1051]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1051
+[rsa-1052]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1052
+[rsa-1132]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1132
+[rsa-1133]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1133
+[rsa-1134]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1134
+[rsa-1487]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1487
+[rsa-1493]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1493
+[rsa-1494]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1494
+[rsa-1519]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1519
+[rsa-1783]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1783
+[rsa-1784]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1784
+[rsa-1798]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1798
+[rsa-1802]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1802
+[rsa-1871]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1871
+[rsa-1887]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1887
+[rsa-1888]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1888
+[rsa-1889]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=1889
+[rsa-2192]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2192
+[rsa-2193]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2193
+[rsa-2194]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2194
+[rsa-2195]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2195
+[rsa-2206]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2206
+[rsa-2411]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2411
+[rsa-2412]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2412
+[rsa-2414]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2414
+[rsa-2415]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2415
+[rsa-2521]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2521
+[rsa-2522]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2522
+[rsa-2523]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2523
+[rsa-2524]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2524
+[rsa-2667]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2667
+[rsa-2668]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2668
+[rsa-2669]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2669
+[rsa-2670]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2670
+[rsa-2671]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2671
+[rsa-2672]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2672
+[rsa-2673]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2673
+[rsa-2674]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2674
+[rsa-2675]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2675
+[rsa-2676]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2676
+[rsa-2677]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=rsa&number=2677
+
+[shs-20]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=20
+[shs-21]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=21
+[shs-23]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=23
+[shs-24]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=24
+[shs-32]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=32
+[shs-35]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=35
+[shs-83]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=83
+[shs-176]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=176
+[shs-177]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=177
+[shs-181]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=181
+[shs-267]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=267
+[shs-305]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=305
+[shs-364]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=364
+[shs-371]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=371
+[shs-385]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=385
+[shs-428]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=428
+[shs-429]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=429
+[shs-495]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=495
+[shs-578]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=578
+[shs-589]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=589
+[shs-610]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=610
+[shs-611]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=611
+[shs-613]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=613
+[shs-618]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=618
+[shs-737]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=737
+[shs-753]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=753
+[shs-783]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=783
+[shs-784]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=784
+[shs-785]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=785
+[shs-816]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=816
+[shs-1081]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=1081
+[shs-1773]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=1773
+[shs-1774]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=1774
+[shs-1902]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=1902
+[shs-1903]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=1903
+[shs-2373]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=2373
+[shs-2396]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=2396
+[shs-2764]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=2764
+[shs-2871]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=2871
+[shs-2886]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=2886
+[shs-3047]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3047
+[shs-3048]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3048
+[shs-3346]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3346
+[shs-3347]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3347
+[shs-3648]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3648
+[shs-3649]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3649
+[shs-3651]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3651
+[shs-3652]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3652
+[shs-3790]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=3790
+[shs-4009]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=4009
+[shs-4010]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=4010
+[shs-4011]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=shs&number=4011
+
+[tdes-16]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=16
+[tdes-18]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=18
+[tdes-81]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=81
+[tdes-192]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=192
+[tdes-199]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=199
+[tdes-201]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=201
+[tdes-315]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=315
+[tdes-365]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=365
+[tdes-370]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=370
+[tdes-381]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=381
+[tdes-517]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=517
+[tdes-526]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=526
+[tdes-542]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=542
+[tdes-543]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=543
+[tdes-544]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=544
+[tdes-549]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=549
+[tdes-656]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=656
+[tdes-675]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=675
+[tdes-676]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=676
+[tdes-677]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=677
+[tdes-691]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=691
+[tdes-846]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=846
+[tdes-1307]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=1307
+[tdes-1308]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=1308
+[tdes-1386]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=1386
+[tdes-1387]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=1387
+[tdes-1692]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=1692
+[tdes-1969]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=1969
+[tdes-2024]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2024
+[tdes-2227]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2227
+[tdes-2381]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2381
+[tdes-2382]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2382
+[tdes-2383]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2383
+[tdes-2384]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2384
+[tdes-2459]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2459
+[tdes-2556]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2556
+[tdes-2557]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2557
+[tdes-2558]: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?source=tdes&number=2558
+
+[certificate-68]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/68
+[certificate-75]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/75
+[certificate-76]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/76
+[certificate-103]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/103
+[certificate-106]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/106
+[certificate-110]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/110
+[certificate-238]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/238
+[certificate-240]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/240
+[certificate-241]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/241
+[certificate-381]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/381
+[certificate-382]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/382
+[certificate-405]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/405
+[certificate-825]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/825
+[certificate-868]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/868
+[certificate-869]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/869
+[certificate-875]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/875
+[certificate-891]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/891
+[certificate-893]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/893
+[certificate-894]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/894
+[certificate-947]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/947
+[certificate-978]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/978
+[certificate-979]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/979
+[certificate-980]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/980
+[certificate-989]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/989
+[certificate-990]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/990
+[certificate-997]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/997
+[certificate-1000]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1000
+[certificate-1001]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1001
+[certificate-1002]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1002
+[certificate-1003]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1003
+[certificate-1004]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1004
+[certificate-1005]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1005
+[certificate-1006]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1006
+[certificate-1007]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1007
+[certificate-1008]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1008
+[certificate-1009]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1009
+[certificate-1010]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1010
+[certificate-1319]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1319
+[certificate-1321]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1321
+[certificate-1326]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1326
+[certificate-1327]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1327
+[certificate-1328]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1328
+[certificate-1329]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1329
+[certificate-1330]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1330
+[certificate-1331]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1331
+[certificate-1332]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1332
+[certificate-1333]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1333
+[certificate-1334]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1334
+[certificate-1335]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1335
+[certificate-1336]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1336
+[certificate-1337]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1337
+[certificate-1338]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1338
+[certificate-1339]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1339
+[certificate-1891]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/1891
+[certificate-2351]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2351
+[certificate-2352]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2352
+[certificate-2353]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2353
+[certificate-2354]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2354
+[certificate-2355]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2355
+[certificate-2356]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2356
+[certificate-2357]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2357
+[certificate-2600]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2600
+[certificate-2601]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2601
+[certificate-2602]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2602
+[certificate-2603]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2603
+[certificate-2604]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2604
+[certificate-2605]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2605
+[certificate-2606]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2606
+[certificate-2607]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2607
+[certificate-2700]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2700
+[certificate-2701]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2701
+[certificate-2702]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2702
+[certificate-2703]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2703
+[certificate-2931]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2931
+[certificate-2932]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2932
+[certificate-2933]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2933
+[certificate-2934]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2934
+[certificate-2935]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2935
+[certificate-2936]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2936
+[certificate-2937]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2937
+[certificate-2938]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2938
+[certificate-2956]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2956
+[certificate-2957]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2957
+[certificate-3089]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3089
+[certificate-3090]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3090
+[certificate-3091]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3091
+[certificate-3092]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3092
+[certificate-3093]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3093
+[certificate-3094]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3094
+[certificate-3095]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3095
+[certificate-3096]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3096
+[certificate-3194]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3194
+[certificate-3195]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3195
+[certificate-3196]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3196
+[certificate-3197]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3197
+[certificate-3480]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3480
+[certificate-3615]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3615
+[certificate-3644]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3644
+[certificate-3651]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3651
+[certificate-3690]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3690
+
+[sp-68]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp68.pdf
+[sp-75]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp75.pdf
+[sp-76]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp76.pdf
+[sp-103]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp103.pdf
+[sp-106]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp106.pdf
+[sp-110]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp110.pdf
+[sp-238]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp238.pdf
+[sp-240]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp240.pdf
+[sp-241]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp241.pdf
+[sp-381]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp381.pdf
+[sp-382]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp382.pdf
+[sp-405]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp405.pdf
+[sp-825]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp825.pdf
+[sp-868]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp868.pdf
+[sp-869]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp869.pdf
+[sp-875]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp875.pdf
+[sp-891]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp891.pdf
+[sp-893]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp893.pdf
+[sp-894]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp894.pdf
+[sp-947]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp947.pdf
+[sp-978]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp978.pdf
+[sp-979]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp979.pdf
+[sp-980]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp980.pdf
+[sp-989]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp989.pdf
+[sp-990]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp990.pdf
+[sp-997]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp997.pdf
+[sp-1000]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1000.pdf
+[sp-1002]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1002.pdf
+[sp-1003]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1003.pdf
+[sp-1004]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1004.pdf
+[sp-1005]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1005.pdf
+[sp-1006]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1006.pdf
+[sp-1007]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1007.pdf
+[sp-1008]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1008.pdf
+[sp-1009]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1009.pdf
+[sp-1010]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1010.pdf
+[sp-1319]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1319.pdf
+[sp-1321]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1321.pdf
+[sp-1326]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1326.pdf
+[sp-1327]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1327.pdf
+[sp-1328]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1328.pdf
+[sp-1329]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1329.pdf
+[sp-1330]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1330.pdf
+[sp-1331]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1331.pdf
+[sp-1332]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1332.pdf
+[sp-1333]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1333.pdf
+[sp-1334]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1334.pdf
+[sp-1335]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1335.pdf
+[sp-1336]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1336.pdf
+[sp-1337]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1337.pdf
+[sp-1338]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1338.pdf
+[sp-1339]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1339.pdf
+[sp-1891]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1891.pdf
+[sp-1892]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1892.pdf
+[sp-1893]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1893.pdf
+[sp-1894]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1894.pdf
+[sp-1895]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1895.pdf
+[sp-1896]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1896.pdf
+[sp-1897]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1897.pdf
+[sp-1898]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1898.pdf
+[sp-1899]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1899.pdf
+[sp-2351]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2351.pdf
+[sp-2352]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2352.pdf
+[sp-2353]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2353.pdf
+[sp-2354]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2354.pdf
+[sp-2355]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2355.pdf
+[sp-2356]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2356.pdf
+[sp-2357]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2357.pdf
+[sp-2600]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2600.pdf
+[sp-2601]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2601.pdf
+[sp-2602]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2602.pdf
+[sp-2603]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2603.pdf
+[sp-2604]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2604.pdf
+[sp-2605]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2605.pdf
+[sp-2607]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2607.pdf
+[sp-2700]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2700.pdf
+[sp-2701]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2701.pdf
+[sp-2702]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2702.pdf
+[sp-2703]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2703.pdf
+[sp-2931]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2931.pdf
+[sp-2932]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2932.pdf
+[sp-2933]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2933.pdf
+[sp-2934]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2934.pdf
+[sp-2935]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2935.pdf
+[sp-2936]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2936.pdf
+[sp-2937]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2937.pdf
+[sp-2938]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2938.pdf
+[sp-2956]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2956.pdf
+[sp-2957]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2957.pdf
+[sp-3089]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3089.pdf
+[sp-3090]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3090.pdf
+[sp-3091]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3091.pdf
+[sp-3092]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3092.pdf
+[sp-3093]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3093.pdf
+[sp-3094]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3094.pdf
+[sp-3095]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3095.pdf
+[sp-3096]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3096.pdf
+[sp-3194]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3194.pdf
+[sp-3195]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3195.pdf
+[sp-3196]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3196.pdf
+[sp-3197]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3197.pdf
+[sp-3480]: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3480.pdf
+[sp-3615]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf
+[sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf
+[sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf
+[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf
\ No newline at end of file
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
index 60f033276b..f3481ad39c 100644
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/get-support-for-security-baselines.md
@@ -1,7 +1,7 @@
 ---
 title: Get support
 description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT).
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.author: dansimp
 author: dulcemontemayor
@@ -10,7 +10,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 06/25/2018
 ms.reviewer: 
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Get Support for Windows baselines
@@ -40,7 +40,7 @@ The toolkit supports formats created by the Windows GPO backup feature (`.pol`,
 
 Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features.
 
-### Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?
+### Does SCT support the creation of Microsoft Configuration Manager DCM packs?
 
 No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement).
 
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 52a5ae4951..92d1fa392e 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -2,14 +2,14 @@
 title: Windows threat protection
 description: Describes the security capabilities in Windows client focused on threat protection
 search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
+ms.prod: windows-client
 ms.author: dansimp
 author: dansimp
 ms.localizationpriority: medium
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Windows threat protection
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 92da921c12..bfb7dc677b 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -1,13 +1,13 @@
 ---
 title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
 description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.author: dansimp
 author: dansimp
 ms.reviewer: 
 manager: aaroncz
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
  
 # What is Microsoft Baseline Security Analyzer and its uses?
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index a00cec360b..c71d2b029e 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -60,7 +60,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
 |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
 |Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
 |Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
+|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
 |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
 |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
 |Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 7118a806da..e9a396f602 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -2,17 +2,17 @@
 metadata:
   title: FAQ - Microsoft Defender Application Guard (Windows 10)
   description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
-  ms.prod: m365-security
   ms.mktglfcycl: manage
   ms.sitesec: library
   ms.pagetype: security
   ms.localizationpriority: medium
-  author: denisebmsft
-  ms.author: deniseb
+  ms.prod: windows-client
+  ms.technology: itpro-security
+  author: vinaypamnani-msft
+  ms.author: vinpa
   ms.reviewer:
   manager: aaroncz
   ms.custom: asr
-  ms.technology: windows-sec
   ms.topic: faq
 title: Frequently asked questions - Microsoft Defender Application Guard
 summary: |
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 2b2875ea47..b4fb01a3c6 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -13,6 +13,8 @@ ms.reviewer:
 manager: aaroncz
 ms.custom: asr
 ms.technology: itpro-security
+ms.collection: 
+  - highpri
 ---
 
 # Prepare to install Microsoft Defender Application Guard
@@ -92,7 +94,7 @@ Application Guard functionality is turned off by default. However, you can quick
 
 :::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
 
-1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
 1. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following: <br/>
 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index d4a07cff56..1ba47ee970 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft Defender Application Guard (Windows 10 or Windows 11)
-description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
 ms.prod: windows-client
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -13,6 +13,8 @@ ms.reviewer:
 manager: aaroncz
 ms.custom: asr
 ms.technology: itpro-security
+ms.collection: 
+  - highpri
 ---
 
 # Microsoft Defender Application Guard overview
@@ -37,13 +39,13 @@ For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoin
 
 Application Guard has been created to target several types of devices:
 
-- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
+- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
 
-- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
+- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
 
-- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
+- **Bring your own device (BYOD) mobile laptops**. These personally owned laptops aren't domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
 
-- **Personal devices**. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
+- **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
 
 ## Related articles
 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index e7ea108193..85f176411e 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -47,4 +47,4 @@ Your environment must have the following hardware to run Microsoft Defender Appl
 |--------|-----------|
 | Operating system | Windows 10 Enterprise edition, version 1809 or later <br/> Windows 10 Professional edition, version 1809 or later <br/> Windows 10 Professional for Workstations edition, version 1809 or later <br/> Windows 10 Professional Education edition, version 1809 or later <br/> Windows 10 Education edition, version 1809 or later <br/> Windows 11 Education, Enterprise, and Professional editions |
 | Browser | Microsoft Edge |
-| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
+| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index dd2072101b..e58c585f72 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -9,6 +9,8 @@ ms.reviewer:
 manager: aaroncz
 ms.technology: itpro-security
 adobe-target: true
+ms.collection: 
+  - highpri
 ---
 
 # Microsoft Defender SmartScreen
diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md
index c15e7110b2..cf9752c6f3 100644
--- a/windows/security/threat-protection/msft-security-dev-lifecycle.md
+++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md
@@ -1,7 +1,7 @@
 ---
 title: Microsoft Security Development Lifecycle
 description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development.
-ms.prod: m365-security
+ms.prod: windows-client
 author: dansimp
 ms.author: dansimp
 manager: aaroncz
@@ -9,7 +9,7 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: 
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Microsoft Security Development Lifecycle
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index 83dcf3036f..fa6de91b70 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -3,10 +3,10 @@ manager: aaroncz
 ms.author: dansimp
 title: Override Process Mitigation Options (Windows 10)
 description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies.
-ms.prod: m365-security
+ms.prod: windows-client
 author: dulcemontemayor
 ms.localizationpriority: medium
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 551bdb2981..9540d55eb9 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -1,13 +1,13 @@
 ---
 title: Mitigate threats by using Windows 10 security features (Windows 10)
 description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats.
-ms.prod: m365-security
+ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 ms.reviewer: 
 manager: aaroncz
 ms.author: dansimp
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Mitigate threats by using Windows 10 security features
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index dff954f4db..ae2b7dcea6 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -1,14 +1,14 @@
 ---
 title: Control the health of Windows 10-based devices (Windows 10)
 description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
-ms.reviewer:
+ms.reviewer: 
 manager: aaroncz
 ms.author: dansimp
-ms.prod: m365-security
+ms.prod: windows-client
 author: dulcemontemayor
 ms.date: 10/13/2017
 ms.localizationpriority: medium
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Control the health of Windows 10-based devices
@@ -280,7 +280,7 @@ SAWs are computers that are built to help significantly reduce the risk of compr
 
 To protect high-value assets, SAWs are used to make secure connections to those assets.
 
-Similarly, on corporate fully managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running.
+Similarly, on corporate fully managed workstations, where applications are installed by using a distribution tool like Microsoft Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running.
 
 It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run.
 
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index 581f24c137..559a82704b 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 08/16/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index dcb289e933..0b41931636 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 11/02/2018
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index 8d8e4c26cd..bc2b937927 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -22,7 +22,8 @@ ms.technology: itpro-security
 
 **Applies to**
 
-- Windows 10
+- Windows 11
+- Windows 10
 
 This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
 
@@ -313,4 +314,4 @@ Secedit.exe is useful when you have multiple devices on which security must be a
 
 ## <a href="" id="bkmk-grouppolicy"></a>Working with Group Policy tools
 
-Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop.
\ No newline at end of file
+Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local device or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools also are included in the Remote Server Administration Tools pack to provide a way for you to administer Group Policy settings from your desktop.
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index db454847ac..d9bdd93728 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
@@ -20,7 +22,8 @@ ms.technology: itpro-security
 # Configure security policy settings
 
 **Applies to**
--   Windows 10
+-   Windows 11
+-   Windows 10
 
 Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index 78388a4a1c..ff6e5b9bac 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/18/2018
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index 69e444f25d..a55b2121f7 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index 4c6c5ddd2d..39110f95c1 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -33,9 +33,9 @@ The **Microsoft network server: Amount of idle time required before suspending s
 
 ### Possible values
 
--   A user-defined number of minutes from 0 through 99,999
+-   A user-defined number of minutes from 0 through 99,999.
 
-    For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days. In effect, this value disables the policy.
+    For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999 (8 business hours per day), which is 208 days. In effect, this value disables the policy.
 
 -   Not defined
 
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index ad8881b12c..14a19ec3af 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 03/30/2022
 ms.technology: itpro-security
@@ -36,7 +38,7 @@ The **Minimum password length** policy setting determines the least number of ch
 
 ### Best practices
 
-Set Minimum password length to at least a value of 14. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
+Set minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
 
 Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls.
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 4842d0dfe2..3b779eb87c 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
@@ -21,7 +21,13 @@ ms.technology: itpro-security
 # Network access: Restrict anonymous access to Named Pipes and Shares
 
 **Applies to**
+-   Windows 11
 -   Windows 10
+-   Windows 8.1
+-   Windows Server 2022
+-   Windows Server 2019
+-   Windows Server 2016
+-   Windows Server 2012 R2
 
 Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting.
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index c92203d33a..48d6693d11 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -9,6 +9,8 @@ author: vinaypamnani-msft
 ms.author: vinpa
 ms.reviewer: 
 manager: aaroncz
+ms.collection: 
+  - highpri
 ---
 
 # Network access: Restrict clients allowed to make remote calls to SAM
diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
index f558cd0804..82252f7a68 100644
--- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
@@ -21,7 +21,8 @@ ms.technology: itpro-security
 # Network List Manager policies
 
 **Applies to**
--   Windows 10
+-   Windows 11
+-   Windows 10
 
 Network List Manager policies are security settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices.
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index 562ea5df45..c5143b9f49 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index af10a9974a..b3ebd353c1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index 77c03aaea0..fb87a0fd40 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.technology: itpro-security
 ---
@@ -28,7 +30,7 @@ Describes the best practices, location, values, and security considerations for
 
 The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:
 
-1.  Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive.
+1.  Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.
 
     The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped.
     The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password.
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index d4894e3791..7ecb04ce32 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index 9f76b3d698..fe332e87f3 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c
 ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Profile system performance
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index a1e2ab6949..379cef16af 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c
 ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Recovery console: Allow automatic administrative logon
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index 8e34bd2995..6b402af2db 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se
 ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Recovery console: Allow floppy copy and access to all drives and folders
diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
index dafe4d5d59..fbd8bf9e9b 100644
--- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management,
 ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Remove computer from docking station - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
index c40121b387..3978432395 100644
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
+++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management,
 ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Replace a process level token
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index e2f943cd55..900b66a6fe 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid
 ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 11/02/2018
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Reset account lockout counter after
diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
index 5e3f6b9386..ea25267470 100644
--- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management,
 ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Restore files and directories - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index 7dc532fd31..a620908a28 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -4,7 +4,7 @@ description: Provides information about the advanced security audit policy setti
 ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Advanced security audit policy settings for Windows 10
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index 00441e06c4..2617bbe979 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -5,14 +5,14 @@ ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b
 ms.reviewer: 
 manager: aaroncz
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.date: 06/28/2018
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Security Options
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
index bfca76513d..2668278e86 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
@@ -4,7 +4,7 @@ description: This reference of security settings provides information about how
 ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,13 +15,14 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Security policy settings reference
 
 **Applies to**
--   Windows 10
+-   Windows 11
+-   Windows 10
 
 This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.
 
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index e694d0e097..5ab4550261 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -4,7 +4,7 @@ description: This reference topic describes the common scenarios, architecture,
 ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -12,10 +12,12 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Security policy settings
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
index 465e04c8e5..67d5faee52 100644
--- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
+++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management,
 ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Shut down the system - security policy setting
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
index 06fb947134..191d7707e3 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
@@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security
 ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Shutdown: Allow system to be shut down without having to log on
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index 188c435f4f..8dee428efe 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management a
 ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 08/01/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Shutdown: Clear virtual memory pagefile 
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
index 460941fd81..b177d97e7f 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
@@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th
 ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # SMBv1 Microsoft network client: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
index 6125397053..735abfb6ec 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
@@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t
 ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 # SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
 
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
index b261da96b1..e786e34d26 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
@@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the  security
 ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # SMB v1 Microsoft network server: Digitally sign communications (always)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
index d10e1c5531..02d3e39e49 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
@@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p
 ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 01/04/2019
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # SMBv1 Microsoft network server: Digitally sign communications (if client agrees)
diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
index 207e07ea6f..7e2d99c5ca 100644
--- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
+++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid
 ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Store passwords using reversible encryption
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
index 75c07aa23f..27b022d867 100644
--- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
+++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management,
 ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Synchronize directory service data
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index 8e7bbc95a5..73d75fc780 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se
 ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # System cryptography: Force strong key protection for user keys stored on the computer
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index 384b7464ec..7b1b9ef84d 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se
 ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 11/16/2018
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
index 9c4cd9c338..cfc1e3e48a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
@@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p
 ms.assetid: 340d6769-8f33-4067-8470-1458978d1522
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # System objects: Require case insensitivity for non-Windows subsystems
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index bba4ab0d9b..9e16de4a18 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, System obj
 ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
index a36f304e17..0397eca9d7 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
@@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management,
 ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78
 ms.reviewer: 
 ms.author: vinpa
-ms.prod: m365-security
+ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -15,7 +15,7 @@ audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
 ms.date: 04/19/2017
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # System settings: Optional subsystems
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 85b060886d..79919780f0 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index f4ddfe874d..d48d5da38b 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -4,11 +4,11 @@ description: Learn about an approach to collect events from devices in your orga
 ms.reviewer: 
 manager: aaroncz
 ms.author: dansimp
-ms.prod: m365-security
+ms.prod: windows-client
 author: dulcemontemayor
 ms.date: 02/28/2019
 ms.localizationpriority: medium
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
 # Use Windows Event Forwarding to help with intrusion detection
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index ae3272781f..6b822bc07e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -48,7 +48,7 @@ Multiple WDAC policies can be managed from an MDM server through ApplicationCont
 
 However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
 
-For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Endpoint Manager Intune's Custom OMA-URI capability.
+For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Intune's Custom OMA-URI capability.
 
 > [!NOTE]
 > WMI and GP don't currently support multiple policies. If you can't directly access the MDM stack, use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage multiple policy format Windows Defender Application Control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 0eee8eff2c..71ed7b8d83 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -30,6 +30,8 @@
               href: allow-com-object-registration-in-windows-defender-application-control-policy.md
             - name: Use WDAC with .NET hardening
               href: use-windows-defender-application-control-with-dynamic-code-security.md
+            - name: Script enforcement with Windows Defender Application Control
+              href: design/script-enforcement.md
             - name: Manage packaged apps with WDAC
               href: manage-packaged-apps-with-windows-defender-application-control.md
             - name: Use WDAC to control specific plug-ins, add-ins, and modules
@@ -85,8 +87,6 @@
       href: merge-windows-defender-application-control-policies.md
     - name: Enforce WDAC policies
       href: enforce-windows-defender-application-control-policies.md
-    - name: Managing WDAC Policies with CI Tool
-      href: citool-commands.md
     - name: Use code signing to simplify application control for classic Windows applications
       href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
       items:
@@ -115,6 +115,8 @@
       href: operations/known-issues.md
     - name: Managed installer and ISG technical reference and troubleshooting guide
       href: configure-wdac-managed-installer.md
+    - name: Managing WDAC Policies with CI Tool
+      href: operations/citool-commands.md
 - name: WDAC AppId Tagging guide
   href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
   items:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index b2435f908b..2e6095c98a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 10/16/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index 67142745ef..6b7bda08f8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -1,6 +1,6 @@
 ---
 title: Use AppLocker and Software Restriction Policies in the same domain (Windows)
-description: This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
+description: This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
 ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943
 ms.reviewer: 
 ms.author: vinpa
@@ -14,7 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 11/07/2022
 ms.technology: itpro-security
 ---
 
@@ -23,19 +23,16 @@ ms.technology: itpro-security
 **Applies to**
 
 - Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows Server 2016
 
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
 
-This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
+> [!IMPORTANT]
+> Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and above, and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs.
 
 ## Using AppLocker and Software Restriction Policies in the same domain
 
-AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running 
-Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, 
-Windows 7 and later, the SRP policies are ignored.
+AppLocker is supported on systems running Windows 8.1. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.
 
 The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker.
 
@@ -45,7 +42,7 @@ The following table compares the features and functions of Software Restriction
 |Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<br/><br/>AppLocker permits customization of error messages to direct users to a Web page for help.|
 |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
 |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
-|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.<br/><br/>SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.|
+|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.<br/><br/>SRP can also be configured in the “allowlist mode” so that by default all files are blocked. In "allowlist mode", administrators need to create allow rules for files that they want to run.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.|
 |File types that can be controlled|SRP can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<br/><br/>SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<li>Packaged apps and installers<br/><br/>AppLocker maintains a separate rule collection for each of the five file types.|
 |Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>Dlls (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
 |Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<li>Internet zone|AppLocker supports three types of rules:<li>File hash<li>Path<li>Publisher|
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index af84836ade..f078f7a073 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -29,7 +29,7 @@ ms.technology: itpro-security
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager (MEMCM) or Microsoft Intune.
+Windows Defender Application Control (WDAC) includes an option called **managed installer** that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution, such as Microsoft Configuration Manager (MEMCM) or Microsoft Intune.
 
 ## How does a managed installer work?
 
@@ -127,7 +127,7 @@ The AppLocker policy creation UI in GPO Editor and the AppLocker PowerShell cmdl
     </RuleCollection>
     ```
 
-4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This condition-based inclusion ensures the policy will merge successfully on devices that may already have an AppLocker policy in place.
+4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This condition-based inclusion ensures the policy will merge successfully on devices that may already have an AppLocker policy in place.
 
     ```xml
     <AppLockerPolicy Version="1">
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 9eb2d45bf5..c24b6295c9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -11,10 +11,10 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 08/14/2020
+ms.date: 11/11/2022
 ms.technology: itpro-security
 ---
 
@@ -29,21 +29,25 @@ ms.technology: itpro-security
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
 
-## Using fsutil to query SmartLocker EA
+## Enabling managed installer and Intelligent Security Graph (ISG) logging events
 
-Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
+Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events.
+
+## Using fsutil to query extended attributes for Managed Installer (MI)
+
+Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) enabled can use fsutil.exe to determine whether a file was created by a managed installer process. This verification is done by querying the Extended Attributes (EAs) on a file using fsutil.exe and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. Then, you can use the data from the first row of output to identify if the file was created by a managed installer. For example, let's look at the fsutil.exe output for a file called application.exe:
 
 **Example:**
 
 ```powershell
-fsutil file queryEA C:\Users\Temp\Downloads\application.exe
+fsutil.exe file queryEA C:\Users\Temp\Downloads\application.exe
 
 Extended Attributes (EA) information for file C:\Users\Temp\Downloads\application.exe:
 
 Ea Buffer Offset: 410
 Ea Name: $KERNEL.SMARTLOCKER.ORIGINCLAIM
 Ea Value Length: 7e
-0000: 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
+0000: 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
 0010: b2 ff 10 66 bc a8 47 c7 00 d9 56 9d 3d d4 20 2a ...f..G...V.=. *
 0020: 63 a3 80 e2 d8 33 8e 77 e9 5c 8d b0 d5 a7 a3 11 c....3.w.\......
 0030: 83 00 00 00 00 00 00 00 5c 00 00 00 43 00 3a 00 ........\...C.:.
@@ -53,40 +57,63 @@ Ea Value Length: 7e
 0070: 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 i.c.a.t.i.o.n..e.x.e
 ```
 
-## Enabling managed installer logging events
+From the output shown above, find the first row of data labeled "0000:", which is then followed by 16 two-character sets. Every four sets form a group known as a ULONG. The two-character set at the front of the first ULONG will always be "01" as shown here:
 
-Refer to [Understanding Application Control Events](event-id-explanations.md#diagnostic-events-for-intelligent-security-graph-isg-and-managed-installer-mi) for information on enabling optional managed installer diagnostic events.
+0000: **`01` 00 00 00** 00 00 00 00 00 00 00 00 01 00 00 00
 
-## Deploying the Managed Installer rule collection
+If there is "00" in the fifth position of the output (the start of the second ULONG), that indicates the EA is related to managed installer:
 
-Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it.
+0000: 01 00 00 00 **`00` 00 00 00** 00 00 00 00 01 00 00 00
 
-1. Use the following command to deploy the policy.
+Finally, the two-character set in the ninth position of the output (the start of the third ULONG) indicates whether the file was created by a process running as managed installer. A value of "00" means the file was directly written by a managed installer process and will run if your WDAC policy trusts managed installers.
 
-   ```powershell
-   $policyFile=
-   @"
-   Raw_AppLocker_Policy_XML
-   "@
-   Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
+0000: 01 00 00 00 00 00 00 00 **`00` 00 00 00** 01 00 00 00
+
+If instead the starting value for the third ULONG is "02", then that indicates a "child of child". "Child of child" is set on any files created by something that was installed by a managed installer. But, the file was created **after** the managed installer completed its work. So this file **wouldn't** be allowed to run unless there's some other rule in your policy to allow it.
+
+In rarer cases, you may see other values in this position, but that will also run if your policy trusts managed installer.
+
+## Using fsutil to query extended attributes for Intelligent Security Graph (ISG)
+
+When an installer runs that has good reputation according to the ISG, the files that the installer writes to disk will inherit the reputation from the installer. These files with ISG inherited trust will also have the KERNEL.SMARTLOCKER.ORIGINCLAIM EA set as described above for managed installers. You can identify that the EA was created by the ISG by looking for the value "01" in the fifth position of the output (the start of the second ULONG) from fsutil:
+
+0000: 01 00 00 00 **`01` 00 00 00** 00 00 00 00 01 00 00 00
+
+## More troubleshooting steps for Managed Installer and ISG
+
+Both managed installer and the ISG depend on AppLocker to provide some functionality. Use the following steps to confirm that AppLocker is configured and running correctly.
+
+1. Check that AppLocker services are running. From an elevated PowerShell window, run the following and confirm the STATE shows as RUNNING for both appidsvc and AppLockerFltr:
+
+    ```powershell
+    sc.exe query appidsvc
+        SERVICE_NAME: appidsvc
+        TYPE               : 30  WIN32
+        STATE              : 4  RUNNING
+                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
+        WIN32_EXIT_CODE    : 0  (0x0)
+        SERVICE_EXIT_CODE  : 0  (0x0)
+        CHECKPOINT         : 0x0
+        WAIT_HINT          : 0x0
+    sc.exe query AppLockerFltr
+        SERVICE_NAME: applockerfltr
+        TYPE               : 1  KERNEL_DRIVER
+        STATE              : 4  RUNNING
+                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
+        WIN32_EXIT_CODE    : 0  (0x0)
+        SERVICE_EXIT_CODE  : 0  (0x0)
+        CHECKPOINT         : 0x0
+        WAIT_HINT          : 0x0
    ```
 
-2. Verify Deployment of the ruleset was successful
+    If not, run *appidtel start* from the elevated PowerShell window and check again.
+
+2. For managed installer, check for AppCache.dat and other *.AppLocker files created under %windir%\System32\AppLocker. There should minimally be a ".AppLocker" file created for each of EXE, DLL, and MANAGEDINSTALLER rule collections. If you don't see these files created, proceed to the next step to confirm the AppLocker policy has been correctly applied.
+
+3. For managed installer troubleshooting, check that the AppLocker effective policy is correct. From an elevated PowerShell window:
 
    ```powershell
-   Get-AppLockerPolicy -Local
-   
-   Version RuleCollections RuleCollectionTypes
-   ------- --------------- -------------------
-   1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...}
+   Get-AppLockerPolicy -Effective -XML > $env:USERPROFILE\Desktop\AppLocker.xml
    ```
 
-   Verify the output shows the ManagedInstaller rule set.
-
-3. Get the policy XML (optional) using PowerShell:
-
-   ```powershell
-   Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue
-   ```
-
-   This command will show the raw XML to verify the individual rules that were set.
+   Then open the XML file created and confirm it contains the rules you expect. In particular, the policy should include at least one rule for each of the EXE, DLL, and MANAGEDINSTALLER RuleCollections. The RuleCollections can either be set to AuditOnly or Enabled. Additionally, the EXE and DLL RuleCollections must include the RuleCollectionExtensions configuration as shown in [Automatically allow apps deployed by a managed installer with Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#create-and-deploy-an-applocker-policy-that-defines-your-managed-installer-rules-and-enables-services-enforcement-for-executables-and-dlls).
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 87d2d36eb1..0fdfc798f0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 11/20/2019
+ms.date: 11/07/2022
 ms.technology: itpro-security
 ---
 
@@ -30,7 +30,7 @@ ms.technology: itpro-security
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
+This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Intune. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
 
 > [!NOTE]
 > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
@@ -46,7 +46,7 @@ Alice previously created a policy for the organization's lightly managed devices
 Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices:
 
 - All clients are running Windows 10 version 1903 or above or Windows 11;
-- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune;
+- All clients are managed by Configuration Manager or with Intune;
 - Most, but not all, apps are deployed using Configuration Manager;
 - Sometimes, IT staff install apps directly to these devices without using Configuration Manager;
 - All users except IT are standard users on these devices.
@@ -60,7 +60,7 @@ Based on the above, Alice defines the pseudo-rules for the policy:
    - WHQL (third-party kernel drivers)
    - Windows Store signed apps
 
-2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
+2. **"ConfigMgr works”** rules that include signer and hash rules for Configuration Manager components to properly function.
 3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer)
 
 The critical differences between this set of pseudo-rules and those pseudo-rules defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
@@ -85,13 +85,13 @@ Alice follows these steps to complete this task:
       $PolicyPath=$env:userprofile+"\Desktop\"
       $PolicyName= "Lamna_FullyManagedClients_Audit"
       $LamnaPolicy=$PolicyPath+$PolicyName+".xml"
-      $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+      $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
       ```
 
 3. Copy the policy created by Configuration Manager to the desktop:
 
       ```powershell
-      cp $MEMCMPolicy $LamnaPolicy
+      cp $ConfigMgrPolicy $LamnaPolicy
       ```
 
 4. Give the new policy a unique ID, descriptive name, and initial version number:
@@ -119,10 +119,9 @@ Alice follows these steps to complete this task:
 7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
 
    ```powershell
-   [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy
-   $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId
-   $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip"
-   ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+    [xml]$PolicyXML = Get-Content $LamnaPolicy
+    $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip"
+    ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin
    ```
 
 8. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 378ee082a0..7878df99b7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -12,10 +12,10 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 08/10/2022
+ms.date: 11/07/2022
 ms.technology: itpro-security
 ---
 
@@ -35,9 +35,9 @@ This section outlines the process to create a Windows Defender Application Contr
 > [!NOTE]
 > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
 
-As in the [previous article](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
+As in [Windows Defender Application Control deployment in different scenarios: types of devices](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
 
-**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing that Lamna currently has loose application usage policies and a culture of maximum app flexibility for users, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads.
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Lamna currently has loose application usage policies and a culture of maximum app flexibility for users. So, Alice knows she'll need to take an incremental approach to application control and use different policies for different workloads.
 
 For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
 
@@ -46,7 +46,7 @@ For most users and devices, Alice wants to create an initial policy that is as r
 Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices:
 
 - All clients are running Windows 10 version 1903 and above, or Windows 11;
-- All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune.
+- All clients are managed by Configuration Manager or with Intune.
 - Some, but not all, apps are deployed using Configuration Manager;
 - Most users are local administrators on their devices;
 - Some teams may need more rules to authorize specific apps that don't apply generally to all other users.
@@ -58,7 +58,7 @@ Based on the above, Alice defines the pseudo-rules for the policy:
    - WHQL (third-party kernel drivers)
    - Windows Store signed apps
 
-1. **"MEMCM works”** rules that include:
+1. **"ConfigMgr works”** rules that include:
     - Signer and hash rules for Configuration Manager components to properly function.
     - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
 
@@ -122,8 +122,8 @@ Alice follows these steps to complete this task:
     > If you do not use Configuration Manager, skip this step.
 
     ```powershell
-    $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
-    Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
+    $ConfigMgrPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+    Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$ConfigMgrPolicy
     Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
     ```
 
@@ -149,12 +149,12 @@ Alice follows these steps to complete this task:
 1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
 
     ```powershell
-    [xml]$policyXML = Get-Content $LamnaPolicy
-    $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
-    ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+    [xml]$PolicyXML = Get-Content $LamnaPolicy
+    $LamnaPolicyBin = Join-Path $PolicyPath "$($PolicyXML.SiPolicy.PolicyID).cip"
+    ConvertFrom-CIPolicy $LamnaPolicy $LamnaPolicyBin
     ```
 
-1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+1. Upload your base policy XML and the associated binary to a source control solution, such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
 
 At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
 
@@ -164,12 +164,12 @@ In order to minimize user productivity impact, Alice has defined a policy that m
 
 - **Users with administrative access**
 
-  This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+  This trade-off is the most impactful security trade-off. It allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
 
   Possible mitigations:
 
   - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
-  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+  - To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process.
   - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
 
 - **Unsigned policies**
@@ -187,7 +187,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
 
   Possible mitigations:
 
-  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
+  - To remove the requirement for managed installer, create and deploy signed catalog files as part of the app deployment process.
   - Limit who can elevate to administrator on the device.
 
 - **Intelligent Security Graph (ISG)**
@@ -196,7 +196,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
 
   Possible mitigations:
 
-  - Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
+  - Implement policies that require apps be managed by IT. Audit existing app usage and deploy authorized apps using a software distribution solution, like Microsoft Intune. Move from ISG to managed installer or signature-based rules.
   - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
 
 - **Supplemental policies**
@@ -219,7 +219,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m
 
 - **Signed files**
 
-  Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
+  Although files that are code-signed verify the author's identity and ensures that the code hasn't been altered by anyone other than the author, it doesn't guarantee that the signed code is safe.
 
   Possible mitigations:
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 2882d6d02c..ee084e1311 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -152,7 +152,7 @@ To sign the existing catalog file, copy each of the following commands into an e
 
 5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.
 
-   For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager, which also simplifies the management of catalog versions.
+   For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Configuration Manager, which also simplifies the management of catalog versions.
 
 ## Add a catalog signing certificate to a Windows Defender Application Control policy
 
@@ -230,7 +230,7 @@ To simplify the management of catalog files, you can use Group Policy preference
 
 Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy.
 
-## Deploy catalog files with Microsoft Endpoint Configuration Manager
+## Deploy catalog files with Microsoft Configuration Manager
 
 As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
 
@@ -305,7 +305,7 @@ After you create the deployment package, deploy it to a collection so that the c
 
 Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy,.
 
-## Inventory catalog files with Microsoft Endpoint Configuration Manager
+## Inventory catalog files with Microsoft Configuration Manager
 
 When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index eb4d4fdceb..1d07caffe7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -88,7 +88,7 @@ When you're merging policies, the policy type and ID of the leftmost/first polic
 
 ## Deploying multiple policies
 
-In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Endpoint Manager Intune's Custom OMA-URI feature.
+In order to deploy multiple Windows Defender Application Control policies, you must either deploy them locally by copying the `*.cip` policy files into the proper folder or by using the ApplicationControl CSP, which is supported by Microsoft Intune's custom OMA-URI feature.
 
 ### Deploying multiple policies locally
 
@@ -106,7 +106,7 @@ Multiple Windows Defender Application Control policies can be managed from an MD
 
 However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
 
-For more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
+For more information on deploying multiple policies, optionally using Microsoft Intune's custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
 
 > [!NOTE]
 > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index 1702db9877..d66bca3105 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy Windows Defender Application Control policies with Configuration Manager
-description: You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
+description: You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.collection: M365-security-compliance
@@ -13,7 +13,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 ---
 
-# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager
+# Deploy WDAC policies by using Microsoft Configuration Manager
 
 **Applies to:**
 
@@ -24,7 +24,7 @@ ms.localizationpriority: medium
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).
 
-You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
+You can use Microsoft Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
 
 ## Use Configuration Manager's built-in policies
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 99481638a6..9beafe889b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -82,7 +82,7 @@ You should now have one or more WDAC policies converted into binary form. If not
 
 ## Deploying signed policies
 
-If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Endpoint Manager](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 
+If you are using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the steps outlined above. Unsigned WDAC policies do not need to be present in the EFI partition. Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. 
 
 1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt: 
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
index f155922fc3..f4b43a2558 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
@@ -24,7 +24,7 @@ ms.topic: how-to
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
 
-You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
+You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
 
 ## Use Intune's built-in policies
 
@@ -61,7 +61,7 @@ The steps to use Intune's custom OMA-URI functionality are:
 2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
     - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
     - **Data type**: Base64 (file)
-    - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
+    - **Certificate file**: Upload your binary format policy file. To do this, change your {GUID}.cip file to {GUID}.bin. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. 
 
     > [!div class="mx-imgBorder"]
     > ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)
diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
new file mode 100644
index 0000000000..5a4f9be3f6
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
@@ -0,0 +1,73 @@
+---
+title: Understand WDAC script enforcement
+description: WDAC script enforcement
+keywords: security, malware
+ms.prod: windows-client
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.author: jogeurte
+ms.manager: jsuther
+manager: aaroncz
+ms.date: 11/02/2022
+ms.technology: itpro-security
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# Script enforcement with Windows Defender Application Control (WDAC)
+
+**Applies to:**
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
+
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+
+## Script enforcement overview
+
+By default, script enforcement is enabled for all WDAC policies unless the option **11 Disabled:Script Enforcement** is set in the policy. WDAC script enforcement involves a handshake between an enlightened script host, such as PowerShell, and WDAC. The actual enforcement behavior, however, is handled entirely by the script host. Some script hosts, like the Microsoft HTML Application Host (mshta.exe), simply block all code execution if any WDAC UMCI policy is active. Most script hosts first ask WDAC whether a script should be allowed to run based on the WDAC policies currently active. The script host then either blocks, allows, or changes *how* the script is run to best protect the user and the device.
+
+WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host. For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log).
+
+> [!IMPORTANT]
+> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
+>
+> Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly.
+
+## Enlightened script hosts that are part of Windows
+
+### PowerShell
+
+All PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) must be allowed by WDAC policy in order to run with Full Language rights.
+
+Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that do not specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load.
+
+Any PowerShell script that isn't allowed by WDAC policy will still run, but only in Constrained Language Mode.
+
+PowerShell **dot-sourcing** isn't recommended. Instead, scripts should use PowerShell modules to provide common functionality. If a script file that is allowed by WDAC does try to run dot-sourced script files, those script files must also be allowed by the policy.
+
+WDAC will put **interactive PowerShell** into Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies.
+
+For more information on PowerShell language modes, see [About Language Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes).
+
+### VBscript, cscript, and jscript
+
+All scripts run using the Windows Based Script Host (wscript.exe) or the Microsoft Console Based Script Host (cscript.exe) must be allowed by the WDAC policy. If not, the script will be blocked.
+
+### Microsoft HTML Application Host (MSHTA) and MSXML
+
+If any WDAC policy is active that enables script enforcement, even if that policy is in audit mode, all code execution using MSHTA or MSXML will be blocked.
+
+### COM objects
+
+WDAC additionally enforces a restricted allowlist for COM objects that can be expanded or further restricted by your WDAC policy. COM object enforcement **isn't** affected by option **11 Disabled:Script Enforcement**. For more information on how to allow or deny COM objects, see [Allow COM object registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy).
+
+## Scripts that aren't directly controlled by WDAC
+
+WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run will be subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process. See [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
+
+WDAC doesn't control scripts run through an unenlightened script host, such as many 3rd-party Java or Python engines. If your WDAC policy allows an unenlightened script host to run, then you implicitly allow all scripts run through that host. For non-Microsoft script hosts, you should check with the software vendor whether their script hosts are enlightened to WDAC policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index 157e08e8e7..526551ec0e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Disable Windows Defender Application Control policies  (Windows)
+title: Remove Windows Defender Application Control policies  (Windows)
 description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -11,86 +11,169 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 05/03/2018
+ms.date: 11/04/2022
 ms.technology: itpro-security
 ---
 
-# Disable Windows Defender Application Control policies
+# Remove Windows Defender Application Control (WDAC) policies
 
 **Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-This topic covers how to disable unsigned or signed WDAC policies.
+## Removing WDAC policies
 
-## Disable unsigned Windows Defender Application Control policies
+There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you've deployed. This article describes the various ways to remove WDAC policies.
 
-There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart:
+> [!IMPORTANT]
+> **Signed WDAC policy**
+>
+> If the policy you are trying to remove is a signed WDAC policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**.
+>
+> The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \<UpdatePolicySigners\>.
+>
+> To take effect, this policy must be signed with a certificate included in the \<UpdatePolicySigners\> section of the original policy you want to replace. 
+>
+> You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.***
 
--   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
--   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
+Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer.
 
->[!NOTE]
-> As of the Windows 10 May 2019 Update (1903), Windows Defender Application Control allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory.
+To make a policy effectively inactive before removing it, you can first replace the policy with a new one that includes the following changes:
 
-## Disable signed Windows Defender Application Control policies within Windows
+1. Replace the policy rules with "Allow *" rules;
+2. Set option **3 Enabled:Audit Mode** to change the policy to audit mode only;
+3. Set option **11 Disabled:Script Enforcement**;
+4. Allow all COM objects. See [Allow COM object registration in a WDAC policy](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy#examples);
+5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only.
 
-Signed policies protect Windows from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
+> [!IMPORTANT]
+> After a policy has been removed, you must restart the computer for it to take effect. You can't remove WDAC policies rebootlessly.
+
+### Remove WDAC policies using CiTool.exe
+
+Beginning with the Windows 11 2022 Update, you can remove WDAC policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove:
+
+```powershell
+    CiTool.exe -rp "{PolicyId GUID}" -json
+```
+
+Then restart the computer.
+
+### Remove WDAC policies using MDM solutions like Intune
+
+You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove WDAC policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp).
+
+<!-- Waiting for information from Intune team on specific steps...
+
+The steps to use Intune's custom OMA-URI functionality to remove a WDAC policy are:
+
+1. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
+
+2. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
+    - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_PolicyId GUID_/Policy`
+    - **Data type**: Base64 (file)
+    - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
+
+    > [!div class="mx-imgBorder"]
+    > ![Configure custom WDAC.](../images/wdac-intune-custom-oma-uri.png)
 
 > [!NOTE]
-> For reference, signed WDAC policies should be replaced and removed from the following locations:
-> 
-> * &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
-> * &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
+> For the _Policy GUID_ value, do not include the curly brackets.
+-->
 
+Consult your MDM solution provider for specific information on using the ApplicationControl CSP.
 
-1.  Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
+Then restart the computer.
 
-    > [!NOTE]
-    > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+### Remove WDAC policies using script
 
-2.  Restart the client computer.
+To remove WDAC policies using script, your script must delete the policy file(s) from the computer. For **multiple policy format (1903+) WDAC policies**, look for the policy files in the following locations. Be sure to replace the *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove.
 
-3.  Verify that the new signed policy exists on the client.
+- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
+- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip
 
-    > [!NOTE]
-    > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations:
 
-4.  Delete the new policy.
+- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\SiPolicy.p7b
+- &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b
 
-5.  Restart the client computer.
+Then restart the computer.
 
-If the signed Windows Defender Application Control policy has been deployed by using Group Policy, you must complete the following steps:
+#### Sample script
 
-1.  Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
+<details>
+  <summary>Expand this section to see a sample script to delete a single WDAC policy</summary>
 
-    > [!NOTE]  
-    > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+```powershell
+    # Set PolicyId GUID to the PolicyId from your WDAC policy XML
+    $PolicyId = "{PolicyId GUID}"
 
-2.  Restart the client computer.
+    # Initialize variables
+    $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}"
+    $SinglePolicyFormatFileName = "\SiPolicy.p7b"
+    $MountPoint =  $env:SystemDrive+"\EFIMount"
+    $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity"
+    $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"
+    $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip"
 
-3.  Verify that the new signed policy exists on the client.
+    # Mount the EFI partition
+    $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
+    if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
+    mountvol $MountPoint $EFIPartition
 
-    > [!NOTE]
-    > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+    # Check if the PolicyId to be removed is the system reserved GUID for single policy format.
+    # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as
+    # {GUID}.cip in the CiPolicies\Active subdirectory
+    if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}
+    
+    $Count = 1
+    while ($Count -le $NumFilesToDelete) 
+    {
+           
+        # Set the $PolicyPath to the file to be deleted, if exists
+        Switch ($Count)
+        {
+            1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath}
+            2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath}
+            3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
+            4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
+        }
 
-4.  Set the GPO to disabled.
+        # Delete the policy file from the current $PolicyPath
+        Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan
+        if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}
 
-5.  Delete the new policy.
+        $Count = $Count + 1
+    }
 
-6.  Restart the client computer.
+    # Dismount the EFI partition
+   mountvol $MountPoint /D
+```
 
-## Disable signed Windows Defender Application Control policies within the BIOS
+</Details>
 
-There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it's important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
+> [!NOTE]
+> You must run the script as administrator to remove WDAC policies on your computer.
 
--   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
--   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
+## Remove WDAC policies causing boot stop failures
+
+A WDAC policy that blocks boot critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option **10 Enabled:Boot Audit On Failure** in your policies. Additionally, signed WDAC policies protect the policy from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies even for administrators. Tampering with or removing a signed WDAC policy will cause a BSOD to occur.
+
+To remove a policy that is causing boot stop failures:
+
+1. If the policy is a **signed** WDAC policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM).
+2. Access the Advanced Boot Options menu on your computer and choose the option to **Disable Driver Signature Enforcement**. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. This option will suspend all code integrity checks, including WDAC, for a single boot session.
+3. Start Windows normally and sign in. Then, [remove WDAC policies using script](#remove-wdac-policies-using-script).
+4. If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker, [suspend BitLocker protection](/troubleshoot/windows-client/windows-security/suspend-bitlocker-protection-non-microsoft-updates) then turn on Secure Boot from your UEFI BIOS menu.
+5. Restart the computer.
+
+> [!NOTE]
+> If your drive is protected by Bitlocker, you may need your Bitlocker recovery keys to perform steps 1-2 above.
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 6abeab5887..2c666bad22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -15,7 +15,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 08/05/2022
+ms.date: 11/02/2022
 ms.technology: itpro-security
 ---
 
@@ -35,12 +35,20 @@ When you create policies for use with Windows Defender Application Control (WDAC
 ## Example Base Policies
 
 | **Example Base Policy** | **Description** | **Where it can be found** |
-|----------------------------|---------------------------------------------------------------|--------|
-| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+|-------------------------|---------------------------------------------------------------|--------|
+| **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
+| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
+| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
+| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
+| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
 | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
 | **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
-| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml <br>%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\SignedReputable.xml |
+| **Example supplemental policy** | This example policy shows how to use supplemental policy to expand the DefaultWindows_Audit.xml allow a single Microsoft-signed file. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Supplemental.xml |
+| **Microsoft Recommended Block List** | This policy includes a list of Windows and Microsoft-signed code that Microsoft recommends blocking when using WDAC, if possible. | [Microsoft recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules) <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_UserMode_Blocklist.xml |
+| **Microsoft recommended driver blocklist** | This policy includes rules to block known vulnerable or malicious kernel drivers. | [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules) <br> %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\RecommendedDriverBlock_Enforced.xml <br> %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\Recommended_Driver_Blocklist.xml |
+| **Windows S mode** | This policy includes the rules used to enforce [Windows S mode](https://support.microsoft.com/en-us/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85). | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSiPolicy.xml.xml |
+| **Windows 11 SE** | This policy includes the rules used to enforce [Windows 11 SE](/education/windows/windows-11-se-overview), a version of Windows built for use in schools. | %ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\WinSEPolicy.xml.xml |
+
+> [!NOTE]
+> Not all policies shown available at %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies can be found on all versions of Windows.
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 49ba15bfb5..4da8421cfe 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -9,7 +9,7 @@ author: jgeurten
 ms.reviewer: aaroncz
 ms.author: jogeurte
 manager: aaroncz
-ms.date: 06/27/2022
+ms.date: 11/02/2022
 ms.custom: asr
 ms.topic: overview
 ---
@@ -27,17 +27,17 @@ ms.topic: overview
 
 | Capability  | Windows Defender Application Control | AppLocker   |
 |-------------|------|-------------|
-| Platform support    | Available on Windows 10, Windows 11, and Windows Server 2016 or later  | Available on Windows 8 or later   |
-| SKU availability     | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs.  | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs.  |
-| Management solutions   | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul>  | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
-| Per-User and Per-User group rules | Not available (policies are device-wide)  | Available on Windows 8+  |
-| Kernel mode policies  | Available on all Windows 10 versions and Windows 11  | Not available |
-| Per-app rules  | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)  | Not available |
-| Managed Installer (MI)  | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md)  | Not available  |
-| Reputation-Based intelligence     | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md)  | Not available |
-| Multiple policy support           | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md)  | Not available  |
-| Path-based rules                  | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions aren't supported. Runtime user-writeability checks enforced by default.  | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
-| COM object configurability        | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md)  | Not available |
-| Packaged app rules                | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md)  | Available on Windows 8+   |
-| Enforceable file types       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll, .rll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
-| Application ID (AppId) Tagging | [Available on 20H1+](./AppIdTagging/windows-defender-application-control-appid-tagging-guide.md)  | Not available |
+| Platform support    | Available on Windows 10, Windows 11, and Windows Server 2016 or later.  | Available on Windows 8 or later.   |
+| SKU availability     | Available on Windows 10, Windows 11, and Windows Server 2016 or later. <br> WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies deployed through GP are only supported on Enterprise and Server editions.<br>Policies deployed through MDM are supported on all editions. |
+| Management solutions   | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md)</li><li>[Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)</li></ul>  | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
+| Per-User and Per-User group rules | Not available (policies are device-wide).  | Available on Windows 8+.  |
+| Kernel mode policies  | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. |
+| [Per-app rules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules)  | Available on Windows 10, Windows 11, and Windows Server 2019 or later.  | Not available. |
+| [Managed Installer (MI)](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer)  | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. |
+| [Reputation-Based intelligence](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph)     | Available on Windows 10, Windows 11, and Windows Server 2019 or later.  | Not available. |
+| [Multiple policy support](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Available on Windows 10, version 1903 and above, Windows 11, and Windows Server 2022.  | Not available.  |
+| [Path-based rules](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create) | Available on Windows 10, version 1903 and above, Windows 11, and Windows Server 2019 or later. Exclusions aren't supported. Runtime user-writeability checks enforced by default.  | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| [COM object allowlisting](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. |
+| [Packaged app rules](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 10, Windows 11, and Windows Server 2019 or later.  | Available on Windows 8+. |
+| Enforceable file types | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll, .rll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
+| [Application ID (AppId) Tagging](/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide) | Available on Windows 10, version 20H1 and above, and Windows 11. | Not available. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 80be7ef669..407e490e72 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -9,7 +9,7 @@ author: jsuther1974
 ms.reviewer: jgeurten
 ms.author: vinpa
 manager: aaroncz
-ms.date: 09/29/2021
+ms.date: 11/04/2022
 ms.topic: reference
 ---
 
@@ -22,11 +22,11 @@ ms.topic: reference
 - Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md).
 
-Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
+Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.
 
-Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
+Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including WDAC:
 
 - addinprocess.exe
 - addinprocess32.exe
@@ -94,24 +94,25 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 | `Oddvar Moe` | `@Oddvarmoe` |
 | `Philip Tsukerman` | `@PhilipTsukerman` |
 | `Vladas Bulavas` | `Kaspersky Lab` |
+| `Will Dormann` | `@wdormann` |
 | `William Easton` | `@Strawgate` |
 
 > [!NOTE]
 > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
 
-Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
+Certain software applications may allow other code to run by design. Such applications should be blocked by your WDAC policy. In addition, when an application version is upgraded to fix a security vulnerability or potential WDAC bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
 
-Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes. 
+Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass WDAC. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
 
 As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules.
 
-Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. As of March 2019, each version of Windows requires blocking a specific version of the following files:
+If you wish to use this blocklist policy on Windows Server 2016, locate the deny rules for the following files, and change the comment block to only include the rules for that OS version. Applying the RS5+ rules to Windows Server 2016 may cause apps to malfunction:
 
 - msxml3.dll
 - msxml6.dll
 - jscript9.dll
 
-Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
+The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below.
 
 <br>
 <details>
@@ -144,6 +145,8 @@ Select the correct version of each .dll for the Windows release you plan to supp
   <EKUs />
   <!-- File Rules  -->
   <FileRules>
+    <Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
+    <Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />
     <Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
@@ -160,7 +163,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
     <Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
-	<Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
+    <Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_KD_KMCI" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
@@ -181,7 +184,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
     <Deny ID="ID_DENY_RUNSCRIPTHELPER" FriendlyName="runscripthelper.exe" FileName="runscripthelper.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
-	<Deny ID="ID_DENY_WEBCLNT" FriendlyName="BlockWebDAV WebClnt" FileName="davsvc.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355"/> 
+    <Deny ID="ID_DENY_WEBCLNT" FriendlyName="BlockWebDAV WebClnt" FileName="davsvc.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355"/> 
     <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
     <Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
@@ -196,26 +199,11 @@ Select the correct version of each .dll for the Windows release you plan to supp
     <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>
     <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.14393.2607"/>
     -->
-      <!-- RS2 Windows 1703
-    <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.15063.1386"/>
-    <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.15063.1386"/>
-    <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.15063.1445"/>
-    -->
-      <!-- RS3 Windows 1709
-    <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.16299.725"/>
-    <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.16299.725"/>
-    <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.16299.785"/>
-    -->
-      <!-- RS4 Windows 1803
-    <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.17134.344"/>
-    <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.17134.344"/>
-    <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.17134.406"/>
-    -->
-      <!-- RS5 Windows 1809
+      <!-- RS5 Windows 1809 -->
     <Deny  ID="ID_DENY_MSXML3"        FriendlyName="msxml3.dll"         FileName="msxml3.dll" MinimumFileVersion ="8.110.17763.54"/>
     <Deny  ID="ID_DENY_MSXML6"        FriendlyName="msxml6.dll"         FileName="msxml6.dll" MinimumFileVersion ="6.30.17763.54"/>
     <Deny  ID="ID_DENY_JSCRIPT9"      FriendlyName="jscript9.dll"       FileName="jscript9.dll" MinimumFileVersion ="11.0.17763.133"/>
-    -->
+    <!-- -->
     <Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" />
     <Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" />
     <Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40" />
@@ -853,6 +841,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
     <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Driver Signing Scenarios">
       <ProductSigners>
         <FileRulesRef>
+          <FileRuleRef RuleID="ID_ALLOW_A_1" />
           <FileRuleRef RuleID="ID_DENY_KD_KMCI" />
         </FileRulesRef>
       </ProductSigners>
@@ -860,6 +849,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
     <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenarios">
       <ProductSigners>
         <FileRulesRef>
+          <FileRuleRef RuleID="ID_ALLOW_A_2" />
           <FileRuleRef RuleID="ID_DENY_ADDINPROCESS" />
           <FileRuleRef RuleID="ID_DENY_ADDINPROCESS32" />
           <FileRuleRef RuleID="ID_DENY_ADDINUTIL" />
@@ -876,7 +866,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
           <FileRuleRef RuleID="ID_DENY_FSI" />
           <FileRuleRef RuleID="ID_DENY_FSI_ANYCPU" />
           <FileRuleRef RuleID="ID_DENY_INFINSTALL" />
-		  <FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
+          <FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
           <FileRuleRef RuleID="ID_DENY_KD" />
           <FileRuleRef RuleID="ID_DENY_KILL" />
           <FileRuleRef RuleID="ID_DENY_LXSS" />
@@ -896,7 +886,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
           <FileRuleRef RuleID="ID_DENY_RUNSCRIPTHELPER" />
           <FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM" />
           <FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY" />
-		  <FileRuleRef RuleID="ID_DENY_WEBCLNT" />
+          <FileRuleRef RuleID="ID_DENY_WEBCLNT" />
           <FileRuleRef RuleID="ID_DENY_WFC" />
           <FileRuleRef RuleID="ID_DENY_WINDBG" />
           <FileRuleRef RuleID="ID_DENY_WMIC" />
@@ -904,11 +894,9 @@ Select the correct version of each .dll for the Windows release you plan to supp
           <FileRuleRef RuleID="ID_DENY_WSL" />
           <FileRuleRef RuleID="ID_DENY_WSLCONFIG" />
           <FileRuleRef RuleID="ID_DENY_WSLHOST" />
-          <!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
-		  <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
-		  <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
-		  <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-		  -->
+          <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
+          <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
+          <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
           <FileRuleRef RuleID="ID_DENY_D_1" />
           <FileRuleRef RuleID="ID_DENY_D_2" />
           <FileRuleRef RuleID="ID_DENY_D_3" />
@@ -1527,9 +1515,6 @@ Select the correct version of each .dll for the Windows release you plan to supp
 
 </details>
 
-> [!NOTE]
-> To create a policy that works on both Windows 10, version 1803 and version 1809, you can create two different policies, or merge them into one broader policy.
-
 ## More information
 
-- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
+- [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 2e43f93faa..25e864f812 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -9,12 +9,15 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 author: jgeurten
-ms.reviewer: isbrahm
+ms.reviewer: jsuther
 ms.author: vinpa
 manager: aaroncz
-ms.date: 10/07/2022
+ms.date: 11/01/2022
+ms.technology: itpro-security
 ---
 
 # Microsoft recommended driver block rules
@@ -36,25 +39,31 @@ Microsoft has strict requirements for code running in kernel. So, malicious acto
 
 Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
 
+> [!NOTE]
+> Blocking drivers can cause devices or software to malfunction, and in rare cases, lead to blue screen. The vulnerable driver blocklist is not guaranteed to block every driver found to have vulnerabilities. Microsoft attempts to balance the security risks from vulnerable drivers with the potential impact on compatibility and reliability to produce the blocklist. As always, Microsoft recommends using an explicit allow list approach to security wherever possible.
+
 ## Microsoft vulnerable driver blocklist
 
 <!-- MAXADO-6286432 -->
 
-With Windows 11 2022 update, the vulnerable driver blocklist  is enabled by default for all devices, and can be turned on or off via the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app. The vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active. Users can opt in to HVCI using the Windows Security app, and HVCI is on by-default for most new Windows 11 devices.
+With Windows 11 2022 update, the vulnerable driver blocklist  is enabled by default for all devices, and can be turned on or off via the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app. Except on Windows Server 2016, the vulnerable driver blocklist is also enforced when either memory integrity (also known as hypervisor-protected code integrity or HVCI), Smart App Control, or S mode is active. Users can opt in to HVCI using the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app, and HVCI is on by-default for most new Windows 11 devices.
 
 > [!NOTE]
-> The option to turn Microsoft's vulnerable driver blocklist on or off using the [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2) app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
+>
+> - The Windows Security app is updated separately from the OS and ships out of box. The version with the vulnerable driver blocklist toggle is in the final validation ring and will ship to all customers very soon. Initially, you will be able to view the configuration state only and the toggle will appear grayed out. The ability to turn the toggle on or off will come with a future Windows update.
+>
+> - For Windows Insiders, the option to turn Microsoft's vulnerable driver blocklist on or off using the Windows Security app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
 
-The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing.
+The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.
 
 Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies.
 
 ## Blocking vulnerable drivers using WDAC
 
-Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
+Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
 
 > [!IMPORTANT]
-> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
+> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading.
 
 <br>
 <details>
@@ -2181,7 +2190,10 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
 </details>
 
 > [!NOTE]
-> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
+> The policy listed above contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations).
+
+> [!NOTE]
+> To use the policy above with Windows Server 2016, you must convert the policy XML on a device running a newer operating system.
 
 ## Steps to download and apply the vulnerable driver blocklist binary
 
@@ -2198,7 +2210,7 @@ To check that the policy was successfully applied on your computer:
 1. Open Event Viewer
 2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational**
 3. Select **Filter Current Log...**
-4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK
+4. Replace "&lt;All Event IDs&gt;" with "3099" and select OK.
 5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present.
 
 > [!NOTE]
diff --git a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
similarity index 98%
rename from windows/security/threat-protection/windows-defender-application-control/citool-commands.md
rename to windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
index 5a2d7b7e72..88273c3c74 100644
--- a/windows/security/threat-protection/windows-defender-application-control/citool-commands.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md
@@ -3,11 +3,12 @@ title: Managing CI Policies and Tokens with CiTool
 description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
 author: valemieux
 ms.author: jogeurte
-ms.service: security
 ms.reviewer: jogeurte
 ms.topic: how-to
 ms.date: 08/07/2022
 ms.custom: template-how-to
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Manage Windows Defender Application Control (WDAC) Policies with CI Tool
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 4c0c1f6e41..08f23bb4ca 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -11,10 +11,10 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 02/21/2018
+ms.date: 11/02/2022
 ms.technology: itpro-security
 ---
 
@@ -22,9 +22,9 @@ ms.technology: itpro-security
 
 **Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -38,11 +38,11 @@ The first step in implementing application control is to consider how your polic
 Most Windows Defender Application Control policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
 
 1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files aren't prevented from executing.
-2. Deploy the audit mode policy to intended devices.
-3. Monitor audit block events from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
+2. [Deploy the audit mode policy](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) to intended devices.
+3. [Monitor audit block events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations) from the intended devices and add/edit/delete rules as needed to address unexpected/unwanted blocks.
 4. Repeat steps 2-3 until the remaining block events meet expectations.
-5. Generate the enforced mode version of the policy. In enforced mode, files that aren't allowed by the policy are prevented from executing and corresponding block events are generated.
-6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
+5. [Generate the enforced mode version](/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies) of the policy. In enforced mode, files that aren't allowed by the policy are prevented from executing and corresponding block events are generated.
+6. [Deploy the enforced mode policy](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.  
 
 ![Recommended WDAC policy deployment process.](images/policyflow.png)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index d955ebfc22..836db5154a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -67,7 +67,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **8 Required:EV Signers** | This option isn't currently supported. | No |
 | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
 | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).<br/> NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement). <br/> NOTE: This option isn't supported on Windows Server 2016 and shouldn't be used on that operating system. | No |
 | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
 | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
 | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
@@ -150,7 +150,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
 You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
 
 > [!NOTE]
-> When authoring WDAC policies with Microsoft Endpoint Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied.
+> When authoring WDAC policies with Microsoft Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied.
 
 > [!NOTE]
 > There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules.
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index 5bf1b7518f..7122339287 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -42,11 +42,11 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes
 
 ## An introduction to Lamna Healthcare Company
 
-In the next set of topics, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
+In the next set of articles, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
 
 Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
 
-Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Endpoint Manager to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
+Lamna uses [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Intune to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
 
 Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized many new security IT responses, including tightening policies for application use and introducing application control.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 73a8d6f71b..6627e9c50a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -29,7 +29,7 @@ ms.technology: itpro-security
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-This topic is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
+This article is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
 
 When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance.
 
@@ -62,7 +62,7 @@ Organizations with well-defined, centrally managed app management and deployment
 
 | Possible answers | Design considerations|
 | - | - |
-| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. Windows Defender Application Control options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
+| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Intune](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. Windows Defender Application Control options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
 | Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide Windows Defender Application Control policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. |
 | Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | Windows Defender Application Control can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
 | Users and teams are free to download and install apps without restriction. | Windows Defender Application Control policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
@@ -74,7 +74,7 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p
 | Possible answers | Design considerations |
 | - | - |
 | All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
-| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can  [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | 
+| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can  [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Intune offer multiple ways to distribute signed App Catalogs. | 
  
 ### Are there specific groups in your organization that need customized application control policies?
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index e752db3d0d..ca5b20ff1f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 08/15/2022
+ms.date: 11/04/2022
 ms.technology: itpro-security
 ---
 
@@ -42,10 +42,10 @@ Signed Windows Defender Application Control (WDAC) policies give organizations t
 
 Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
 
-Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. 
+Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward.
 If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA.
 
-Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
+Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options **Enabled:Advanced Boot Options Menu** and **10 Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
 
 To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components:
 
@@ -85,7 +85,7 @@ If you don't have a code signing certificate, see [Optional: Create a code signi
 
    > [!NOTE]
    > *&lt;Path to exported .cer certificate&gt;* should be  the full path to the certificate that you exported in   step 3.
-   Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows).
+   Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Remove WDAC policies](disable-windows-defender-application-control-policies.md).
 
 6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 13c68dea7d..6830e5bbcd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -13,8 +13,8 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
-ms.date: 02/10/2022
+ms.reviewer: jogeurte
+ms.date: 11/02/2022
 ms.technology: itpro-security
 ---
 
@@ -24,31 +24,28 @@ ms.technology: itpro-security
 
 - Windows 10
 - Windows 11
-- Windows Server 2016 and above
+- Windows Server 2019 and above
 
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-As of Windows 10, version 1703, you can use Windows Defender Application Control (WDAC) policies to control applications and also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
+You can use Windows Defender Application Control (WDAC) policies to control applications and also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
 
-| Approach (as of Windows 10, version 1703) | Guideline |
+| Approach | Guideline |
 |---|---|
 | You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
 | In addition, you can work  from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |
 
-To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section).
-
-For example, to create a Windows Defender Application Control policy allowing **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. In the second command, **+=** is used to add a second rule to the **$rule** variable:
+For example, to add rules to a WDAC policy called "Lamna_FullyManagedClients_Audit.xml" that allow **addin1.dll** and **addin2.dll** to be run by **ERP1.exe**, Lamna's enterprise resource planning (ERP) application, run the following commands. In the second command, **+=** is used to add a second rule to the **$rule** variable:
 
 ```powershell
 $rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
 $rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
-New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
 ```
 
-As another example, to create a Windows Defender Application Control policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application:
+As another example, to create a Windows Defender Application Control policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application. Once you have all the rules you want, you can merge them into an existing WDAC policy using the Merge-CIPolicy cmdlet as shown here:
 
 ```powershell
-$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
-New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
+$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
+Merge-CIPolicy -OutputFilePath .\Lamna_FullyManagedClients_Audit.xml -PolicyPaths .\Lamna_FullyManagedClients_Audit.xml -Rules $rule
 ```
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 8b34bf7ff2..a5d9f79a3f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -111,4 +111,4 @@ Packaged apps aren't supported with the ISG and will need to be separately autho
 The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.  
 
 > [!NOTE]
-> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
+> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Intune's built-in WDAC support includes the option to trust apps with good reputation via the ISG, but it has no option to add explicit allow or deny rules. In most cases, customers using application control will need to deploy a custom WDAC policy (which can include the ISG option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
index 78fa9baa34..1676591088 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -67,7 +67,7 @@ A description of each policy rule, beginning with the left-most column, is provi
 | **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 isn't supported and may have unintended results. |
 |**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
 | **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by the Microsoft Intelligent Security Graph (ISG). |
-| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
+| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
 | **Require WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Henceforth, every new Windows–compatible driver must be WHQL certified. |
 | **Update Policy without Rebooting** | Use this option to allow future Windows Defender Application Control policy updates to apply without requiring a system reboot. |
 | **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
index ef8ad65e17..05d77d395a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
@@ -62,7 +62,7 @@ There are only three policy rules that can be configured by the supplemental pol
 | Rule option | Description |
 |------------ | ----------- |
 | **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
-| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
+| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Configuration Manager, that has been defined as a managed installer. |
 | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
 
 ![Rule options UI for Windows Allowed mode.](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 78914e67c0..c8a1476cff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -59,6 +59,6 @@ All Windows Defender Application Control policy changes should be deployed in au
 There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
 
 - [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
-- [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
+- [Deploy using Microsoft Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
 - [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
 - [Deploy via group policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index cf2b67e225..b0da802f2e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -9,7 +9,9 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 author: vinaypamnani-msft
 ms.reviewer: isbrahm
 ms.author: vinpa
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 6979f8363a..ab88f6b52c 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -25,7 +25,7 @@ ms.technology: itpro-security
 - Windows 11
 
 
-The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
+The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they're seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
 
 The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 523459b18b..958d4c9085 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -40,7 +40,7 @@ You can only use Group Policy to change these settings.
 
 ## Use Group Policy to hide non-critical notifications
 
-You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Endpoint Configuration Manager reporting).
+You can hide notifications that describe regular events related to the health and security of the machine. These notifications are the ones that don't require an action from the machine's user. It can be useful to hide these notifications if you find they're too numerous or you have other status reporting on a larger scale (such as Update Compliance or Microsoft Configuration Manager reporting).
 
 These notifications can be hidden only by using Group Policy.
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index fced865bd5..d34c5fc2b0 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -9,6 +9,8 @@ ms.author: vinpa
 ms.reviewer: 
 manager: aaroncz
 ms.technology: itpro-security
+ms.collection: 
+  - highpri
 ---
 
 # The Windows Security app
@@ -68,7 +70,7 @@ For more information about each section, options for configuring the sections, a
     ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png)
 
 > [!NOTE]
-> Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security.
+> Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Configuration Manager, will generally take precedence over the settings in the Windows Security.
 
 ## How the Windows Security app works with Windows security features
 
@@ -94,7 +96,7 @@ The Windows Security app operates as a separate app or process from each of the
 
 It acts as a collector or single place to see the status and perform some configuration for each of the features.
 
-If you disable any of the individual features, it will prevent that feature from reporting its status in the Windows Security app. For example, if you disable a feature through group policy or other management tools, such as Microsoft Endpoint Configuration Manager. The Windows Security app itself will still run and show status for the other security features.
+If you disable any of the individual features, it will prevent that feature from reporting its status in the Windows Security app. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager. The Windows Security app itself will still run and show status for the other security features.
 
 > [!IMPORTANT]
 > If you individually disable any of the services, it won't disable the other services or the Windows Security app.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index a942f45633..a5a4b985e6 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -82,7 +82,7 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def
 
 ![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png)
 
-After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
+After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
 
 ## System requirements for System Guard
 
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 55305f58b2..5dbd0f57e6 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: paolomatarazzo
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index 73e20f347d..011af27334 100644
--- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -53,7 +53,7 @@ By default, in new installations, Windows Defender Firewall with Advanced Securi
 
 If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
 
-Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. 
+Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This approach is the recommended one for third-party firewalls to coexist with the Windows Defender Firewall; third-party firewalls that comply with this recommendation have the certified logo from Microsoft.
 
 An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation.
 
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index 1c15d341b1..eeb43f2414 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -3,6 +3,7 @@ title: Best practices for configuring Windows Defender Firewall
 description: Learn about best practices for configuring Windows Defender Firewall
 keywords: firewall, best practices, security, network security, network, rules, filters,
 ms.prod: windows-client
+ms.date: 11/09/2022
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
@@ -11,26 +12,18 @@ author: paolomatarazzo
 ms.localizationpriority: medium
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: article
 ms.technology: itpro-security
 appliesto: 
-  - ✅ <b>Windows 10</b>
-  - ✅ <b>Windows 11</b>
-  - ✅ <b>Windows Server 2016</b>
-  - ✅ <b>Windows Server 2019</b>
-  - ✅ <b>Windows Server 2022</b>
+  - ✅ <b>Windows 10 and later</b>
+  - ✅ <b>Windows Server 2016 and later</b>
 ---
 
 # Best practices for configuring Windows Defender Firewall
 
-**Applies to**
-
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
-
-
 Windows Defender Firewall with Advanced Security provides host-based, two-way
 network traffic filtering and blocks unauthorized network traffic flowing into
 or out of the local device. Configuring your Windows Firewall based on the
@@ -38,8 +31,8 @@ following best practices can help you optimize protection for devices in your
 network. These recommendations cover a wide range of deployments including home
 networks and enterprise desktop/server systems.
 
-To open Windows Firewall, go to the **Start** menu, select **Run**,
-type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md).
+To open Windows Firewall, go to the **Start** menu, select **Run**,
+type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md).
 
 ## Keep default settings
 
@@ -49,18 +42,14 @@ When you open the Windows Defender Firewall for the first time, you can see the
 
 *Figure 1: Windows Defender Firewall*
 
-1.  **Domain profile**: Used for networks where there's a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC
-
-2.  **Private profile**: Designed for and best used
-    in private networks such as a home network
-
-3.  **Public profile**: Designed with higher security in mind
-    for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
+1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller
+1. **Private profile**: Designed for and best used in private networks such as a home network
+1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
 
 View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**.
 
 Maintain the default settings in Windows Defender
-Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. 
+Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
 
 ![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png)
 
@@ -82,27 +71,20 @@ This rule-adding task can be accomplished by right-clicking either **Inbound Rul
 *Figure 3: Rule Creation Wizard*
 
 > [!NOTE]
->This article does not cover step-by-step rule
-configuration. See the [Windows Firewall with Advanced Security Deployment
-Guide](./windows-firewall-with-advanced-security-deployment-guide.md)
-for general guidance on policy creation.
+>This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](./windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation.
 
-In many cases, allowing specific types of inbound traffic will be required for
-applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when
-allowing these inbound exceptions.
+In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions.
 
-1.  Explicitly defined allow rules will take precedence over the default block setting.
-
-2.  Explicit block rules will take precedence over any conflicting allow rules.
-
-3.  More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
+1. Explicitly defined allow rules will take precedence over the default block setting.
+1. Explicit block rules will take precedence over any conflicting allow rules.
+1. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
 
 Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
 
 A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
 
-> [!NOTE] 
-> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. 
+> [!NOTE]
+> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
 
 ## Create rules for new applications before first launch
 
@@ -121,7 +103,6 @@ In either of the scenarios above, once these rules are added they must be delete
 > [!NOTE]
 > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. 
 
-
 ### Known issues with automatic rule creation
 
 When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
@@ -130,11 +111,9 @@ The absence of these staged rules doesn't necessarily mean that in the end an ap
 
 To determine why some applications are blocked from communicating in the network, check for the following instances:
 
-1.  A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
-
-2.  A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.
-
-3.  Local Policy Merge is disabled, preventing the application or network service from creating local rules.
+1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
+1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.
+1. Local Policy Merge is disabled, preventing the application or network service from creating local rules.
 
 Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
 
@@ -148,9 +127,9 @@ See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbou
 
 Firewall rules can be deployed:
 
-1. Locally using the Firewall snap-in (**WF.msc**) 
-2. Locally using PowerShell 
-3. Remotely using Group Policy if the device is a member of an Active Directory Name, System  Center Configuration Manager, or Intune (using workplace join)
+1. Locally using the Firewall snap-in (**WF.msc**)
+1. Locally using PowerShell 
+1. Remotely using Group Policy if the device is a member of an Active Directory Name, System  Center Configuration Manager, or Intune (using workplace join)
 
 Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
 
@@ -161,8 +140,7 @@ The rule-merging settings either allow or prevent local administrators from crea
 *Figure 5: Rule merging setting*
 
 > [!TIP]
-> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the
-equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. 
+> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
 
 If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
 
@@ -171,15 +149,12 @@ Management (MDM), or both (for hybrid or co-management environments).
 
 [Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging.
 
-As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. 
+As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
 
 In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes.
 
-
-
 > [!NOTE]
-> The use of wildcard patterns, such as *C:\*\\teams.exe* is not
-supported in application rules. We currently only support rules created using the full path to the application(s).
+> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s).
 
 ## Know how to use "shields up" mode for active attacks
 
@@ -206,15 +181,12 @@ Once the emergency is over, uncheck the setting to restore regular network traff
 
 What follows are a few general guidelines for configuring outbound rules.
 
-- The default configuration of Blocked for Outbound rules can be
-    considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default.
-
-- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use.
-
-- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments).
+- The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default
+- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use
+- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments)
 
 For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](./checklist-creating-outbound-firewall-rules.md).
 
 ## Document your changes
 
-When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
+When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index 89e08b0200..cae3c81088 100644
--- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -43,6 +43,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr
 
 4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**.
 
+    :::image type="content" alt-text="Screenshot that shows Copy Paste GPO." source="images/grouppolicy-paste.png":::
+
 5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler.
 
 6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*.
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index 36c1229f91..c714c14def 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: paolomatarazzo
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 7c7ec78966..3a2283e1cd 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -12,7 +12,9 @@ ms.localizationpriority: medium
 author: paolomatarazzo
 manager: aaroncz
 audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index dc02971c1c..a3d1293e65 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -26,7 +26,7 @@ appliesto:
 
 To get started, Open the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type. 
 Select Windows Defender Firewall.
-:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Endpoint Manager.":::
+:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Endpoint Manager admin center.":::
 
 >[!IMPORTANT]
 >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index ca93fb8e17..591aa2000d 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -7,7 +7,9 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 manager: aaroncz
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png
new file mode 100644
index 0000000000..ba2de148f1
Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/grouppolicy-paste.png differ
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 4f01d53373..c71a87bdc4 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -7,7 +7,9 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: paolomatarazzo
 manager: aaroncz
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index f7513f29c6..26eefe0a15 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -6,7 +6,9 @@ ms.localizationpriority: medium
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.reviewer: jekrynit
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index e23ee6cb2e..37bb6cb877 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -1,35 +1,49 @@
 ---
 title: Common Criteria Certifications
 description: This topic details how Microsoft supports the Common Criteria certification program.
-ms.prod: m365-security
-author: dansimp
-ms.author: dansimp
+ms.prod: windows-client
+ms.author: paoloma
+author: paolomatarazzo
 manager: aaroncz
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 1/14/2022
+ms.date: 11/4/2022
 ms.reviewer: 
-ms.technology: windows-sec
+ms.technology: itpro-security
 ---
 
-# Common Criteria Certifications
+# Common Criteria certifications
 
-Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.  This topic lists the current and archived certified Windows products, together with relevant documentation from each certification.
+Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the *Common Criteria Certification Program*, ensures that products incorporate the features and functions required by relevant *Common Criteria Protection Profiles*, and completes *Common Criteria certifications* of Microsoft Windows products.  This topic lists the current and archived certified Windows products, together with relevant documentation from each certification.
 
-## Certified Products
+## Certified products
 
-The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/).  The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation.  The Administrative Guide provides guidance on configuring the product to match the evaluated configuration.  The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions.
+The product releases below are currently certified against the cited *Protection Profile*, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/):
 
-### Microsoft Windows 10, Windows Server version 2004 (May 2020 Update); Microsoft Windows Server Core Datacenter (Azure Frabic Controller); Microsoft Windows Server Core Datacenter (Azure Stack)
-Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
+- The *Security Target* describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the *Protection Profile* used as part of the evaluation
+- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
+- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
+
+For more details, expand each product section.
+
+<br>
+
+<details>
+<summary><b>  Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack)</b></summary>
+
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients
 
 - [Security Target](https://download.microsoft.com/download/a/5/6/a5650848-e86a-4554-bb13-1ad6ff2d45d2/Windows%2010%202004%20GP%20OS%20Security%20Target.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/4/a/6/4a66a459-3c73-4c34-84bb-92cb20301206/Windows%2010%202004%20GP%20OS%20Administrative%20Guide.pdf)
 - [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf)
 
-### Microsoft Windows Server, Windows 10 version 1909 (November 2019 Update), Microsoft Windows Server 2019 (version 1809) Hyper-V
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V</b></summary>
+
 Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization.
 
 - [Security Target](https://download.microsoft.com/download/5/f/6/5f6efbb4-88a0-4161-953d-de07450b7107/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Security%20Target.pdf)
@@ -37,23 +51,35 @@ Certified against the Protection Profile for Virtualization, including the Exten
 - [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf)
 - [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909)
-Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1909, Windows Server, version 1909</b></summary>
+
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.</b></summary>
 
 - [Security Target](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
 - [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 and Windows Server (May 2019 Update, version 1903)
-Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1903, Windows Server, version 1903</b></summary>
+
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.</b></summary>
 
 - [Security Target](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
 - [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 and Windows Server (October 2018 Update, version 1809)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1809, Windows Server, version 1809</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
 
 - [Security Target](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
@@ -61,7 +87,11 @@ Certified against the Protection Profile for General Purpose Operating Systems,
 - [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 and Windows Server (April 2018 Update, version 1803)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1803, Windows Server, version 1803</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
 
 - [Security Target](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
@@ -69,7 +99,11 @@ Certified against the Protection Profile for General Purpose Operating Systems,
 - [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 and Windows Server (Fall Creators Update, version 1709)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1709, Windows Server, version 1709</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems.
 
 - [Security Target](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
@@ -77,7 +111,11 @@ Certified against the Protection Profile for General Purpose Operating Systems.
 - [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 (Creators Update, version 1703)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1703, Windows Server, version 1703</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems.
 
 - [Security Target](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
@@ -85,7 +123,11 @@ Certified against the Protection Profile for General Purpose Operating Systems.
 - [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf) 
 
-### Microsoft Windows 10 (Anniversary Update, version 1607) and Windows Server 2016
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1607, Windows Server 2016</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems.
 
 - [Security Target](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
@@ -93,7 +135,11 @@ Certified against the Protection Profile for General Purpose Operating Systems.
 - [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 (version 1507) and Windows Server 2012 R2
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1507, Windows Server 2012 R2</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
@@ -101,19 +147,35 @@ Certified against the Protection Profile for General Purpose Operating Systems.
 - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf)
 
-## Archived Certified Products
+</details>
 
-The product releases below were certified against the cited Protection Profile and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1).  The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation.  The Administrative Guide provides guidance on configuring the product to match the evaluated configuration.  The Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report, where available, providing details on the evaluator's actions.
+## Archived certified products
 
-### Microsoft Windows Server 2016, Windows Server 2012 R2, and Windows 10
-Certified against the Protection Profile for Server Virtualization. 
+The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1):
+
+- The *Security Target* describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the *Protection Profile* used as part of the evaluation
+- The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration
+- The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions
+
+For more details, expand each product section.
+
+
+<br>
+<details>
+<summary><b>  Windows Server 2016, Windows Server 2012 R2, Windows 10</b></summary>
+
+Certified against the Protection Profile for Server Virtualization.
 
 - [Security Target](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
 - [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 and Windows 10 Mobile (Anniversary Update, version 1607)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1607, Windows 10 Mobile, version 1607</b></summary>
+
 Certified against the Protection Profile for Mobile Device Fundamentals.
 
 - [Security Target](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
@@ -121,7 +183,11 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
 - [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf) 
 
-### Microsoft Windows 10 (Anniversary Update, version 1607) and Windows Server 2016
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1607, Windows Server 2016</b></summary>
+
 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
 
 - [Security Target](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
@@ -129,7 +195,11 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
 - [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 (November 2015 Update, version 1511)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1511</b></summary>
+
 Certified against the Protection Profile for Mobile Device Fundamentals.
 
 - [Security Target](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
@@ -137,7 +207,11 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
 - [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 and Windows 10 Mobile (version 1507)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1507, Windows 10 Mobile, version 1507</b></summary>
+
 Certified against the Protection Profile for Mobile Device Fundamentals.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10677-st.pdf)
@@ -145,7 +219,11 @@ Certified against the Protection Profile for Mobile Device Fundamentals.
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf)
 
-### Microsoft Windows 10 (version 1507)
+</details>
+
+<details>
+<summary><b>  Windows 10, version 1507</b></summary>
+
 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
 
 - [Security Target](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
@@ -153,87 +231,134 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN)
 - [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
 - [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
 
-### Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830
+</details>
+
+<details>
+<summary><b>  Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830</b></summary>
+
 Certified against the Protection Profile for Mobile Device Fundamentals.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf)
 
-### Microsoft Surface Pro 3 and Windows 8.1
+</details>
+
+<details>
+<summary><b>  Surface Pro 3, Windows 8.1</b></summary>
+
 Certified against the Protection Profile for Mobile Device Fundamentals.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf)
 
-### Windows 8.1 and Windows Phone 8.1
+</details>
+
+<details>
+<summary><b>  Windows 8.1, Windows Phone 8.1</b></summary>
+
 Certified against the Protection Profile for Mobile Device Fundamentals.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf)
 
-### Windows 8 and Windows Server 2012
+</details>
+
+<details>
+<summary><b>  Windows 8, Windows Server 2012</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf)
 
-### Windows 8 and Windows RT
+</details>
+
+<details>
+<summary><b>  Windows 8, Windows RT</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf)
 
-### Windows 8 and Windows Server 2012 BitLocker
+</details>
+
+<details>
+<summary><b>  Windows 8, Windows Server 2012 BitLocker</b></summary>
+
 Certified against the Protection Profile for Full Disk Encryption.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
 
-### Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client
+</details>
+
+<details>
+<summary><b>  Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client</b></summary>
+
 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
 - [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
 
-### Windows 7 and Windows Server 2008 R2
+</details>
+
+<details>
+<summary><b>  Windows 7, Windows Server 2008 R2</b></summary>
+
 Certified against the Protection Profile for General Purpose Operating Systems.
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
 - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
 
-### Microsoft Windows Server 2008 R2 Hyper-V Role
+</details>
+
+<details>
+<summary><b>  Microsoft Windows Server 2008 R2 Hyper-V Role</b></summary>
 
 - [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305)
 - [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
 
-### Windows Vista and Windows Server 2008 at EAL4+
+</details>
+
+<details>
+<summary><b>  Windows Vista, Windows Server 2008 at EAL4+</b></summary>
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
 - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
 
-### Windows Vista and Windows Server 2008 at EAL1
+</details>
+
+<details>
+<summary><b>  Windows Vista, Windows Server 2008 at EAL1</b></summary>
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
 - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
 - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
 
-### Microsoft Windows Server 2008 Hyper-V Role
+</details>
+
+<details>
+<summary><b>  Microsoft Windows Server 2008 Hyper-V Role</b></summary>
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
 - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
 - [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) 
 
-### Windows Server 2003 Certificate Server
+</details>
+
+<details>
+<summary><b>  Windows Server 2003 Certificate Server</b></summary>
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
 - [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
@@ -242,7 +367,12 @@ Certified against the Protection Profile for General Purpose Operating Systems.
 - [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
 
-### Windows Rights Management Services
+</details>
+
+<details>
+<summary><b>  Windows Rights Management Services</b></summary>
 
 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
 - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
+
+</details>
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index af6ccea817..58fb302ed7 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -6,6 +6,7 @@ author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.collection: 
+  - highpri
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 
@@ -228,12 +229,14 @@ With the Visual Studio Code installer script already mapped into the sandbox, th
 
 ### VSCodeInstall.cmd
 
+Download vscode to `downloads` folder and run from `downloads` folder
+
 ```batch
 REM Download Visual Studio Code
-curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
+curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe
 
 REM Install and run Visual Studio Code
-C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
+C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
 ```
 
 ### VSCode.wsb
@@ -243,15 +246,17 @@ C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
   <MappedFolders>
     <MappedFolder>
       <HostFolder>C:\SandboxScripts</HostFolder>
+      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads\sandbox</SandboxFolder>
       <ReadOnly>true</ReadOnly>
     </MappedFolder>
     <MappedFolder>
       <HostFolder>C:\CodingProjects</HostFolder>
+      <SandboxFolder>C:\Users\WDAGUtilityAccount\Documents\Projects</SandboxFolder>
       <ReadOnly>false</ReadOnly>
     </MappedFolder>
   </MappedFolders>
   <LogonCommand>
-    <Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
+    <Command>C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd</Command>
   </LogonCommand>
 </Configuration>
 ```
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 71216514cc..60ccff4e09 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -6,6 +6,7 @@ author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.collection: 
+  - highpri
 ms.topic: article
 ms.localizationpriority: 
 ms.date: 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 20ae8ff495..cb62adc90c 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -1,6 +1,6 @@
 ---
 title: Get support for security baselines
-description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related topics.
+description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related articles.
 ms.prod: windows-client
 ms.localizationpriority: medium
 ms.author: vinpa
@@ -32,13 +32,13 @@ Any version of Windows baseline before Windows 10 1703 can still be downloaded u
 
 **What file formats are supported by the new SCT?**
 
-The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported.
+The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported.
 
 **Does SCT support Desired State Configuration (DSC) file format?**
 
 No. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration.
 
-**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?**
+**Does SCT support the creation of Microsoft Configuration Manager DCM packs?**
 
 No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO Backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
 
@@ -77,7 +77,7 @@ Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-fo
 |           Name            |                                                                            Details                                                                            |                               Security Tools                                |
 |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
 |   Microsoft 365 Apps for enterprise, version 2206    | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) |     [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)     |
-|   Microsoft Edge, version 98    | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) |     [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)     |
+|   Microsoft Edge, version 107    | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) |     [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)     |
 
 <br />
 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 3b281b0dbb..11b8b102dd 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -6,7 +6,9 @@ ms.localizationpriority: medium
 ms.author: vinpa
 author: vinaypamnani-msft
 manager: aaroncz
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 02/14/2022
 ms.reviewer: rmunck
@@ -47,7 +49,7 @@ The Security Compliance Toolkit consists of:
     -   Microsoft 365 Apps for Enterprise Version 2206
     
 -   Microsoft Edge security baseline
-    -   Edge version 98
+    -   Edge version 107
 
 -   Tools
     -   Policy Analyzer
@@ -56,7 +58,7 @@ The Security Compliance Toolkit consists of:
     -   GPO to Policy Rules
 
 
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more information about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more information about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines).
 
 ## What is the Policy Analyzer tool?
 
@@ -68,7 +70,7 @@ The Policy Analyzer is a utility for analyzing and comparing sets of Group Polic
 
 Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. 
 
-More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/new-tool-policy-analyzer) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
 
 ## What is the Local Group Policy Object (LGPO) tool?
 
@@ -78,7 +80,7 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
 It can export local policy to a GPO backup. 
 It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
 
-Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
 
 ## What is the Set Object Security tool?
 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 160acacf0a..47647ffae7 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -6,7 +6,9 @@ ms.localizationpriority: medium
 ms.author: vinpa
 author: vinaypamnani-msft
 manager: aaroncz
-ms.collection: M365-security-compliance
+ms.collection: 
+  - M365-security-compliance
+  - highpri
 ms.topic: conceptual
 ms.date: 01/26/2022
 ms.reviewer: jmunck
@@ -54,7 +56,7 @@ Our recommendations follow a streamlined and efficient approach to baseline defi
 You can use security baselines to:
 
 - Ensure that user and device configuration settings are compliant with the baseline.
-- Set configuration settings. For example, you can use group policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
+- Set configuration settings. For example, you can use group policy, Microsoft Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
 
 ## Where can I get the security baselines?
 
@@ -64,7 +66,7 @@ There are several ways to get and use security baselines:
 
 2. [Mobile device management (MDM) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool.
 
-3. MDM security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
+3. MDM security baselines can easily be configured in Microsoft Intune on devices that run Windows 10 and Windows 11. For more information, see [List of the settings in the Windows 10/11 MDM security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
 
 ## Community
 
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index 37a654e8fd..64689039a1 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -1,18 +1,18 @@
 ---
 title: Secure Boot and Trusted Boot
 description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-search.appverid: MET150 
+search.appverid: MET150
 author: vinaypamnani-msft
 ms.author: vinpa
-manager: aaroncz 
+manager: aaroncz
 ms.topic: conceptual
 ms.date: 09/21/2021
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: 
 ms.custom: 
-ms.reviewer: jsuther  
+ms.reviewer: jsuther
 ---
 
 # Secure Boot and Trusted Boot
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index 6e2cf83c4a..84ff0bde52 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -1,5 +1,5 @@
 ---
-title: Zero Trust and Windows device health 
+title: Zero Trust and Windows device health
 description: Describes the process of Windows device health attestation
 ms.reviewer: 
 ms.topic: article
@@ -8,8 +8,8 @@ ms.author: paoloma
 author: paolomatarazzo
 ms.collection: M365-security-compliance
 ms.custom: intro-overview
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
 ---
 
 # Zero Trust and Windows device health
@@ -60,7 +60,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
 
 6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.
 
-7. The device then sends the report to the Microsoft Endpoint Manager cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
+7. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
 
 8. Conditional access, along with device-compliance state then decides to allow or deny access.
 
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 6a59ce9b38..d432c8a8ff 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -12,13 +12,24 @@
     - name: Prepare for Windows 11
       href: windows-11-prepare.md
     - name: What's new in Windows 11, version 22H2
-      href: whats-new-windows-11-version-22h2.md     
+      href: whats-new-windows-11-version-22h2.md
 - name: Windows 10
   expanded: true
   items:
+    - name: What's new in Windows 10, version 22H2
+      href: whats-new-windows-10-version-22H2.md
     - name: What's new in Windows 10, version 21H2
       href: whats-new-windows-10-version-21H2.md
     - name: What's new in Windows 10, version 21H1
       href: whats-new-windows-10-version-21H1.md
     - name: What's new in Windows 10, version 20H2
       href: whats-new-windows-10-version-20H2.md
+- name: Deprecated and removed Windows features
+  expanded: false
+  items:
+    - name: Windows client features lifecycle
+      href: feature-lifecycle.md
+    - name: Deprecated Windows features
+      href: deprecated-features.md
+    - name: Removed Windows features
+      href: removed-features.md
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/whats-new/deprecated-features.md
similarity index 94%
rename from windows/deployment/planning/windows-10-deprecated-features.md
rename to windows/whats-new/deprecated-features.md
index 76c4a0c066..12880bd7ef 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,30 +1,29 @@
 ---
-title: Deprecated features in Windows client
+title: Deprecated features in the Windows client
 description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 07/21/2022
-ms.prod: w10
-ms.technology: windows
+ms.date: 10/28/2022
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.reviewer: 
 ms.topic: article
-ms.collection: highpri
 ---
 
 # Deprecated features for Windows client
 
-_Applies to:_
+**Applies to**
 
 - Windows 10
 - Windows 11
 
-Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](windows-10-removed-features.md).
+Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](removed-features.md).
 
 For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
 
-To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md).
+To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](feature-lifecycle.md).
 
 The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources.
 
@@ -73,11 +72,11 @@ The features in this article are no longer being actively developed, and might b
 |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
 |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management  | To be replaced by a new user interface in a future release. | 1709 |
 |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 |
-|Windows Hello for Business deployment that uses Microsoft Endpoint Manager   |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
+|Windows Hello for Business deployment that uses Microsoft Configuration Manager   |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
 |Windows PowerShell 2.0  | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
 |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This replacement includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
-|Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
+|Tile Data Layer | The [Tile Data Layer](/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
 |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
 |TCPChimney | TCP Chimney Offload is no longer being developed.  See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
 |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 |
-|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|
+|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507 <br /> Applies to Windows Server 2016 and Windows Server 2019.|
\ No newline at end of file
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/whats-new/feature-lifecycle.md
similarity index 77%
rename from windows/deployment/planning/features-lifecycle.md
rename to windows/whats-new/feature-lifecycle.md
index 0bb13ccd0f..11eaa12e7e 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/whats-new/feature-lifecycle.md
@@ -1,13 +1,15 @@
 ---
 title: Windows client features lifecycle
-description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
-ms.prod: w10
+description: Learn about the lifecycle of Windows features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-manager: dougeby
-ms.author: aaroncz
+author: mestew
+manager: aaroncz
+ms.author: mstewart
 ms.topic: article
 ms.custom: seo-marvel-apr2020
+ms.technology: itpro-fundamentals
+ms.date: 10/28/2022
 ---
 # Windows client features lifecycle
 
@@ -25,17 +27,17 @@ For information about features that are impacted when you upgrade from Windows 1
 
 The following topic lists features that are no longer being developed. These features might be removed in a future release.
 
-[Windows 10 features we're no longer developing](windows-10-deprecated-features.md)
+[Deprecated Windows features](deprecated-features.md)
 
 ## Features removed
 
 The following topics have details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
 
-[Windows 10 features we removed](windows-10-removed-features.md)
+[Removed Windows features](removed-features.md)
 
 ## Terminology
 
-The following terms can be used to describe the status that might be assigned to a feature during its lifecycle. 
+The following terms can be used to describe the status that might be assigned to a feature during its lifecycle: 
 
 - **Deprecation**: The stage of the product lifecycle when a feature or functionality is no longer in active development and may be removed in future releases of a product or online service.
 - **End of support**: The stage of the product lifecycle when support and servicing are no longer available for a product.
@@ -45,4 +47,4 @@ The following terms can be used to describe the status that might be assigned to
 
 ## Also see
 
-[Windows 10 release information](/windows/release-health/release-information)
+[Windows release information](/windows/release-health/release-information)
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 3d11bd96e3..d1f1ec51df 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -1,22 +1,20 @@
 ### YamlMime:Landing
 
 title: What's new in Windows
-summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11.
+summary: Find out about new features and capabilities in the latest release of Windows client for IT professionals.
 
 metadata:
   title: What's new in Windows
-  description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11.
-  services: windows-10
-  ms.service: windows-10
-  ms.subservice: subservice
+  description: Find out about new features and capabilities in the latest release of Windows client for IT professionals.
+  ms.prod: windows-client
+  ms.technology: itpro-fundamentals
   ms.topic: landing-page
   ms.collection:
-    - windows-10
     - highpri
   author: aczechowski
   ms.author: aaroncz
   manager: dougeby
-  ms.date: 06/03/2022
+  ms.date: 11/14/2022
   localization_priority: medium
 
 landingContent:
@@ -38,12 +36,12 @@ landingContent:
     linkLists:
       - linkListType: overview
         links:
+          - text: What's new in Windows 10, version 22H2
+            url: whats-new-windows-10-version-22h2.md
           - text: What's new in Windows 10, version 21H2
             url: whats-new-windows-10-version-21h2.md
           - text: What's new in Windows 10, version 21H1
             url: whats-new-windows-10-version-21h1.md
-          - text: What's new in Windows 10, version 20H2
-            url: whats-new-windows-10-version-20h2.md
 
   - title: Learn more
     linkLists:
@@ -54,14 +52,14 @@ landingContent:
           - text: Windows release health dashboard
             url: /windows/release-health/
           - text: Windows 11 update history
-            url: https://support.microsoft.com/topic/windows-11-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9
+            url: https://support.microsoft.com/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce
           - text: Windows 10 update history
             url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
-          - text: Windows 10 features we're no longer developing
-            url: /windows/deployment/planning/windows-10-deprecated-features
-          - text: Features and functionality removed in Windows 10
-            url: /windows/deployment/planning/windows-10-removed-features
-          - text: Compare Windows 10 Editions
-            url: https://www.microsoft.com/windowsforbusiness/compare
+          - text: Windows features we're no longer developing
+            url: deprecated-features.md
+          - text: Features and functionality removed in Windows
+            url: removed-features.md
+          - text: Compare Windows 11 Editions
+            url: https://www.microsoft.com/windows/business/compare-windows-11
           - text: Windows 10 Enterprise LTSC
             url: ltsc/index.md
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 5d691021f8..4ebad1267c 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -1,13 +1,14 @@
 ---
 title: Windows 10 Enterprise LTSC
 description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: low
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # Windows 10 Enterprise LTSC
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index 94de09d07a..8d02105a34 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -4,10 +4,11 @@ ms.reviewer:
 manager: dougeby
 ms.author: aaroncz
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10 Enterprise LTSC 2015
@@ -236,7 +237,7 @@ Enterprises have the following identity and management choices.
 |---|---|
 | Identity   | Active Directory; Azure AD         |
 | Grouping   | Domain join; Workgroup; Azure AD join    |
-| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
+| Device management | Group Policy; Microsoft Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
 
 > [!NOTE]
 > With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
@@ -273,9 +274,9 @@ By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows
 
 -   **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
 
--   **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security).
+-   **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security).
 
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Configuration Manager](/configmgr).
 
 
 Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 74fe44632b..ff84fce008 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -4,10 +4,11 @@ ms.reviewer:
 manager: dougeby
 ms.author: aaroncz
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: low
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10 Enterprise LTSC 2016
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index f915846669..99bbdce00b 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -4,10 +4,13 @@ ms.reviewer:
 manager: dougeby
 ms.author: aaroncz
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: medium
 ms.topic: article
+ms.collection: 
+  - highpri
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10 Enterprise LTSC 2019
@@ -34,7 +37,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
 
 ## Microsoft Intune
 
-Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, Windows 10 update rings device profiles don't support LTSC releases. For installing software updates, use the [policy configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update), Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, Windows 10 update rings device profiles don't support LTSC releases. For installing software updates, use the [policy configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update), Windows Server Update Services (WSUS), or Microsoft Configuration Manager.
 
 ## Security
 
@@ -380,7 +383,7 @@ If you wish to take advantage of [Kiosk capabilities in Microsoft Edge](/previou
 
 ### Co-management
 
-Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+Intune and Microsoft Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
 
 For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
 
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index d79885ad46..6c8dc542bc 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -4,10 +4,13 @@ ms.reviewer:
 manager: dougeby
 ms.author: aaroncz
 description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.localizationpriority: low
 ms.topic: article
+ms.collection: 
+  - highpri
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10 Enterprise LTSC 2021
@@ -159,9 +162,9 @@ Windows Hello enhancements include:
 
 ## Cloud Services
 
-### Microsoft Endpoint Manager
+### Microsoft Intune family of products
 
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
 
 ### Configuration Manager
 
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/whats-new/removed-features.md
similarity index 94%
rename from windows/deployment/planning/windows-10-removed-features.md
rename to windows/whats-new/removed-features.md
index 4510e72618..ac21df98d7 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -1,33 +1,34 @@
 ---
 title: Features and functionality removed in Windows client
 description: In this article, learn about the features and functionality that have been removed or replaced in Windows client.
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: mestew
+ms.author: mstewart
+manager: aaroncz
 ms.topic: article
 ms.custom: seo-marvel-apr2020
-ms.collection: highpri
+ms.technology: itpro-fundamentals
+ms.date: 10/28/2022
 ---
 
 # Features and functionality removed in Windows client
 
-_Applies to:_
+**Applies to**
 
 - Windows 10
 - Windows 11
 
 Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client.
 
-For more information about features that might be removed in a future release, see [Deprecated features for Windows client](windows-10-deprecated-features.md).
+For more information about features that might be removed in a future release, see [Deprecated features for Windows client](deprecated-features.md).
 
 > [!NOTE]
 > To get early access to new Windows builds and test these changes yourself, join the [Windows Insider program](https://insider.windows.com).
 
 For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3).
 
-To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md).
+To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](feature-lifecycle.md).
 
 The following features and functionalities have been removed from the installed product image for Windows client. Applications or code that depend on these features won't function in the release when it was removed, or in later releases.
 
@@ -52,7 +53,7 @@ The following features and functionalities have been removed from the installed
 |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or HoloLens with the Mixed Reality Viewer.| 1809 |
 |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
 |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
-|Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
+|Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We're no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
 |Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
 |People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
 |Language control in the Control Panel|    Use the Settings app to change your language settings.| 1803 |
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 5078ed991a..66b6c21f4d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -2,13 +2,14 @@
 title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
 description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)?
 ms.reviewer: 
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 manager: dougeby
 ms.author: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, versions 1507 and 1511 for IT Pros
@@ -277,7 +278,7 @@ Enterprises have the following identity and management choices.
 |---|---|
 | Identity   | Active Directory; Azure AD         |
 | Grouping   | Domain join; Workgroup; Azure AD join    |
-| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
+| Device management | Group Policy; Microsoft Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
 
 > [!NOTE]
 > With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
@@ -324,9 +325,9 @@ By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows
 
 -   **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
 
--   **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security).
+-   **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security).
 
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Configuration Manager](/configmgr).
 
 
 Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 981388e744..5d80c4bdea 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -1,7 +1,7 @@
 ---
 title: What's new in Windows 10, version 1607 (Windows 10)
 description: What's new in Windows 10 for Windows 10 (version 1607)?
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.reviewer: 
 author: aczechowski
@@ -9,6 +9,7 @@ manager: dougeby
 ms.author: aaroncz
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 1607 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index c6f958b3fe..d56bac40df 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,7 +1,7 @@
 ---
 title: What's new in Windows 10, version 1703
 description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated).
-ms.prod: w10
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.reviewer: 
 author: aczechowski
@@ -9,6 +9,7 @@ manager: dougeby
 ms.author: aaroncz
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 1703 for IT Pros
@@ -18,7 +19,7 @@ Below is a list of some of what's new in Information Technology (IT) pro feature
 For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
 
 >[!NOTE]
->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](/windows/deployment/planning/windows-10-removed-features).
+>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed in Windows 10 Creators Update](removed-features.md).
 
 ## Configuration
 
@@ -181,7 +182,7 @@ We recently added the option to download Windows 10 Insider Preview builds using
 
 ### Optimize update delivery
 
-With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, and with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Configuration Manager, starting with version 1702 of Configuration Manager, and with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
 
 >[!NOTE]
 > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 4e26d46510..df9f38a3c3 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -1,7 +1,7 @@
 ---
 title: What's new in Windows 10, version 1709
 description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update).
-ms.prod: w10
+ms.prod: windows-client
 ms.reviewer: 
 author: aczechowski
 manager: dougeby
@@ -9,6 +9,7 @@ ms.author: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 1709 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 1067c47c88..3815add5bd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -1,7 +1,7 @@
 ---
 title: What's new in Windows 10, version 1803
 description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update).
-ms.prod: w10
+ms.prod: windows-client
 ms.reviewer: 
 author: aczechowski
 manager: dougeby
@@ -9,6 +9,7 @@ ms.author: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 1803 for IT Pros
@@ -130,7 +131,7 @@ Portions of the work done during the offline phases of a Windows update have bee
 
 ### Co-management
 
-**Intune** and **Microsoft Endpoint Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+**Intune** and **Microsoft Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
 
 For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 92e1871b97..ced11ae8ad 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -2,13 +2,14 @@
 title: What's new in Windows 10, version 1809
 ms.reviewer: 
 description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 manager: dougeby
 ms.author: aaroncz
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 1809 for IT Pros
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 4dbfe4141b..1f6ccc5fac 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -1,13 +1,14 @@
 ---
 title: What's new in Windows 10, version 1903
 description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 1903 for IT Pros
@@ -42,7 +43,7 @@ This article lists new and updated features and content that are of interest to
 
 ## Servicing
 
-- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! 
+- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content.
 - [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.  
 - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. 
 - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 4ca266485c..f901253d51 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -1,19 +1,20 @@
 ---
 title: What's new in Windows 10, version 1909
 description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 1909 for IT Pros
 
 **Applies to**
--   Windows 10, version 1909
+-   Windows 10, version 1909
 
 This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 1909, also known as the Windows 10 November 2019 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1903. 
 
@@ -29,7 +30,7 @@ If you're updating from an older version of Windows 10 (version 1809 or earlier)
 
 ### Windows Server Update Services (WSUS)
 
-Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
+Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
 
 The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. 
 
@@ -65,13 +66,13 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
 
 [Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally!
 
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant.
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It's the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant.
 
 ## Deployment
 
-#### Microsoft Endpoint Manager
+### Microsoft Intune family of products
 
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/).
 
 ### Windows 10 Pro and Enterprise in S mode
 
@@ -93,7 +94,7 @@ A new [Windows ADK](/windows-hardware/get-started/adk-install) will **not be rel
 
 ## Microsoft Connected Cache
 
-Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a “configure once and forget it” solution that transparently caches content that your devices on your network need.
+Together with Delivery Optimization, [Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Introducing-Microsoft-Connected-Cache-Microsoft-s-cloud-managed/ba-p/963898) installed on Windows Server or Linux can seamlessly offload your traffic to local sources, caching content efficiently at the byte range level. Connected Cache is configured as a "configure once and forget it" solution that transparently caches content that your devices on your network need.
 
 ## Accessibility
 
@@ -125,10 +126,10 @@ General battery life and power efficiency improvements for PCs with certain proc
 
 [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
 [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.<br>
+[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.<br>
 [What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.<br>
-[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.<br>
+[Features and functionality removed in Windows 10](removed-features.md): Removed features.<br>
+[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.<br>
 [How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.<br>
 [How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.<br>
-[What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.<br>
+[What's new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.<br>
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index e0d940dbf9..5762e44a56 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -1,13 +1,14 @@
 ---
 title: What's new in Windows 10, version 2004
 description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: medium
 ms.topic: article
 ROBOTS: NOINDEX
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 2004 for IT Pros
@@ -76,7 +77,7 @@ With this release, you can configure [Windows Autopilot user-driven](/windows/de
 
 If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this skip was only supported with self-deploying profiles.
 
-### Microsoft Endpoint Manager
+### Microsoft Configuration Manager
 
 An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
 
@@ -100,7 +101,7 @@ For the latest information about MDT, see the [MDT release notes](/mem/configmgr
 
 Windows PowerShell cmdlets have been improved:
 
-- **Get-DeliveryOptimizationStatus** has added the  **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationStatus** has added the  **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
 - **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
 - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
 
@@ -243,7 +244,7 @@ Examples include:
 - Monitor panel testing and validation
 - Independent Hardware Vendor (IHV) driver testing and validation
 
-To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On.  The display will now be available for a specialized use.
+To prevent Windows from using a display, choose Settings > Display and select Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On.  The display will now be available for a specialized use.
 
 ## Desktop Analytics
 
@@ -261,5 +262,5 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
 - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
 - [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
 - [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features.
-- [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-- [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
+- [Features and functionality removed in Windows 10](removed-features.md): Removed features.
+- [Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index 14b2588859..1b1b11fb62 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -1,13 +1,14 @@
 ---
 title: What's new in Windows 10, version 20H2
 description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: high
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 20H2 for IT Pros
@@ -69,7 +70,7 @@ Activities are grouped into the following phases: **Plan** > **Prepare** > **Dep
 Enhancements to Windows Autopilot since the last release of Windows 10 include:
 - [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
 - [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
-- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**.
+- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**.
 
 ### Windows Assessment and Deployment Toolkit (ADK)
 
@@ -145,5 +146,5 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
 [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
 [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.<br>
 [Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.<br>
-[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.<br>
+[Features and functionality removed in Windows 10](removed-features.md): Removed features.<br>
+[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.<br>
diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md
index f598d1913b..2e40e1ddd7 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H1.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H1.md
@@ -1,13 +1,14 @@
 ---
 title: What's new in Windows 10, version 21H1
 description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update).
-ms.prod: w10
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: high
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 21H1 for IT Pros
@@ -93,10 +94,10 @@ This release includes the following enhancements and issues fixed:
 - Windows Management Instrumentation (WMI) service caused a heap leak each time security settings are applied to WMI namespace permissions.
 - screen rendering after opening games with certain hardware configurations.
 - startup times for applications that have roaming settings when User Experience Virtualization (UE-V) is turned on.
-- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, “KRB_GENERIC_ERROR”, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
+- a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerfromTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
 - high memory and CPU utilization in Microsoft Defender for Endpoint.
 - We enhanced data loss prevention and insider risk management solution functionalities in Microsoft 365 endpoints.
-- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, “WDAG Report – Container: Error: 0x80070003, Ext error: 0x00000001”. This issue occurs after installing the .NET update KB4565627.
+- an error when you attempt to open an untrusted webpage using Microsoft Edge or open an untrusted Microsoft Office document. The error is, "WDAG Report - Container: Error: 0x80070003, Ext error: 0x00000001". This issue occurs after installing the .NET update KB4565627.
 - an issue that prevents wevtutil from parsing an XML file.
 - failure to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes.
 - We added support for using the new Chromium-based Microsoft Edge as the assigned access single kiosk app. Now, you can also customize a breakout key sequence for single app kiosks. For more information, see Configure Microsoft Edge kiosk mode.
@@ -130,7 +131,7 @@ This release includes the following enhancements and issues fixed:
 [Introducing the next feature update to Windows 10, version 21H1](https://blogs.windows.com/windowsexperience/2021/02/17/introducing-the-next-feature-update-to-windows-10-version-21h1/): Windows Experience Blog.<br>
 [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
 [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
-[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.<br>
-[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.<br>
-[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.<br>
+[What's New in Windows 10](./index.yml): See what's new in other versions of Windows 10.<br>
+[Announcing more ways we're making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.<br>
+[Features and functionality removed in Windows 10](removed-features.md): Removed features.<br>
+[Windows 10 features we're no longer developing](deprecated-features.md): Features that aren't being developed.<br>
diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md
index da72022d30..5d8e006605 100644
--- a/windows/whats-new/whats-new-windows-10-version-21H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-21H2.md
@@ -2,13 +2,14 @@
 title: What's new in Windows 10, version 21H2 for IT pros
 description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
 manager: dougeby
-ms.prod: w10
+ms.prod: windows-client
 ms.author: aaroncz
 author: aczechowski
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: highpri
 ms.custom: intro-overview
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 10, version 21H2
@@ -51,7 +52,7 @@ For more information, and what GPU compute support means for you, see the [GPU a
 
 The [KB5005101  September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers.
 
-These CSPs are built in to Windows 10, version 21H2. These settings are available in Endpoint Manager in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis.
+These CSPs are built in to Windows 10, version 21H2. These settings are available in Microsoft Intune in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis.
 
 For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
 
diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md
new file mode 100644
index 0000000000..19a2bb9c46
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-22H2.md
@@ -0,0 +1,38 @@
+---
+title: What's new in Windows 10, version 22H2 for IT pros
+description: Learn more about what's new in Windows 10, version 22H2, including how to get it.
+ms.prod: windows-client
+ms.technology: itpro-fundamentals
+ms.author: mstewart
+author: mestew
+manager: dougeby
+ms.localizationpriority: medium
+ms.topic: overview
+ms.date: 10/18/2022
+---
+
+# What's new in Windows 10, version 22H2
+
+<!-- 7133471 -->
+
+Windows 10, version 22H2 is a feature update for Windows 10. It's a scoped release focused on quality improvements to the overall Windows experience in existing feature areas. It includes all previous cumulative updates to Windows 10, version 21H2. This article is for IT professionals, it lists information about this release that you should know.
+
+Windows 10, version 22H2 is an [H2-targeted release](/lifecycle/faq/windows#what-is-the-servicing-timeline-for-a-version--feature-update--of-windows-10-), and has the following servicing schedule:
+
+- **Windows 10 Professional**: Serviced for 18 months from the release date.
+- **Windows 10 Enterprise**: Serviced for 30 months from the release date.
+
+Windows 10, version 22H2 is available through Windows Server Update Services including Configuration Manager, Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 10 2022 Update](https://blogs.windows.com/windowsexperience/2022/10/18/how-to-get-the-windows-10-2022-update/).
+
+Devices running earlier supported versions of Windows 10 can update to version 22H2 using an enablement package. For more information, see [Feature update to Windows 10, version 22H2 by using an enablement package](https://support.microsoft.com/topic/kb5015684-featured-update-to-windows-10-version-22h2-by-using-an-enablement-package-09d43632-f438-47b5-985e-d6fd704eee61).
+
+To learn more about the status of the Windows 10, version 22H2 rollout, known issues, and build information, see [Windows 10 release information](/windows/release-health/release-information).
+
+For more information about updated tools to support this release, see [IT tools to support Windows 10, version 22H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-22h2/ba-p/3655750).
+
+The Windows 10, version 22H2 feature update is installed as part of the general availability channel. Quality updates are still installed monthly on patch Tuesday.
+
+For more information, see:
+
+- [Feature and quality update definitions](/windows/deployment/update/waas-quick-start#definitions)
+- [Windows servicing channels](/windows/deployment/update/waas-overview#servicing-channels)
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index 0af8ec6113..a36d8795f6 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -2,13 +2,14 @@
 title: What's new in Windows 11, version 22H2 for IT pros
 description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
 manager: dougeby
-ms.prod: w10
+ms.prod: windows-client
 ms.author: mstewart
 author: mestew
 ms.localizationpriority: medium
 ms.topic: article
 ms.collection: highpri
 ms.custom: intro-overview
+ms.technology: itpro-fundamentals
 ---
 
 # What's new in Windows 11, version 22H2
diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md
index 61a499904f..bdfa205f5c 100644
--- a/windows/whats-new/windows-10-insider-preview.md
+++ b/windows/whats-new/windows-10-insider-preview.md
@@ -1,13 +1,14 @@
 ---
 title: Documentation for Windows 10 Insider Preview (Windows 10)
 description: Preliminary documentation for some Windows 10 features in Insider Preview.
-ms.prod: w10
+ms.prod: windows-client
 author: dansimp
 ms.date: 04/14/2017
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
 ms.topic: article
+ms.technology: itpro-fundamentals
 ---
 
 # Documentation for Windows 10 Insider Preview
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index 19c319c011..165bd132d3 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -24,7 +24,7 @@ Windows 11 is the next client operating system, and includes features that organ
 
 It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment.
 
-Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Endpoint Manager. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
+Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices.
 
 This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows).
 
@@ -40,7 +40,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
   
   For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines).
 
-- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Endpoint Manager to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint.
+- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint.
 
   For more information, see:
 
@@ -54,15 +54,15 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
 
 - **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices.
 
-  As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Endpoint Manager work together to remove passwords, create more secure policies, and help enforce compliance.
+  As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Intune work together to remove passwords, create more secure policies, and help enforce compliance.
 
   For more information, see:
 
   - [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview)
   - [Trusted Platform Module Technology Overview](/windows/security/information-protection/tpm/trusted-platform-module-overview)
-  - [Integrate Windows Hello for Business with Endpoint Manager](/mem/intune/protect/windows-hello)
+  - [Integrate Windows Hello for Business with Intune](/mem/intune/protect/windows-hello)
 
-For more information on the security features you can configure, manage, and enforce using Endpoint Manager, see [Protect data and devices with Microsoft Endpoint Manager](/mem/intune/protect/device-protect).
+For more information on the security features you can configure, manage, and enforce using Intune, see [Protect data and devices with Microsoft Intune](/mem/intune/protect/device-protect).
 
 ## Easier access to new services, and services you already use
 
@@ -74,11 +74,11 @@ For more information on the security features you can configure, manage, and enf
 
   :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call.":::
 
-  This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Endpoint Manager. For more information, see:
+  This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Intune. For more information, see:
 
-  - [Get started with Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started)
+  - [What is Intune?](/mem/intune/fundamentals/what-is-intune)
   - [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365)
-  - [Install Microsoft Teams using Microsoft Endpoint Configuration Manager](/microsoftteams/msi-deployment)
+  - [Install Microsoft Teams using Microsoft Configuration Manager](/microsoftteams/msi-deployment)
 
   Users can manage preinstalled apps using the **Settings** app > **Apps** > **Apps & Features**. Admins can [create a policy that pins apps, or removes the default pinned apps from the Taskbar](/windows/configuration/customize-taskbar-windows-11).
 
@@ -158,9 +158,9 @@ For more information on the security features you can configure, manage, and enf
 
   In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in.
 
-  Using an MDM provider, like Endpoint Manager, you can create policies that also manage some app settings. For a list of settings, see [App Store in Endpoint Manager](/mem/intune/configuration/device-restrictions-windows-10#app-store).
+  Using an MDM provider, like Intune, you can create policies that also manage some app settings. For a list of settings, see [App Store in Intune](/mem/intune/configuration/device-restrictions-windows-10#app-store).
 
-- If you manage devices using Endpoint Manager, then you might be familiar with the **Company Portal app**. Starting with Windows 11, the Company Portal is your private app repository for your organization apps. For more information, see [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11).
+- If you manage devices using Intune, then you might be familiar with the **Company Portal app**. Starting with Windows 11, the Company Portal is your private app repository for your organization apps. For more information, see [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11).
 
   For public and retail apps, continue using the Microsoft Store.
 
@@ -183,7 +183,7 @@ For more information on the security features you can configure, manage, and enf
 
   To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`.
 
-  Using Group Policy or an MDM provider, such as Endpoint Manager, you can configure some Microsoft Edge settings. For more information, see [Microsoft Edge - Policies](/deployedge/microsoft-edge-policies) and [Configure Microsoft Edge policy settings](/mem/intune/configuration/administrative-templates-configure-edge).
+  Using Group Policy or an MDM provider, such as Intune, you can configure some Microsoft Edge settings. For more information, see [Microsoft Edge - Policies](/deployedge/microsoft-edge-policies) and [Configure Microsoft Edge policy settings](/mem/intune/configuration/administrative-templates-configure-edge).
 
 ## Deployment and servicing
 
@@ -197,15 +197,15 @@ For more information on the security features you can configure, manage, and enf
 
   If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot).
 
-- **Microsoft Endpoint Manager** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more.
+- **Microsoft Intune** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more.
 
-  If you use Group Policy to manage your Windows 10 devices, then you can also use Group Policy to manage Windows 11 devices. In Endpoint Manager, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects.
+  If you use Group Policy to manage your Windows 10 devices, then you can also use Group Policy to manage Windows 11 devices. In Intune, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects.
 
 - **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
 
   Like Windows 10, Windows 11 will receive monthly quality updates.
 
-  You have options to install updates on your Windows devices, including Endpoint Manager, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates).
+  You have options to install updates on your Windows devices, including Intune, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates).
 
   Some updates are large, and use bandwidth. Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more.
 
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 2c6b25ecff..1a2f7d3b76 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -1,13 +1,14 @@
 ---
 title: Plan for Windows 11
 description: Windows 11 deployment planning, IT Pro content.
-ms.prod: w11
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: high
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # Plan for Windows 11
@@ -45,7 +46,7 @@ The availability of Windows 11 will vary according to a device's hardware and wh
 
 ##### Managed devices
 
-Managed devices are devices that are under organization control. Managed devices include those devices managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions. 
+Managed devices are devices that are under organization control. Managed devices include those devices managed by Microsoft Intune, Microsoft Configuration Manager, or other endpoint management solutions. 
 
 If you manage devices on behalf of your organization, you'll be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as:  
 
@@ -71,7 +72,7 @@ The recommended method to determine if your infrastructure, deployment processes
 
 As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows:
 - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet.
-- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. 
+- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
 - Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). 
 
 For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). 
@@ -104,7 +105,7 @@ If you run into compatibility issues or want to ensure that your organization's
 
 **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. 
 
-**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across various Windows features and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.  
+**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) is a service that allows you to validate your apps across various Windows features and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.  
 
 You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. 
 
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 7967b76c83..1ae1ed1629 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -1,13 +1,14 @@
 ---
 title: Prepare for Windows 11
 description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content.
-ms.prod: w11
+ms.prod: windows-client
 author: aczechowski
 ms.author: aaroncz
 manager: dougeby
 ms.localizationpriority: high
 ms.topic: article
 ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # Prepare for Windows 11
@@ -35,7 +36,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil
   > [!NOTE]
   > During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture.
 
-- If you use [Microsoft Endpoint Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.  
+- If you use [Microsoft Configuration Manager](/mem/configmgr/), you can sync the new **Windows 11** product category and begin upgrading eligible devices. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.  
 
   > [!NOTE]
   > Configuration Manager will prompt you to accept the Microsoft Software License Terms on behalf of the users in your organization. 
@@ -56,13 +57,13 @@ The tools that you use for core workloads during Windows 10 deployments can stil
 
 ## Cloud-based management
 
-If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy.  
+If you aren’t already taking advantage of cloud-based management capabilities, like those available in the [Microsoft Intune family of products](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Intune can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy.  
 
-The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: 
+The following are some common use cases and the corresponding Microsoft Intune capabilities that support them: 
 
 - **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is new feature that is available when you use in Windows Autopilot to deploy Windows 11.
 - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps. 
-- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. 
+- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Intune. 
 
 If you're exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. 
 
@@ -97,7 +98,7 @@ Regardless of the method you choose, you have the benefit of free Microsoft supp
 
 #### Analytics and assessment tools 
 
-If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you'll have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade.
+If you use Microsoft Intune and have onboarded devices to Endpoint analytics, you'll have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade.
 
 [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) doesn't support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview).
 
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index f7deeee64b..e72a69b1d0 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -4,11 +4,12 @@ description: Hardware requirements to deploy Windows 11
 manager: aaroncz
 author: mestew
 ms.author: mstewart
-ms.prod: w11
+ms.prod: windows-client
 ms.localizationpriority: medium
 ms.topic: article
 ms.custom: seo-marvel-apr2020
 ms.collection: highpri
+ms.technology: itpro-fundamentals
 ---
 
 # Windows 11 requirements
@@ -83,7 +84,7 @@ The following configuration requirements apply to VMs running Windows 11.
 -	Generation: 2<b> \*</b>
 -	Storage: 64 GB or greater
 -	Security: 
-    - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM and secure boot enabled
+    - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled
     - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager)
     - General settings: Secure boot capable, virtual TPM enabled
 -	Memory:  4 GB or greater